How to verify that a CA certificate matches a private key
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Purpose
The procedure documented below will be helpful to confirm that the certificate issued by CA is related to the CSR and private key. This will be helpful while troubleshooting issues related to SSL certificate renewal in Jira.
Solution
To confirm that a particular private key matches the public key contained in a certificate signing request (CSR) and certificate, one must confirm that the moduli of both keys are identical. This can be done straightforwardly with OpenSSL on Linux/Unix, macOS, or Windows (with Windows 10’s Linux subsystem or Cygwin), as follows:
To view the md5 hash of the modulus of the private key:
openssl rsa -noout -modulus -in mykey.key | openssl md5
To view the md5 hash of the modulus of the CSR:
openssl req -noout -modulus -in mycsr.csr | openssl md5
To view the md5 hash of the modulus of the certificate:
openssl x509 -noout -modulus -in mycert.crt | openssl md5
Compare the 'modulus' from these three commands. A matching certificate and private key will have the same modulus value. If all three hashes match, the CSR, certificate, and private key are compatible.