How to verify that an SSL key, certificate and CSR match

Each of these commands prints an MD5 digest of the RSA modulus stored in the file.
If all three digests are identical, the key, certificate and CSR belong together.

openssl x509 -noout -modulus -in mydomain.crt | openssl md5
openssl rsa -noout -modulus -in mydomain.key | openssl md5
openssl req -noout -modulus -in mydomain.csr | openssl md5
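
The same check as a script, generalized beyond the page (an added example, not from the original post): the modulus comparison above only applies to RSA keys, so this version compares a SHA-256 digest of the public key instead, which also covers EC keys. The function names, file names and the CN example.test are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the original page): compare the public key inside a
# private key, a certificate and a CSR. Unlike -modulus, this also covers EC keys.

# Print the PEM public key from a file. $1 = key|crt|csr, $2 = path.
# An encrypted private key makes openssl ask for its passphrase here.
pubkey_pem() {
    case "$1" in
        key) openssl pkey -in "$2" -pubout ;;
        crt) openssl x509 -in "$2" -noout -pubkey ;;
        csr) openssl req  -in "$2" -noout -pubkey ;;
        *)   return 2 ;;
    esac
}

# Print the SHA-256 digest of that public key; fail if it cannot be read,
# so two unreadable files never "match" on the digest of empty input.
pubkey_digest() {
    pem=$(pubkey_pem "$1" "$2" 2>/dev/null) || return 1
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Exit 0 if key ($1), certificate ($2) and CSR ($3) share one public key,
# 1 if they differ, 2 if any file could not be parsed.
triplet_matches() {
    k=$(pubkey_digest key "$1") || return 2
    c=$(pubkey_digest crt "$2") || return 2
    r=$(pubkey_digest csr "$3") || return 2
    [ "$k" = "$c" ] && [ "$c" = "$r" ]
}

# Constructed sample material: RSA key + CSR + self-signed cert, and an
# unrelated EC key. File names and the CN are made up for this demo.
make_samples() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/a.key" 2>/dev/null &&
    openssl req -new -key "$1/a.key" -subj "/CN=example.test" -out "$1/a.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/a.csr" -signkey "$1/a.key" -days 1 -out "$1/a.crt" 2>/dev/null &&
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1/b.key" 2>/dev/null
}

demo_dir=$(mktemp -d) && make_samples "$demo_dir" && {
    triplet_matches "$demo_dir/a.key" "$demo_dir/a.crt" "$demo_dir/a.csr" && echo "a.*: match"
    triplet_matches "$demo_dir/b.key" "$demo_dir/a.crt" "$demo_dir/a.csr" || echo "b.key: MISMATCH"
    rm -rf "$demo_dir"
}
```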

How to decrypt an SSL key

When you set up SSL in Server Admin, the ‘key’ is stored as a passphrase-encrypted RSA key.

If you want to use your certificate outside of Server Admin, you’ll need the passphrase or a non-encrypted copy of the key.

There are a few approaches; here’s one.

The certificates are stored in /etc/certificates, so let’s go there:

cd /etc/certificates

Take a look at all the keys/certs in this directory:


For every cert you created, you will see several files (cert, key, concat and chain). You might even see more than one set for your certificate. Each set has a unique ID in the name of each file in the set.

If you see more than one set for the certificate whose key you want to decrypt, you can find the latest one by viewing the list sorted by date:

ls -alt

Now you know which key you would like to decrypt. We’ll need the passphrase; here’s how to get it:

  • Copy the unique ID to your clipboard.
  • Open the Keychain Access application from your Utilities folder.
  • Search for the unique ID, and double-click it to view the details.
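  • Click the Show password button (enter your credentials).
  • Copy the password to your clipboard; this is the RSA passphrase.

Now let’s make a non-encrypted copy of the key, substituting the key file you picked and an output file name for the placeholders:

sudo openssl rsa -in <encrypted-key-file> -out ~/Desktop/<decrypted-key-file>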

When asked, paste the passphrase you copied to your clipboard earlier.

That’s it.
The non-encrypted key is now on your desktop.