nerdexam
CompTIA

CNX-001 · Question #40

A network load balancer is not correctly validating a client TLS certificate. The network architect needs to validate the certificate installed on the load balancer before progressing. Which of the fo

The correct answer is D. openssl x509 -noout -modulus -in cert.crt | openssl md5. To verify that a private key and certificate are a matched pair, you compare the modulus of both. The command openssl x509 -noout -modulus -in cert.crt | openssl md5 extracts the modulus from the certificate file and hashes it with MD5. You then run the equivalent command on the

Cloud Network Operations and Troubleshooting

Question

A network load balancer is not correctly validating a client TLS certificate. The network architect needs to validate the certificate installed on the load balancer before progressing. Which of the following commands should the architect use to confirm whether the private key and certificate match?

Options

  • Aopenssl-list -noout -modulus -in cert.crt | openssl md5
  • Bopenssl req -in certificate.csr -verify
  • Copenssl-rsa -noout -modulus -in cert.crt | openssl md5
  • Dopenssl x509 -noout -modulus -in cert.crt | openssl md5

How the community answered

(44 responses)
  • A
    2% (1)
  • B
    5% (2)
  • C
    11% (5)
  • D
    82% (36)

Explanation

To verify that a private key and certificate are a matched pair, you compare the modulus of both. The command openssl x509 -noout -modulus -in cert.crt | openssl md5 extracts the modulus from the certificate file and hashes it with MD5. You then run the equivalent command on the private key file (openssl rsa -noout -modulus -in cert.key | openssl md5) - if the hashes match, the key and certificate are paired. Option A uses openssl-list, which is not a valid OpenSSL subcommand. Option B uses openssl req which is for CSR files, not certificates, and does not perform a key-match check. Option C uses openssl-rsa (with a hyphen, not a space) applied to a .crt file - openssl rsa is for private key files, not certificate files, making the file type mismatch an error.

Topics

#TLS certificates#openssl commands#Private key validation#Network troubleshooting

Community Discussion

No community discussion yet for this question.

Full CNX-001 Practice