CNX-001 · Question #40
A network load balancer is not correctly validating a client TLS certificate. The network architect needs to validate the certificate installed on the load balancer before progressing. Which of the fo
The correct answer is D. openssl x509 -noout -modulus -in cert.crt | openssl md5. To verify that a private key and certificate are a matched pair, you compare the modulus of both. The command openssl x509 -noout -modulus -in cert.crt | openssl md5 extracts the modulus from the certificate file and hashes it with MD5. You then run the equivalent command on the
Question
A network load balancer is not correctly validating a client TLS certificate. The network architect needs to validate the certificate installed on the load balancer before progressing. Which of the following commands should the architect use to confirm whether the private key and certificate match?
Options
- Aopenssl-list -noout -modulus -in cert.crt | openssl md5
- Bopenssl req -in certificate.csr -verify
- Copenssl-rsa -noout -modulus -in cert.crt | openssl md5
- Dopenssl x509 -noout -modulus -in cert.crt | openssl md5
How the community answered
(44 responses)- A2% (1)
- B5% (2)
- C11% (5)
- D82% (36)
Explanation
To verify that a private key and certificate are a matched pair, you compare the modulus of both. The command openssl x509 -noout -modulus -in cert.crt | openssl md5 extracts the modulus from the certificate file and hashes it with MD5. You then run the equivalent command on the private key file (openssl rsa -noout -modulus -in cert.key | openssl md5) - if the hashes match, the key and certificate are paired. Option A uses openssl-list, which is not a valid OpenSSL subcommand. Option B uses openssl req which is for CSR files, not certificates, and does not perform a key-match check. Option C uses openssl-rsa (with a hyphen, not a space) applied to a .crt file - openssl rsa is for private key files, not certificate files, making the file type mismatch an error.
Topics
Community Discussion
No community discussion yet for this question.