5

Setting up an AWS instance with the instructions here, I create a public/private keypair. I understand the public key fingerprint is usually just a hash of the public key.

However, the instructions here show that you can confirm that your private key and public key match by verifying their fingerprints are the same. In other words, running a function on my private key file on my local machine yields the same fingerprint for the public key.

How is this possible? How are the private and public keys linked in any way such that they produce the same fingerprint, and how does this verification process work?

1 Answer

6

Pubkey is INCLUDED in privkey

It's a bit confusing but the way these members of the keypair are saved is such that the pubkey is a proper subset of the information inside the privkey.

This means that all the information of the pubkey is contained inside the privkey structure.

So what the AWS guys are doing is using openssl's -pubout switch to derive the pubkey from the privkey and then taking the checksum. And they compare that to the checksum that is DIRECTLY taken off of the pubkey.

Further reading

In-depth explanation of how to improperly and properly check whether a cert's pubkey matches a privkey:

StackzOfZtuff
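The check the answer describes, as an added example that is not part of the original post: derive the public key from the private key with `-pubout`, fingerprint it, and compare against a fingerprint taken directly from the public key file. It assumes the openssl CLI is available, and uses MD5 over the DER-encoded public key purely as an illustrative fingerprint format (the digest and encoding a given provider uses may differ).

```shell
#!/bin/sh
# Added example: the public key (n, e) is embedded in the RSA private key, so
# a fingerprint over the key derived with -pubout must equal a fingerprint over
# the standalone public key file. Assumes the openssl CLI; MD5 over DER is an
# illustrative fingerprint format, not a claim about any provider's exact one.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway RSA keypair, constructed here for the demonstration.
openssl genrsa -out "$WORK/key.pem" 2048 2>/dev/null
openssl rsa -in "$WORK/key.pem" -pubout -out "$WORK/pub.pem" 2>/dev/null

# Fingerprint derived FROM THE PRIVATE KEY: -pubout extracts the embedded
# public half, which is DER-encoded and hashed.
fp_from_private() {
    openssl rsa -in "$1" -pubout -outform DER 2>/dev/null \
        | openssl md5 | awk '{print $NF}'
}

# Fingerprint taken DIRECTLY from the public key file, same encoding and hash.
fp_from_public() {
    openssl pkey -pubin -in "$1" -outform DER 2>/dev/null \
        | openssl md5 | awk '{print $NF}'
}

# Succeeds (exit 0) only when private key $1 belongs to public key $2.
keys_match() {
    [ "$(fp_from_private "$1")" = "$(fp_from_public "$2")" ]
}

echo "fingerprint via private key: $(fp_from_private "$WORK/key.pem")"
echo "fingerprint via public key:  $(fp_from_public "$WORK/pub.pem")"
if keys_match "$WORK/key.pem" "$WORK/pub.pem"; then
    echo "keys match"
else
    echo "keys do NOT match"
fi
```

A private key from a different keypair yields a different derived fingerprint, so the same comparison fails for a mismatched pair.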