Certificate & Private Key Matcher

Check whether an SSL certificate and a private key belong together, right in your browser. Your private key is processed on your device and never uploaded.

Your certificate and private key are parsed and matched entirely in your browser and never uploaded. Still, avoid pasting production private keys into any online tool you do not control.

Converting a key format? Try the PPK ↔ PEM Converter.

About Certificate & Private Key Matcher

This certificate and private key matcher confirms that an X.509 certificate (or a CSR) and a private key actually belong together — the check you would otherwise run with two openssl commands and compare by eye. Paste your certificate or CSR in one box and the private key in the other, and it tells you MATCH or NO MATCH. To show you why, it derives the public key from each input, serializes it to a canonical form, and displays a SHA-256 fingerprint for each: when the fingerprints are identical the pair is valid, and a difference is the classic modulus mismatch. It supports RSA keys, handles an optional passphrase for an encrypted private key, and gives clear errors for unparseable PEM. Everything runs entirely in your browser, so your private key is processed on your device and never uploaded.

Features

How to use the Certificate & Private Key Matcher

  1. Paste your X.509 certificate or CSR into the left box.
  2. Paste the matching private key into the right box.
  3. If the key is encrypted, enter its passphrase in the field below.
  4. Read the MATCH or NO MATCH verdict and compare the two public-key fingerprints.

Example

Input

# The classic openssl equivalent this tool replaces:
openssl x509 -noout -modulus -in cert.pem | openssl sha256
openssl rsa  -noout -modulus -in key.pem  | openssl sha256

Output

MATCH
Cert key  a1b2c3…  (RSA 2048-bit)
Priv key  a1b2c3…
Identical fingerprints — the certificate and key belong together.

Instead of running two openssl modulus commands and comparing hashes, paste the two files and read the verdict.

Common errors & troubleshooting

Frequently asked questions

How do I check if a private key matches a certificate?
Paste the certificate (or CSR) and the private key into the two boxes. The tool derives the public key from each, shows a SHA-256 fingerprint for both, and reports MATCH when they are identical — the same result as comparing openssl modulus hashes, but without the command line.
What is a modulus mismatch?
For RSA, a certificate and its private key share the same modulus, so they produce the same public key. A modulus mismatch means the certificate and key came from different pairs and will not work together — for example if a key was regenerated after the certificate was issued.
Is my private key uploaded anywhere?
No. The certificate, CSR, and private key are parsed and compared entirely in your browser. Your private key is processed on your device and never sent to a server.
Can I match a CSR to its private key?
Yes. Paste a certificate signing request instead of a certificate and it is matched against the private key the same way — useful before submitting a CSR to a certificate authority.
Does it support encrypted private keys?
Yes. If your private key is passphrase-protected, enter the passphrase in the field below the key box and the tool decrypts it locally to derive its public key.
Which key types are supported?
RSA private keys in PKCS#1 and PKCS#8 PEM formats are supported, matched against RSA certificates and CSRs. Support for EC keys may follow.

Related tools

All ArrayKit tools