Certificate & Private Key Matcher
Check whether an SSL certificate and a private key belong together, right in your browser. Your private key is processed on your device and never uploaded.
Your certificate and private key are parsed and matched entirely in your browser and never uploaded. Still, avoid pasting production private keys into any online tool you do not control.
Converting a key format? Try the PPK ↔ PEM Converter.
About Certificate & Private Key Matcher
This certificate and private key matcher confirms that an X.509 certificate (or a CSR) and a private key actually belong together — the check you would otherwise run with two openssl commands and compare by eye. Paste your certificate or CSR in one box and the private key in the other, and it tells you MATCH or NO MATCH. To show you why, it derives the public key from each input, serializes it to a canonical form, and displays a SHA-256 fingerprint for each: when the fingerprints are identical the pair is valid, and a difference is the classic modulus mismatch. It supports RSA keys, handles an optional passphrase for an encrypted private key, and gives clear errors for unparseable PEM. Everything runs entirely in your browser, so your private key is processed on your device and never uploaded.
Features
- Confirms a certificate and private key belong together with a clear MATCH / NO MATCH verdict
- Also matches a CSR against the private key that generated it
- Shows a SHA-256 public-key fingerprint for each input so you can see exactly why they do or do not match
- Detects and labels whether you pasted a certificate or a CSR
- Accepts an optional passphrase for an encrypted (PEM) private key
- Reports readable errors for malformed PEM instead of cryptic failures
- Works with RSA keys in PKCS#1 and PKCS#8 PEM formats
- Runs fully client-side so the private key never leaves your device
How to use the Certificate & Private Key Matcher
- Paste your X.509 certificate or CSR into the left box.
- Paste the matching private key into the right box.
- If the key is encrypted, enter its passphrase in the field below.
- Read the MATCH or NO MATCH verdict and compare the two public-key fingerprints.
Example
Input
# The classic openssl equivalent this tool replaces:
openssl x509 -noout -modulus -in cert.pem | openssl sha256
openssl rsa -noout -modulus -in key.pem | openssl sha256
Output
MATCH
Cert key a1b2c3… (RSA 2048-bit)
Priv key a1b2c3…
Identical fingerprints — the certificate and key belong together.
Instead of running two openssl modulus commands and comparing hashes, paste the two files and read the verdict.
Common errors & troubleshooting
- The tool reports NO MATCH even though you expected the files to pair. — You likely pasted a certificate and a key from different pairs, or an old key after reissuing the certificate. Compare the two fingerprints and re-check which key was used to create this certificate or CSR.
- You see "Could not parse the certificate or CSR". — Make sure you pasted the full PEM block including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines. A DER (.der/.cer) file must be converted to PEM first.
- You see "Could not decrypt the private key". — Enter the correct passphrase in the passphrase field. If the key uses an unsupported cipher, remove the passphrase with your key tooling and paste the unencrypted PEM.
- An EC key is not recognized. — Matching currently supports RSA private keys in PEM. For an EC key, compare the public keys with your own tooling for now.
Frequently asked questions
- How do I check if a private key matches a certificate?
- Paste the certificate (or CSR) and the private key into the two boxes. The tool derives the public key from each, shows a SHA-256 fingerprint for both, and reports MATCH when they are identical — the same result as comparing openssl modulus hashes, but without the command line.
- What is a modulus mismatch?
- For RSA, a certificate and its private key share the same modulus, so they produce the same public key. A modulus mismatch means the certificate and key came from different pairs and will not work together — for example if a key was regenerated after the certificate was issued.
- Is my private key uploaded anywhere?
- No. The certificate, CSR, and private key are parsed and compared entirely in your browser. Your private key is processed on your device and never sent to a server.
- Can I match a CSR to its private key?
- Yes. Paste a certificate signing request instead of a certificate and it is matched against the private key the same way — useful before submitting a CSR to a certificate authority.
- Does it support encrypted private keys?
- Yes. If your private key is passphrase-protected, enter the passphrase in the field below the key box and the tool decrypts it locally to derive its public key.
- Which key types are supported?
- RSA private keys in PKCS#1 and PKCS#8 PEM formats are supported, matched against RSA certificates and CSRs. Support for EC keys may follow.
Related tools
- PPK ↔ PEM Converter — Convert SSH private keys between PuTTY .ppk and OpenSSH/PEM (RSA & Ed25519) — locally in your browser.
- SSH Key Generator — Generate Ed25519, RSA or ECDSA SSH keypairs in your browser and download the public and private keys.
- JWT Decoder — Decode JWT header & payload and inspect exp / iat (no verification).
- Hash Generator — SHA-256 / SHA-1 / SHA-384 / SHA-512 via the Web Crypto API.
- Basic Auth Generator — Generate and decode HTTP Basic Auth Authorization headers from a username and password.
All ArrayKit tools