Home > Resources > Tools > Cert Key Matcher

Certificate Key Matcher

Check whether a certificate and private key belong together, entirely inside your browser.
More Information About the Certificate Key Matcher

The Certificate Key Matcher confirms that a private key and an SSL certificate belong together — useful as a pre-deployment check, so you don't push a certificate paired with the wrong key and break TLS on your server.

How the check works:

  • The tool extracts the public key from the certificate you paste.
  • It signs a small piece of random data with the private key you paste.
  • It verifies that signature using the certificate's public key.
  • If the signature verifies, the key and certificate are a matching pair. If not, they don't belong together.

Supported inputs:

  • Certificate — PEM (-----BEGIN CERTIFICATE-----) or DER.
  • Private key — PEM-encoded RSA, ECC (P-256 / P-384 / P-521), or DSA. Both PKCS#1 (BEGIN RSA PRIVATE KEY) and PKCS#8 (BEGIN PRIVATE KEY) formats are accepted.

Security note: never paste a production private key into any tool you don't fully trust. This check runs entirely in your browser using the Web Crypto API and the private key is never transmitted — but you should still treat private keys with the same care you would a password. If you suspect a key has been exposed, rotate it.

If the keys don't match, generate a fresh pair with the CSR Generator and have the certificate re-issued.

Certificate

Paste or import a certificate in PEM or DER form.

Supports .crt, .cer, .pem, .der, and .txt files.

Private Key

Paste or import an RSA or EC private key.

Supports PEM private keys such as PRIVATE KEY, RSA PRIVATE KEY, and EC PRIVATE KEY.

Contact Us: General enquiries or free consultation

We’re really grateful for giving us a chance to connect with you. Please do not hesitate to ask us anything and we will respond to you asap.

image

    You have read, understood and agree to be bound by Netrust's Personal Data Protection Policy and Terms of Service.

    This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.