Certificate Key Matcher
More Information About the Certificate Key Matcher
The Certificate Key Matcher confirms that a private key and an SSL certificate belong together — useful as a pre-deployment check, so you don't push a certificate paired with the wrong key and break TLS on your server.
How the check works:
- The tool extracts the public key from the certificate you paste.
- It signs a small piece of random data with the private key you paste.
- It verifies that signature using the certificate's public key.
- If the signature verifies, the key and certificate are a matching pair. If not, they don't belong together.
Supported inputs:
- Certificate — PEM (
-----BEGIN CERTIFICATE-----) or DER. - Private key — PEM-encoded RSA, ECC (
P-256/P-384/P-521), or DSA. Both PKCS#1 (BEGIN RSA PRIVATE KEY) and PKCS#8 (BEGIN PRIVATE KEY) formats are accepted.
Security note: never paste a production private key into any tool you don't fully trust. This check runs entirely in your browser using the Web Crypto API and the private key is never transmitted — but you should still treat private keys with the same care you would a password. If you suspect a key has been exposed, rotate it.
If the keys don't match, generate a fresh pair with the CSR Generator and have the certificate re-issued.
Certificate
Paste or import a certificate in PEM or DER form.
Supports .crt, .cer, .pem, .der, and .txt files.
Private Key
Paste or import an RSA or EC private key.
Supports PEM private keys such as PRIVATE KEY, RSA PRIVATE KEY, and EC PRIVATE KEY.


