Certificate Key Matcher

Verify that your SSL certificate and private key are a matching pair — 100% client-side

Your private key never leaves your browser. All verification is 100% client-side.

Why Certificate-Key Matching Matters

SSL/TLS certificates and private keys are generated as mathematically linked pairs. When deploying HTTPS on a web server, you must provide a certificate and its corresponding private key. If they do not match, the server will fail to start TLS handshakes and visitors will see connection errors.

Mismatches commonly occur when certificates are renewed without generating a new key, when multiple certificates exist for the same domain, or when files are accidentally mixed up during server migration. System administrators managing many domains are especially prone to this issue.

The modulus comparison method is the standard way to verify a match. Both the certificate's public key and the private key contain the same RSA modulus (the product of two large primes). By extracting and hashing the modulus from each, we can quickly determine whether they belong to the same key pair. This tool computes the MD5 hash of each modulus entirely in your browser using the node-forge library, so your private key is never transmitted anywhere.

Frequently Asked Questions

How does modulus comparison work?

An RSA key pair shares a common modulus — the product of two large primes. The certificate contains the public key (with the modulus), and the private key also contains this modulus. If both modulus values are identical, the certificate and key are a matching pair.
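The modulus comparison described above and under "Why Certificate-Key Matching Matters", as an added example that is not this tool's own code: it uses Node.js's built-in crypto module instead of node-forge so it runs offline. The names matchCertAndKey, rsaModulus, md5Hex and makePair are chosen here, and the sample inputs are freshly generated key pairs whose public-key PEM stands in for a certificate (crypto.createPublicKey also accepts a PEM X.509 certificate).

```javascript
const crypto = require('crypto');

// Extract the RSA modulus from a PEM. For the public side, Node accepts an
// X.509 certificate or a public key; for the private side, PKCS#1 or PKCS#8.
function rsaModulus(pem, isPrivate) {
  const key = isPrivate ? crypto.createPrivateKey(pem) : crypto.createPublicKey(pem);
  if (key.asymmetricKeyType !== 'rsa') {
    // EC and other key types have no modulus, so this method does not apply.
    throw new Error(`modulus comparison needs an RSA key, got ${key.asymmetricKeyType}`);
  }
  // The JWK export exposes the modulus as the base64url field "n".
  return Buffer.from(key.export({ format: 'jwk' }).n, 'base64url');
}

// MD5 is only a short display fingerprint here, as on the page; the match
// decision below compares the full moduli byte for byte.
function md5Hex(buf) {
  return crypto.createHash('md5').update(buf).digest('hex');
}

function matchCertAndKey(certOrPublicKeyPem, privateKeyPem) {
  const certModulus = rsaModulus(certOrPublicKeyPem, false);
  const keyModulus = rsaModulus(privateKeyPem, true);
  return {
    certModulusMd5: md5Hex(certModulus),
    keyModulusMd5: md5Hex(keyModulus),
    match: certModulus.equals(keyModulus),
  };
}

// Constructed sample input: a fresh RSA key pair as PEM strings.
function makePair(privateType = 'pkcs8') {
  return crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: privateType, format: 'pem' },
  });
}

const deployed = makePair();
const stale = makePair('pkcs1'); // e.g. a key left over from an earlier CSR
console.log(matchCertAndKey(deployed.publicKey, deployed.privateKey));
console.log(matchCertAndKey(deployed.publicKey, stale.privateKey));
```

With real files, pass the contents of the certificate PEM and the private key PEM as the two arguments.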

Is it safe to paste my private key here?

Yes. This tool runs entirely in your browser using the node-forge JavaScript library. Your private key is never sent to any server. You can verify this by checking your browser's Network tab — no requests are made when you click Verify.

What formats are supported?

This tool supports PEM-encoded RSA certificates and private keys. PEM files are Base64-encoded text starting with -----BEGIN CERTIFICATE----- or -----BEGIN RSA PRIVATE KEY----- / -----BEGIN PRIVATE KEY-----. If you have DER or PFX files, convert them to PEM first using our SSL Converter tool.

What if my certificate and key don't match?

If they don't match, you likely have the wrong key for your certificate. You'll need to either find the correct private key that was used to generate the CSR for this certificate, or generate a new CSR with your existing key and request a new certificate from your CA.