One of the most common SSL installation errors is a certificate and private key mismatch. You install a new SSL certificate, restart your web server — and it refuses to start. The error log says something like "SSL_CTX_use_PrivateKey_file: key values mismatch" or "certificate and private key do not match". This is the most common cause of SSL handshake failures after a certificate renewal.
The Anonymiz Certificate Key Matcher lets you verify the match in seconds without any command-line tools.
Why Certificate and Key Mismatch Happens
An SSL certificate is mathematically tied to the private key that was used to generate its Certificate Signing Request (CSR). The certificate contains the public key derived from that private key. For SSL to work, your server must have both the matching certificate and the corresponding private key.
Mismatches happen most commonly in three situations:
- Renewing a certificate — A new CSR is generated (creating a new private key) but the old certificate is replaced without updating the private key file.
- Moving certificates between servers — The certificate is copied to a new server but the private key is not, or a different key file is used.
- Multiple domains — The wrong certificate file is used when multiple certificates are managed on the same server.
How to Check If They Match
The traditional way is to compare the modulus of both files using OpenSSL on the command line. If the MD5 hash output of both commands is identical, they match:
openssl x509 -noout -modulus -in certificate.pem | md5sum
openssl rsa -noout -modulus -in private.key | md5sum
If you do not have OpenSSL installed or prefer a browser-based check, the Certificate Key Matcher does the same check server-side. Paste your certificate PEM and private key PEM into the two boxes and click Check Match. The tool extracts the public key from both and compares them cryptographically.
What the Result Means
If the certificate and key match, the tool shows a green confirmation along with the certificate details — domain, issuer, validity period, key type and key size. If they do not match, you will see a red mismatch warning. In that case, you need to either obtain a new certificate using a CSR generated from your current private key, or locate the correct private key that was generated alongside this certificate.
Fixing a Mismatch
If your certificate and key do not match, the fix depends on what you have:
- You have the original private key somewhere — Search your server for .key files. Use the matcher to test each one against the certificate until you find the matching pair.
- You do not have the original private key — You need a new certificate. Use the CSR Generator to create a new CSR and private key pair, submit the CSR to your Certificate Authority and install the new certificate with its matching key.
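The check from "How to Check If They Match" and the key search from the first option above can be run locally in one script, so the private key stays on the server. This is an added example, not code from the Certificate Key Matcher; the function names and the command-line arguments are hypothetical. The modulus comparison applies only to RSA keys, so the script compares the full public key instead, which also covers EC keys.

```shell
#!/usr/bin/env bash
# Added example: find the private key that belongs to a certificate.
# Function names and arguments are hypothetical, not part of any tool.

# Return 0 if key file $2 is the private key for certificate $1,
# 1 if the public keys differ, 2 if either file cannot be parsed.
cert_key_match() {
    local cert_pub key_pub
    # Public key embedded in the certificate (PEM, SubjectPublicKeyInfo).
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    # Public key derived from the private key. "-passin pass:" stops
    # openssl from prompting, so passphrase-protected keys are reported
    # as unreadable (2) instead of blocking a directory scan.
    key_pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 2
    # Guard against comparing two empty strings as "equal".
    [ -n "$cert_pub" ] && [ -n "$key_pub" ] || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Print every *.key file under directory $2 that matches certificate $1.
# Returns 1 if no file matched.
find_matching_key() {
    local cert="$1" dir="$2" found=1 f
    while IFS= read -r f; do
        if cert_key_match "$cert" "$f"; then
            printf '%s\n' "$f"
            found=0
        fi
    done <<EOF
$(find "$dir" -type f -name '*.key' 2>/dev/null)
EOF
    return "$found"
}

# Usage: ./find-key.sh certificate.pem /directory/to/search
if [ "$#" -eq 2 ]; then
    find_matching_key "$1" "$2" || echo "no matching key found" >&2
fi
```

Run it as a user who can read the key files; unreadable or malformed files are skipped rather than reported as matches.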
Check Your Certificate Now
The Certificate Key Matcher is free, requires no login and runs the check server-side using PHP OpenSSL. Your private key is never logged, stored or transmitted beyond the check. Results appear in seconds.


