Does my private key match my SSL certificate? How to check
You install a new certificate, restart the server, and it refuses to start with a "key values mismatch" error. That error means the certificate and the private key you paired it with do not belong together. Understanding why makes the fix quick.
Why they have to match
A certificate contains a public key. Somewhere on your server sits the matching private key. The two are a mathematical pair: data encrypted to the public key can only be unlocked by its private partner, and the TLS handshake relies on the server proving it holds that private key. If the certificate's public key and your private key are not partners, the server cannot complete the handshake, so it refuses to serve at all.
This happens most often when a certificate is reissued or renewed and the wrong key file is left in place, or when several domains' keys live in the same directory and the paths get crossed.
The check that proves a match
For RSA keys, both the certificate and the private key embed the same modulus, a very large number shared by both. If the moduli are identical, the pair matches. The classic command-line check derives the modulus from each file and compares:
- the modulus of the certificate,
- the modulus of the private key,
- and, if you have it, the modulus of the CSR the key generated.
All three should be identical. Elliptic-curve keys have no modulus; the same idea applies by comparing the public point instead.
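The check above as a runnable script (an added example, not from the original article or the Key Matcher tool). It assumes the openssl CLI is installed, builds its own throwaway keys and certificates, and compares the full public key rather than only the RSA modulus, so the same function also covers the elliptic-curve case; the RSA modulus comparison is kept alongside it.

```shell
#!/bin/sh
# Added example (not from the article): check that a certificate, a CSR and a
# private key carry the same public key. Assumes the openssl CLI is installed.
# Comparing the full public key (SubjectPublicKeyInfo) rather than only the RSA
# modulus makes the same check work for EC keys too.

# Print a SHA-256 fingerprint of the public key carried by a cert, key or CSR.
pubkey_fp() {
    case "$1" in
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
    esac | openssl sha256 | awk '{print $NF}'
}

# Exit 0 when two artifacts (cert/key/csr) carry the same public key, else 1.
same_pubkey() {
    [ "$(pubkey_fp "$1" "$2")" = "$(pubkey_fp "$3" "$4")" ]
}

# The classic RSA-only form of the check: compare the moduli directly.
rsa_modulus_match() {
    [ "$(openssl x509 -in "$1" -noout -modulus)" = "$(openssl rsa -in "$2" -noout -modulus)" ]
}

# Constructed demo material: an RSA key with its CSR and self-signed cert,
# a second RSA key that does NOT belong to that cert, and an EC key/cert pair.
demo_dir=$(mktemp -d)
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$demo_dir/a.key" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$demo_dir/b.key" 2>/dev/null
openssl req -new -key "$demo_dir/a.key" -subj "/CN=example.test" -out "$demo_dir/a.csr"
openssl req -new -x509 -key "$demo_dir/a.key" -subj "/CN=example.test" -days 1 -out "$demo_dir/a.crt"
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$demo_dir/ec.key" 2>/dev/null
openssl req -new -x509 -key "$demo_dir/ec.key" -subj "/CN=ec.example.test" -days 1 -out "$demo_dir/ec.crt"

# Report each pairing; the third line is the situation behind "key values mismatch".
report() {
    if same_pubkey "$1" "$2" "$3" "$4"; then echo "match:    $2 <-> $4"; else echo "MISMATCH: $2 <-> $4"; fi
}
report cert "$demo_dir/a.crt"  key "$demo_dir/a.key"
report csr  "$demo_dir/a.csr"  key "$demo_dir/a.key"
report cert "$demo_dir/a.crt"  key "$demo_dir/b.key"
report cert "$demo_dir/ec.crt" key "$demo_dir/ec.key"
```

Point `same_pubkey` at your real files (`same_pubkey cert /path/to/site.crt key /path/to/site.key`) to check a live pair; nothing leaves the machine.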
Doing it without exposing the key
The catch is that pasting a private key into a random website is exactly the kind of mistake that compromises a server. The check does not require sending the key anywhere; it can be done entirely on your own machine. The Key Matcher runs fully in your browser and never transmits what you paste, deriving and comparing the public keys locally. Once the pair is confirmed, reading the certificate's own fields confirms it is the right cert for the right host.