Key Matcher
Check whether a PEM private key matches a certificate. The key never leaves your browser.
About the Key Matcher
Key Matcher answers a common deployment question: does this private key belong to this certificate? Paste both PEM blocks and the tool compares the public key material derived from the private key against the public key embedded in the certificate. For RSA keys it checks that the modulus and exponent match.
Installing a certificate without the matching private key is a frequent cause of TLS handshake failures after a renewal. Before reloading nginx, Apache, or a load balancer, run a quick match check so you know the pair is correct.
The private key is parsed entirely in your browser. It is never uploaded, logged, or sent to any server. That is the only safe way to handle private key material in a web tool, and we state it plainly because pasted keys are as sensitive as passwords.
RSA keys are fully compared in the browser. Elliptic curve and Ed25519 keys may need OpenSSL verification on your machine for definitive results; the tool will say so when comparison is inconclusive.
Reach developers and designers who use these tools every day. Privacy-first, no trackers.
Frequently asked questions
Is my private key sent to a server?
No. Both the private key and certificate are parsed locally in your browser. Nothing is uploaded.
Which private key formats work?
PEM encoded PKCS#8 (BEGIN PRIVATE KEY), PKCS#1 (BEGIN RSA PRIVATE KEY), and EC private keys (BEGIN EC PRIVATE KEY) are accepted when node-forge can parse them.
What does a mismatch mean?
The certificate was issued for a different key pair. Installing it with this private key will fail TLS handshakes. You need the correct key or a reissued certificate.
Can I match a CSR instead of a certificate?
This tool expects a certificate. A CSR contains the public key from the same key pair, so openssl req and x509 commands on your machine are the right path for CSR comparison.
Does it work with encrypted (passphrase protected) keys?
Passphrase protected PEM is not supported in the browser. Decrypt the key locally with openssl rsa or openssl pkcs8 first, then paste the unencrypted PEM.