How to Check If a Private Key Matches a Certificate

When working with SSL, SAML, JWT, or other cryptographic systems, it’s essential to ensure that your private key and certificate actually belong to each other. A mismatch can lead to hours of frustrating errors like:

  • Failed to decrypt
  • Invalid signature
  • No matching private key found

I have encountered a few of those errors and didn't explore the possibility of a mismatch. This post walks through how to quickly verify that a certificate and private key match using OpenSSL.

Check modulus using OpenSSL

In RSA, the modulus is a large number shared by the public key and the private key of one key pair. It is computed once, at key generation, so the public key embedded in a certificate and the private key that belongs to it always carry the same modulus.

Think of it as a DNA marker for key pairs: if two keys have the same modulus, they come from the same family (i.e., they were generated together).

Step 1: Check modulus of the certificate

openssl x509 -in certificate.crt -noout -modulus | openssl md5

Step 2: Check modulus of the private key

openssl rsa -in private.key -noout -modulus | openssl md5

✅ If the hashes match, the private key and certificate belong together.
❌ If they don’t match, they’re from different key pairs.
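Two caveats on the modulus check: it is RSA-only (openssl rsa cannot read an EC key, so it errors out rather than reporting a mismatch), and the openssl md5 step only shortens a very long number for eyeballing; its strength does not matter here because both inputs are yours. The script below is an added example, not code from the original post. It compares the complete public key instead of the modulus, using only standard OpenSSL commands (x509 -pubkey and pkey -pubout), so it works for RSA and EC keys alike, and it generates its own throwaway keys to show one match, one mismatch and one EC pair. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: decide whether a private key and a
# certificate belong together by comparing the public key in the certificate with
# the public key derived from the private key. Unlike "-modulus", this works for
# EC keys as well as RSA. Helper names are this example's own.
set -u

# PEM public key (SubjectPublicKeyInfo) carried inside a certificate.
cert_pubkey() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null
}

# PEM public key derived from an (unencrypted) private key.
key_pubkey() {
    openssl pkey -in "$1" -pubout 2>/dev/null
}

# Short SHA-256 fingerprint of a PEM public key, for readable output only.
pubkey_fp() {
    printf '%s\n' "$1" | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit 0 when the key matches the certificate, 1 when it does not or when
# either file cannot be read (an empty public key never matches).
key_matches_cert() {
    cert_pub=$(cert_pubkey "$1")
    key_pub=$(key_pubkey "$2")
    [ -n "$cert_pub" ] && [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Human-readable verdict for one certificate/key pair.
report() {
    if key_matches_cert "$1" "$2"; then
        echo "MATCH    $2 <-> $1  ($(pubkey_fp "$(cert_pubkey "$1")"))"
    else
        echo "MISMATCH $2 <-> $1"
    fi
}

# Demo on throwaway keys generated here (constructed for this example):
# one RSA pair, an unrelated RSA key, and one EC pair.
demo() {
    tmp=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example-rsa" \
        -keyout "$tmp/rsa.key" -out "$tmp/rsa.crt" >/dev/null 2>&1
    openssl genpkey -algorithm RSA -out "$tmp/other.key" >/dev/null 2>&1
    openssl ecparam -name prime256v1 -genkey -noout -out "$tmp/ec.key" 2>/dev/null
    openssl req -new -x509 -key "$tmp/ec.key" -days 1 -subj "/CN=example-ec" \
        -out "$tmp/ec.crt" >/dev/null 2>&1

    report "$tmp/rsa.crt" "$tmp/rsa.key"     # MATCH
    report "$tmp/rsa.crt" "$tmp/other.key"   # MISMATCH: a different key pair
    report "$tmp/ec.crt"  "$tmp/ec.key"      # MATCH, although "openssl rsa -modulus" cannot read this key
    rm -rf "$tmp"
}

demo
```

For an encrypted private key, add -passin to the openssl pkey call (otherwise the CLI prompts for the passphrase). Because key_matches_cert exits 0 on a match and 1 on a mismatch or unreadable input, it can gate a deployment step before a mismatched pair is ever installed.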
