Verifying a Private Key Matches an SSL Certificate Using OpenSSL
Amanda DavisShare
Every key values mismatch error on every platform comes down to one question, whether the Private Key on the server actually pairs with the SSL Certificate being installed. OpenSSL answers it in seconds, before any configuration is touched, and making this check a habit removes a whole category of failed installations.
The Public Key Hash Method
A Private Key and its SSL Certificate share the same public key, so extracting the public key from each and comparing a hash of the two settles the question definitively. This approach works for RSA and Elliptic Curve Cryptography (ECC) material alike, which makes it the method worth memorizing.
Run the two commands and compare their output, which must be identical character for character.
openssl x509 -in yourdomain.crt -noout -pubkey | openssl sha256
openssl pkey -in yourdomain.key -pubout | openssl sha256
Matching hashes prove the pair belongs together, and any installation problem lies elsewhere. Differing hashes prove the opposite, and no amount of configuration will make the pair work.
Checking a Certificate Signing Request
The same comparison extends to a Certificate Signing Request (CSR), which is useful before submission to confirm the request came from the key you think it did.
openssl req -in yourdomain.csr -noout -pubkey | openssl sha256
All three hashes matching means the key, the request, and the issued SSL Certificate form one consistent set. Learn About Generating a CSR 🔗
Reading a Mismatch Correctly
A mismatch almost always means the Certificate Signing Request (CSR) was regenerated at some point after submission, replacing the original Private Key with a new one. The issued SSL Certificate still pairs with the original key, which no longer exists, and the new key pairs with nothing issued.
Less commonly, the files simply belong to different domains or different orders, mixed up in a directory of similar names. The subject of the SSL Certificate is quick to confirm.
openssl x509 -in yourdomain.crt -noout -subject -enddate
Tip : Run the hash comparison the moment your SSL Certificate arrives, before touching any server configuration. A mismatch caught at this stage costs one reissue, while the same mismatch discovered mid-installation costs an outage window as well.
When the check fails despite correct files, only one path remains.
Resolving a Genuine Mismatch
When the hashes disagree and the files are confirmed to be the right ones, the resolution is a reissue. Generate a fresh Certificate Signing Request (CSR) on the server, complete the reissue against it, and run the comparison again on the replacement before installing. Learn About Reissuing Your SSL Certificate 🔗
Trustico® does not retain Private Keys, so a lost or replaced key always resolves through reissue rather than recovery, which is also exactly how the system is designed to behave from a security standpoint. The wider topic of Private Key handling rewards a deeper read. Learn About Private Key Information 🔗
