In order to verify that OpenSSL key matches certificate you can run following command: For key:
openssl rsa -noout -modulus -in yourdomain.key | openssl md5
and for certificate:
openssl x509 -noout -modulus -in yourdomain.crt | openssl md5
and for CSR (Certificate Signing Request):
openssl req -noout -modulus -in yourdomain.csr | openssl md5
In all cases you should get the same output, for example:
If the output is the same in all cases this means that keys match certificate. If the output is different in even one case, you have a mismatch somewhere.
If you have multiple certificates in one .crt file, for example your domain SSL certs and CA certs, make sure your certificate is at the top of the file, because this tool checks only first certificate from the input file.