How to verify that SSL certificate matches key

In order to verify that OpenSSL key matches certificate you can run following command: For key:

openssl rsa -noout -modulus -in  yourdomain.key | openssl md5

and for certificate:

openssl x509 -noout -modulus -in  yourdomain.crt | openssl md5

and for CSR (Certificate Signing Request):

openssl req -noout -modulus -in  yourdomain.csr <span style="box-sizing: border-box; color: #2aa198;">| openssl md5</span>

In all cases you should get the same output, for example:


If the output is the same in all cases this means that keys match certificate. If the output is different in even one case, you have a mismatch somewhere. If you have multiple certificates in one .crt file, for example your domain SSL certs and CA certs, make sure your certificate is at the top of the file, because this tool checks only first certificate from the input file.