SPKI Cert CSR Key
SSL certificate, CSR, and private key matcher
Introduction:

Certificate and key mismatches usually surface after the surrounding work already looks finished. The certificate file has the right hostname, the renewal ticket is closed, and the web server configuration points at familiar paths, yet the listener refuses to start or the TLS handshake fails. The hidden cause is often simple: the certificate, certificate signing request, and private key do not all describe the same public key.

A TLS certificate publishes a public key and binds it to subject names, issuer data, serial number, validity dates, and extensions. A certificate signing request, or CSR, contains the public key that was sent to the certificate authority before issuance. A private key contains secret material, but an RSA private key also contains enough public values to rebuild the public half for comparison. Matching is therefore about public-key identity, not filenames, common names, or renewal dates.

The useful continuity marker is SubjectPublicKeyInfo, usually shortened to SPKI. SPKI carries the public key and its algorithm identifier in a stable structure. Hashing that structure creates an SPKI pin, which stays the same when the same key pair is reused across a reissued certificate and changes when a key rotation or accidental file mix-up introduces a different key.

  • A renewal can change serial number, issuer signature, dates, and extensions while keeping the same key pair.
  • A planned key rotation should make the new certificate stop matching the old CSR or old private key.
  • A migration can copy a certificate chain but leave the matching private key on the old host.
  • A support attachment can put an intermediate certificate before the leaf, causing the wrong certificate block to be compared.

Figure: Certificate, CSR, and RSA private key are reduced to SPKI pins before a match or mismatch verdict.

A key match is not a full certificate audit. It does not prove browser trust, hostname coverage, certificate-chain completeness, revocation status, expiry policy, service configuration, or private-key safety after compromise. It answers the narrower deployment question of whether the supplied certificate material belongs to the same key pair.

How to Use This Tool:

Start with the certificate that will be installed, then add the CSR, private key, or both peers you want to compare.

  1. Paste the leaf certificate into Certificate PEM or choose Browse certificate. PEM, CRT, CER, and TXT files are accepted; when a chain is pasted, the first CERTIFICATE block becomes the comparison target.
  2. Paste the request into CSR PEM when you want to confirm that the issued certificate belongs to a saved CSR. Standard CSR boundaries, NEW CERTIFICATE REQUEST boundaries, and bare base64 CSR text are accepted.
  3. Paste the deployment key into Private key PEM when you want to compare certificate-to-key material. The private-key path supports RSA private keys, including RSA key material in PKCS#8 PEM.
  4. Open Advanced and fill Key passphrase only for encrypted keys. A missing or wrong passphrase reports a decryption error before a match verdict appears.
  5. Adjust Fingerprint preview from 12 to 44 characters when visible SPKI pins need more or less room. This changes badges and tables only; JSON keeps full pins.
  6. Choose Match key material. If only Certificate PEM is filled, the button reads Inspect certificate and the result reports NEEDS PEER because no CSR or key was supplied.
  7. Read Key Match Brief first. Use Fingerprint Ledger for subjects, issuer, serial, validity, key summaries, SPKI pins, chain count, and warnings; use Match Signals for the shorter operational narrative.

Interpreting Results:

MATCH means every available SPKI comparison is equal. MISMATCH means at least one supplied peer exposes a different public key. NEEDS PEER means the certificate parsed, but there was no CSR or private key to compare against it.

The SPKI pin is the deciding value. A certificate and key can share a host label in their filenames and still mismatch, while a renewed certificate can have new document fields and still match the old CSR or RSA key. A match is a strong file-pairing clue, not proof that the certificate is ready for production traffic.

SSL key matcher result cues and follow-up checks

Cue: Certificate vs CSR: Match
  Meaning: The issued certificate and request carry the same public key.
  Follow-up: Confirm the requested names and certificate extensions are the intended ones.

Cue: Certificate vs private key: Mismatch
  Meaning: The pasted RSA private key does not belong with the certificate.
  Follow-up: Find the original key or issue a replacement certificate from the key that will be deployed.

Cue: CSR Signature Verified: No
  Meaning: The CSR parsed, but its own signature failed against its embedded public key.
  Follow-up: Regenerate the CSR before relying on it as request evidence.

Cue: Certificate Blocks Found greater than 1
  Meaning: The certificate input contains a chain and only the first certificate block was compared.
  Follow-up: Move the leaf certificate to the top before treating a mismatch as a key problem.

Technical Details:

X.509 certificates and PKCS #10 CSRs both include a SubjectPublicKeyInfo structure. SPKI contains the public key and the algorithm identifier needed to interpret it. Because the structure represents the key rather than the whole certificate document, it remains useful across reissuance when the key pair is intentionally reused.

A CSR also includes a signature over its request information. When that signature verifies, the CSR is internally consistent and was signed with the private key corresponding to the request public key. That does not prove that a CA issued the final certificate from that exact request, so the SPKI comparison remains the continuity check.

RSA private keys can be compared because their public modulus and exponent can rebuild the public key. Once rebuilt, the public half can be encoded as SPKI and pinned in the same way as the certificate and CSR public keys. Non-RSA private keys do not produce a private-key comparison result here.

Transformation Core:

The SPKI pin is the base64-encoded SHA-256 digest of the DER-encoded SubjectPublicKeyInfo.

$P_{\mathrm{SPKI}} = \mathrm{Base64}\left(\mathrm{SHA\text{-}256}\left(\mathrm{DER}(\mathrm{SubjectPublicKeyInfo})\right)\right)$

Certificate material extraction behavior

Material: Certificate
  Public-key source: The first certificate block supplies subject, issuer, serial, validity, key summary, chain count, and SPKI pin.
  Important boundary: Later certificates in a pasted chain are counted but not used as the leaf comparison target.

Material: CSR
  Public-key source: The request supplies subject details, a self-signature result, key summary, and SPKI pin.
  Important boundary: A verified CSR proves request consistency, not certificate issuance or hostname approval.

Material: RSA private key
  Public-key source: The modulus and public exponent rebuild the RSA public key before SPKI pinning.
  Important boundary: An encrypted key must decrypt first; unsupported key types stop before private-key matching.

Rule Core:

SSL key matcher decision rules

Status: MATCH
  Rule: At least one peer artifact is supplied, and every available SPKI comparison is equal.
  What remains unchecked: Trust chain, hostname coverage, revocation, expiry policy, listener configuration, and file permissions.

Status: MISMATCH
  Rule: At least one available SPKI comparison differs.
  What remains unchecked: Which file is stale or misplaced when several similar certificates, CSRs, or keys are present.

Status: NEEDS PEER
  Rule: The certificate parses successfully, but no CSR or private key was supplied.
  What remains unchecked: Whether the deployment key or saved request belongs with the certificate.
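The three statuses are a pure function of the pins, so the rule table can be checked on its own. The Go program below is an added example for this page, not the matcher's code: decide, Peer and Row are the author's names, the "Certificate vs ..." labels mirror the cue table, and the sample pins are computed from two freshly generated RSA keys (keyA as the deployment pair, keyB standing in for a retired host's key) rather than from real files. The three cases correspond to the Worked Examples that follow.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
)

// spkiPin computes P_SPKI = Base64(SHA-256(DER(SubjectPublicKeyInfo))), the value
// every artifact is reduced to before the rules below are applied.
func spkiPin(pub any) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return base64.StdEncoding.EncodeToString(sum[:]), nil
}

// Peer is one optional comparison artifact (a CSR or an RSA private key) reduced to its pin.
type Peer struct{ Label, Pin string }

// Row is one comparison line of the brief, e.g. "Certificate vs CSR" / "Match".
type Row struct{ Label, Status string }

// decide applies the decision rules: NEEDS PEER when no CSR or key was supplied,
// MISMATCH when at least one available comparison differs, MATCH when all are equal.
func decide(certPin string, peers []Peer) (status string, rows []Row) {
	if len(peers) == 0 {
		return "NEEDS PEER", nil
	}
	status = "MATCH"
	for _, p := range peers {
		row := Row{Label: "Certificate vs " + p.Label, Status: "Match"}
		if p.Pin != certPin {
			row.Status, status = "Mismatch", "MISMATCH"
		}
		rows = append(rows, row)
	}
	return status, rows
}

func main() {
	// Constructed sample: keyA is the deployment key pair, keyB a retired host's key.
	keyA, _ := rsa.GenerateKey(rand.Reader, 2048)
	keyB, _ := rsa.GenerateKey(rand.Reader, 2048)
	a, _ := spkiPin(&keyA.PublicKey) // the pin a certificate or CSR carrying keyA would expose
	b, _ := spkiPin(&keyB.PublicKey)
	cases := []struct {
		name  string
		peers []Peer
	}{
		{"renewal checked against a saved CSR and key", []Peer{{"CSR", a}, {"private key", a}}},
		{"migration with an old server key", []Peer{{"CSR", a}, {"private key", b}}},
		{"certificate alone", nil},
	}
	for _, c := range cases {
		status, rows := decide(a, c.peers)
		fmt.Printf("%s: %s %v\n", c.name, status, rows)
	}
}
```

The function deliberately has no notion of filenames, subjects or dates: only the pins enter the decision, which is why a renewed certificate with new serial and validity still reports MATCH against the old CSR.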

Privacy Notes:

The matching action parses certificate, CSR, private key, and passphrase text in the browser session. The passphrase is not included in exported result data. Private keys remain sensitive even when the comparison runs locally, so avoid pasting production keys on shared machines, untrusted browser sessions, screen-shared systems, or browsers with extensions you do not control.

Worked Examples:

Renewal checked against a saved CSR. A renewed certificate for www.example.com is pasted into Certificate PEM, and the saved request from the order is pasted into CSR PEM. Key Match Brief shows MATCH, Certificate vs CSR shows Match, and CSR Signature Verified shows Yes. That confirms public-key continuity for the request, while hostname, chain, and expiry checks still remain.

Migration with an old server key. A team copies site.crt from the new certificate file set and old-site.key from a retired host. Certificate vs private key reports Mismatch, and Match Signals states that at least one public-key fingerprint differs. The correct fix is to locate the original key or request a new certificate for the key that will be installed.

Intermediate certificate pasted first. A ticket attachment contains an intermediate certificate followed by the leaf certificate. Certificate Blocks Found is greater than 1, and the warning says only the first certificate block was matched. Moving the leaf certificate to the top of Certificate PEM can change an apparent mismatch into the expected result.

Encrypted RSA key without a passphrase. An encrypted private key is pasted into Private key PEM while Key passphrase is blank. The result reports the encrypted-key problem instead of guessing. Enter the passphrase, run Match key material again, and then read the Certificate vs private key row.

FAQ:

Does a match mean the certificate is ready to install?

No. A match proves public-key identity across the supplied certificate, CSR, and RSA private key. Chain trust, hostname coverage, revocation, expiry policy, service configuration, and key-file permissions still need separate checks.

Why can a renewed certificate match an old CSR?

A renewed certificate can reuse the same public key while changing serial number, validity dates, issuer signature, and extensions. The SPKI pin stays the same when the public key stays the same.

Can EC private keys be compared?

The private-key comparison path supports RSA private keys. Certificates and CSRs may still expose other public-key types, but a non-RSA private key will not produce the private-key match row.

Why did a pasted certificate chain mismatch the CSR?

The certificate field uses the first CERTIFICATE block as the target. If an intermediate appears before the leaf, the comparison uses the intermediate public key and can report a mismatch.

What should I do when an encrypted key will not decrypt?

Enter the passphrase in Key passphrase and run the match again. If decryption still fails, confirm the PEM type and passphrase before assuming the certificate is wrong.

Is it safe to paste a production private key?

Treat production private keys as secrets. The matching action runs in the browser session, but clipboard history, browser extensions, screen sharing, shared machines, and local malware can still expose sensitive key material.

Glossary:

Leaf certificate
The end-entity certificate installed for a hostname, service, device, or client identity.
CSR
A certificate signing request containing a subject name, public key, optional requested attributes, and a signature made with the matching private key.
Private key
The secret half of a key pair. For RSA, the public half can be reconstructed for comparison, but the private key itself must stay protected.
SPKI
SubjectPublicKeyInfo, the structure that carries a public key and its algorithm information.
DER
Distinguished Encoding Rules, the stable binary ASN.1 encoding used before hashing the SPKI structure.
PKCS#8
A common private-key container format that can hold RSA key material, including encrypted private keys.