All HowTo's Cyber-Security Web Servers

Check if your SSL certificate and Key match

This article shows how to check if your SSL key and certificate match. Why would you do this? Suppose you’ve just purchased a certificate and in the process mixed up your files OR perhaps the files aren’t named in the way the documentation suggests they are.

Let’s first see what you have. You should have your CSR file (the file that you generated and sent to the SSL vendor), your KEY or PEM file (PEM and KEY are interchangeable terms) and you should have a CRT and possibly a BUNDLE from your SSL vendor.

The CRT and BUNDLE file from your vendor should be obvious. Those files both start with:


If you’re not sure, leave the BUNDLE out of the equation for now. It’s not fully needed but does make things link together nicer.

Your CSR file starts with the following line:


And your KEY or PEM file starts with this:


Now that you know which file is which, you can use the following two commands to see if they match. The output of these two commands should be the same:

openssl rsa -check -noout -modulus -in /my_certificates/www_example_com.key


openssl x509 -noout -modulus -in /my_certificates/www_example_com.crt

Now let’s see what your web server needs. The following two examples show the CRT and KEY/PEM files for both Apache and NginX.


SSLCertificateFile /my_certificates/www_example_com.crt
SSLCertificateKeyFile /my_certificates/www_example_com.key


ssl_certificate /my_certificates/www_example_com.crt;
ssl_certificate_key /my_certificates/www_example_com.key;

Remember to test the new configuration before restarting the web server. NginX can be done with the following:

service nginx configtest

Leave a Reply

Your email address will not be published. Required fields are marked *