Encrypt Online
Theme
Privacy Tool inputs are processed in your browser and are not sent to us.

Certificate, Key & CSR Matcher

Compare the public keys inside certificates, CSRs, and keys without uploading them

Safety note: Comparison runs only in your browser. Private-key inputs are masked from analytics and never echoed in results; only derived public-key metadata is shown. Encrypted private keys are not accepted in this version.
Compare two or three PKI inputsInspect single blocks or PEM bundles, select the material you mean, and compare canonical SPKI bytes
Paste one complete PEM block or a PEM bundle per slot. Encrypted private keys are not handled here.
What the Matcher Compares

Certificates, CSRs, public keys, and unencrypted private keys can wrap the same public key in different structures. This matcher extracts each public key, converts it to canonical SubjectPublicKeyInfo (SPKI) DER, and compares the bytes directly. It also reports a SHA-256 fingerprint so you can compare the same public key in another tool. Formatting, PEM line breaks, subjects, serial numbers, and filenames are not used as proof of a match.

How to Read the Result
  • Match: Both inputs contain the same canonical public key.
  • Mismatch: The canonical public keys differ, even if the names or PEM labels look similar.
  • Unsupported: At least one input could not be safely parsed or normalized.
  • CSR self-signature: The request verifies against its embedded key; this is not CA approval.
OpenSSL Comparison Commands

OpenSSL can produce the same kind of SHA-256 comparison from canonical public-key DER:

# Certificate
openssl x509 -in certificate.pem -pubkey -noout \
  | openssl pkey -pubin -outform DER \
  | openssl dgst -sha256

# CSR
openssl req -in request.csr -pubkey -noout \
  | openssl pkey -pubin -outform DER \
  | openssl dgst -sha256

# Private key (may prompt if encrypted)
openssl pkey -in private-key.pem -pubout -outform DER \
  | openssl dgst -sha256
FAQ
Does a key match prove the certificate is valid?

No. It proves only that the normalized public keys are equal. Trust, expiry, revocation, hostname coverage, and chain validation are separate checks.

Does a CSR name difference mean the key is wrong?

No. Requested and issued names can differ while the CSR and certificate still contain the same public key.

Can I compare an encrypted private key?

No. This version does not request passphrases or decrypt private-key containers. Use OpenSSL locally when a passphrase is required.

Are my inputs uploaded or added to the URL?

No. Comparison stays in the browser, and the page does not persist inputs in query parameters or links.