Certificate, Key & CSR Matcher
Compare the public keys inside certificates, CSRs, and keys without uploading them
Certificates, CSRs, public keys, and unencrypted private keys can wrap the same public key in different structures. This matcher extracts each public key, converts it to canonical SubjectPublicKeyInfo (SPKI) DER, and compares the bytes directly. It also reports a SHA-256 fingerprint so you can compare the same public key in another tool. Formatting, PEM line breaks, subjects, serial numbers, and filenames are not used as proof of a match.
- Match: Both inputs contain the same canonical public key.
- Mismatch: The canonical public keys differ, even if the names or PEM labels look similar.
- Unsupported: At least one input could not be safely parsed or normalized.
- CSR self-signature: The request verifies against its embedded key; this is not CA approval.
OpenSSL can produce the same kind of SHA-256 comparison from canonical public-key DER:
# Certificate
openssl x509 -in certificate.pem -pubkey -noout \
| openssl pkey -pubin -outform DER \
| openssl dgst -sha256
# CSR
openssl req -in request.csr -pubkey -noout \
| openssl pkey -pubin -outform DER \
| openssl dgst -sha256
# Private key (may prompt if encrypted)
openssl pkey -in private-key.pem -pubout -outform DER \
| openssl dgst -sha256Does a key match prove the certificate is valid?
No. It proves only that the normalized public keys are equal. Trust, expiry, revocation, hostname coverage, and chain validation are separate checks.
Does a CSR name difference mean the key is wrong?
No. Requested and issued names can differ while the CSR and certificate still contain the same public key.
Can I compare an encrypted private key?
No. This version does not request passphrases or decrypt private-key containers. Use OpenSSL locally when a passphrase is required.
Are my inputs uploaded or added to the URL?
No. Comparison stays in the browser, and the page does not persist inputs in query parameters or links.