Determine if private key belongs to certificate?
I'm going to assume you have ssl.crt and ssl.key in your current directory.
If you want to see what's in your certificate it's
# openssl x509 -in ssl.crt -text -noout
Two of the things in here will be the RSA public Key's Modulus and Exponent (in hex).
If you want to see what's in your private key it's
# openssl rsa -in ssl.key -text -noout
Note the public key is usually in there (at the very least the modulus is required to be in there for the private key to work, and the public exponent is usually 65537 or 3). So you can simply check if the modulus and public exponent match. Granted, if you want to check that the private key is actually valid (that is d and e are valid RSA exponents for the modulus m), you would need to run
# openssl rsa -check -in ssl.key -noout
EDIT (2018): Please note if you are checking that a private key coming from an untrusted source corresponds with a certificate, you MUST CHECK that the private key is valid. See here for an example where not checking the validity of a "leaked" private key lead to a CA improperly revoking a certificate. You may skip this step if you know you validly generated the keypair.
Now you can simply generate the public key from both the certificate and the private key and then use diff
to check that they don't differ:
# openssl x509 -in ssl.crt -pubkey -noout > from_crt.pub
# openssl rsa -in ssl.key -pubout > from_key.pub
# diff from_crt.pub from_key.pub
Or as a one liner that doesn't create files (using process substitution):
# diff <(openssl x509 -in ssl.crt -pubkey -noout) <(openssl rsa -in ssl.key -pubout)
If the keys match, diff shouldn't return anything. (You probably will see "writing RSA key" output to stderr from the second command).
Note your webserver probably would loudly complain if the certificate and private key didn't match. E.g., with nginx using the wrong key (same size, same public exponent, but last year's key) for the certificate nginx is using:
# sudo /etc/init.d/nginx restart
* Restarting nginx nginx
nginx: [emerg] SSL_CTX_use_PrivateKey_file("/etc/nginx/ssl/private/wrong_key.key") failed
(SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
nginx: configuration file /etc/nginx/nginx.conf test failed
The accepted answer is correct, but it only works for RSA keys.
At least since openssl 1.1.1 it is possible to test validity of all types of private keys and here's a one-liner that works for all sorts of keys that openssl supports
cmp <(openssl x509 -pubkey -in certificate.pem -noout) <(openssl pkey -check -pubout -in private-key.pem -outform PEM)
It will return 'true' if and only if the private key matches the public key in the certificate.