diff --git a/src/context.c b/src/context.c
index cafc222..4d2c838 100644
--- a/src/context.c
+++ b/src/context.c
@@ -395,6 +395,17 @@ static int load_key(lua_State *L)
   return ret;
 }
 
+/**
+ * Check that the certificate public key matches the private key
+ */
+
+static int check_key(lua_State *L)
+{
+  SSL_CTX *ctx = lsec_checkcontext(L, 1);
+  lua_pushboolean(L, SSL_CTX_check_private_key(ctx));
+  return 1;
+}
+
 /**
  * Set the cipher list.
  */
@@ -564,6 +575,7 @@ static luaL_Reg funcs[] = {
   {"locations",    load_locations},
   {"loadcert",     load_cert},
   {"loadkey",      load_key},
+  {"checkkey",     check_key},
   {"setcipher",    set_cipher},
   {"setdepth",     set_depth},
   {"setdhparam",   set_dhparam},
diff --git a/src/ssl.lua b/src/ssl.lua
index 64f805b..0b465e2 100644
--- a/src/ssl.lua
+++ b/src/ssl.lua
@@ -58,8 +58,12 @@ function newcontext(cfg)
    end
    -- Load the certificate
    if cfg.certificate then
-      succ, msg = context.loadcert(ctx, cfg.certificate)
-      if not succ then return nil, msg end
+     succ, msg = context.loadcert(ctx, cfg.certificate)
+     if not succ then return nil, msg end
+     if cfg.key and context.checkkey then
+       succ = context.checkkey(ctx)
+       if not succ then return nil, "private key does not match public key" end
+     end
    end
    -- Load the CA certificates
    if cfg.cafile or cfg.capath then