1) Commands to verify a server private key matches the certificate:
openssl x509 -noout -modulus -in <certificateFile> | openssl md5
openssl rsa -noout -modulus -in <server privateKey> | openssl md5
The resulting numbers must match. If not they do not belong to each other.
2) You can also verify a certificate signing request matches the certificate and/or private key:
openssl req -noout -modulus -in <certificateSigningRequestFile> | openssl md5
The resulting number would need to match the output(s) in step 1)