How to Tell if a TLS Cert and Key Match

I've lost track how many times someone has come wandering up to me with a bunch of private keys and a cert and thrown it all at me saying “I dunno which key was used!”. The slow way to figure that out is to put them into your web server config and see if it starts. The easier way is to use openssl. Assuming the certificate is in $CERTFILE and the key is in $KEYFILE, these two openssl commands will extract the modulus out of each:
$ openssl x509 -noout -modulus -in $CERTFILE | openssl md5

$ openssl rsa -noout -modulus -in $KEYFILE | openssl md5
If the moduluses (moduli?) match, then you can be pretty sure that is the key that goes with this cert.