diff --git a/src/ssl.c b/src/ssl.c
index be021bad2..6b1ea17f5 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -42326,7 +42326,7 @@ err:
         /* If s is numerical value, try to sum oid */
         ret = EncodePolicyOID(out, &outSz, s, NULL);
-        if (ret == 0) {
+        if (ret == 0 && outSz > 0) {
             /* If numerical encode succeeded then just
              * create object from that because sums are
              * not unique and can cause confusion. */
@@ -42448,15 +42448,49 @@ err:
 #ifdef OPENSSL_EXTRA
-#ifndef NO_WOLFSSL_STUB
     int wolfSSL_X509_check_private_key(WOLFSSL_X509 *x509, WOLFSSL_EVP_PKEY *key)
     {
-        (void) x509;
-        (void) key;
-        WOLFSSL_ENTER("wolfSSL_X509_check_private_key");
-        WOLFSSL_STUB("X509_check_private_key");
+        DecodedCert dc;
+        byte* der;
+        int derSz;
+        int ret;
-        return WOLFSSL_SUCCESS;
+        WOLFSSL_ENTER("wolfSSL_X509_check_private_key");
+
+        if (!x509 || !key) {
+            WOLFSSL_MSG("Bad parameter");
+            return WOLFSSL_FAILURE;
+        }
+
+        der = (byte*)wolfSSL_X509_get_der(x509, &derSz);
+        if (der == NULL) {
+            WOLFSSL_MSG("wolfSSL_X509_get_der error");
+            return WOLFSSL_FAILURE;
+        }
+
+        InitDecodedCert(&dc, der, derSz, x509->heap);
+
+        if (ParseCertRelative(&dc, CERT_TYPE, NO_VERIFY, NULL) != 0) {
+            FreeDecodedCert(&dc);
+            return WOLFSSL_FAILURE;
+        }
+
+        der = (byte*)key->pkey.ptr;
+        derSz = key->pkey_sz;
+        ret = wc_CheckPrivateKey(der, derSz, &dc);
+        FreeDecodedCert(&dc);
+        return ret == 1 ? WOLFSSL_SUCCESS : WOLFSSL_FAILURE;
+    }
+
+#ifndef NO_WOLFSSL_STUB
+    WOLF_STACK_OF(WOLFSSL_X509_NAME) *wolfSSL_dup_CA_list(
+        WOLF_STACK_OF(WOLFSSL_X509_NAME) *sk)
+    {
+        (void) sk;
+        WOLFSSL_ENTER("wolfSSL_dup_CA_list");
+        WOLFSSL_STUB("SSL_dup_CA_list");
+
+        return NULL;
     }
 #endif
diff --git a/tests/api.c b/tests/api.c
index 0b0b40b9b..513a1a1ad 100644
--- a/tests/api.c
+++ b/tests/api.c
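Review bot: The added `outSz > 0` test makes a successful EncodePolicyOID call with zero output length fall through to the non-numeric branch, and nothing in the hunk says why a zero length is to be read as "s was not a dotted numeric OID"; a one-line comment on the condition would spare the next reader from re-deriving it, e.g. `/* outSz == 0: s was not a numeric OID, fall back to the sum lookup below */`. Whether EncodePolicyOID can actually return 0 with outSz == 0 for non-numeric input is not visible here, so the wording should be confirmed against its definition. The enclosing function starts and ends outside this hunk.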
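Review bot: `key->pkey.ptr` and `key->pkey_sz` are handed to wc_CheckPrivateKey without any check, so an EVP_PKEY whose DER buffer is NULL or empty reaches the key parser (the `!key` guard only covers the handle); unless wc_CheckPrivateKey validates its arguments, which is not visible here, add `if (key->pkey.ptr == NULL || key->pkey_sz <= 0) { WOLFSSL_MSG("Bad key"); return WOLFSSL_FAILURE; }` next to the existing parameter check, before InitDecodedCert, so the certificate is not parsed for nothing. Mapping every wc_CheckPrivateKey result other than 1 to WOLFSSL_FAILURE is the right contract for callers, but it folds parse errors into "mismatch"; a `WOLFSSL_MSG` on `ret < 0` would keep the two cases distinguishable in the log. ParseCertRelative is called with NO_VERIFY, which looks appropriate since only the subject public key is needed for the comparison, and a short comment saying so (`/* NO_VERIFY: only the public key is needed here */`) would preempt the obvious question from a security reviewer.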
@@ -25924,6 +25924,38 @@ static void test_wolfSSL_certs(void)
 #endif /* OPENSSL_EXTRA && !NO_CERTS */
 }
+static void test_wolfSSL_X509_check_private_key(void)
+{
+#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_RSA) && \
+    defined(USE_CERT_BUFFERS_2048)
+    X509* x509;
+    EVP_PKEY* pkey;
+    const byte* key;
+
+    printf(testingFmt, "wolfSSL_X509_check_private_key()");
+
+    /* Check with correct key */
+    AssertNotNull((x509 = X509_load_certificate_file(cliCertFile,
+        SSL_FILETYPE_PEM)));
+    key = client_key_der_2048;
+    AssertNotNull(d2i_PrivateKey(EVP_PKEY_RSA, &pkey,
+        &key, (long)sizeof_client_key_der_2048));
+    AssertIntEQ(X509_check_private_key(x509, pkey), 1);
+    EVP_PKEY_free(pkey);
+
+    /* Check with wrong key */
+    key = server_key_der_2048;
+    AssertNotNull(d2i_PrivateKey(EVP_PKEY_RSA, &pkey,
+        &key, (long)sizeof_server_key_der_2048));
+    AssertIntEQ(X509_check_private_key(x509, pkey), 0);
+    EVP_PKEY_free(pkey);
+
+
+    X509_free(x509);
+    printf(resultFmt, passed);
+#endif
+}
+
 static void test_wolfSSL_ASN1_TIME_print(void)
 {
@@ -39558,6 +39590,7 @@ void ApiTest(void)
     test_wolfSSL_X509_check_host();
     test_wolfSSL_DES();
     test_wolfSSL_certs();
+    test_wolfSSL_X509_check_private_key();
     test_wolfSSL_ASN1_TIME_print();
     test_wolfSSL_ASN1_UTCTIME_print();
     test_wolfSSL_ASN1_GENERALIZEDTIME_free();
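Review bot: `pkey` is declared uninitialized and passed as `&pkey` to d2i_PrivateKey, and after `EVP_PKEY_free(pkey)` the now-dangling pointer is passed again for the wrong-key case; if d2i_PrivateKey inspects `*out` the way the OpenSSL API it mirrors does, the first call reads an indeterminate pointer and the second reuses freed memory. Initialize with `EVP_PKEY* pkey = NULL;` and reset with `pkey = NULL;` after each `EVP_PKEY_free(pkey);`. The test also never exercises the bad-parameter path of the new implementation; `AssertIntEQ(X509_check_private_key(x509, NULL), 0);` and the mirror case with a NULL x509 would pin it. Only an RSA pair is covered; if wc_CheckPrivateKey dispatches on the certificate's key type, an ECC cert/key pair would be worth a case, but which buffers are available under this guard is not visible here.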