diff --git a/certbot/crypto_util.py b/certbot/crypto_util.py
index e22effeb7..2c9dad8bf 100644
--- a/certbot/crypto_util.py
+++ b/certbot/crypto_util.py
@@ -214,7 +214,7 @@ def verify_renewable_cert(renewable_cert):
 """
 verify_renewable_cert_sig(renewable_cert)
 verify_fullchain(renewable_cert)
- verify_cert_matches_priv_key(renewable_cert)
+ verify_cert_matches_priv_key(renewable_cert.cert, renewable_cert.privkey)
 def verify_renewable_cert_sig(renewable_cert):
@@ -238,17 +238,18 @@ def verify_renewable_cert_sig(renewable_cert):
 raise errors.Error(error_str)
-def verify_cert_matches_priv_key(renewable_cert):
+def verify_cert_matches_priv_key(cert_path, key_path):
 """ Verifies that the private key and cert match.
- :param `.storage.RenewableCert` renewable_cert: cert to verify
+ :param str cert_path: path to a cert in PEM format
+ :param str key_path: path to a private key file
 :raises errors.Error: If they don't match.
 """
 try:
- with open(renewable_cert.cert) as cert:
+ with open(cert_path) as cert:
 cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, cert.read())
- with open(renewable_cert.privkey) as privkey:
+ with open(key_path) as privkey:
 privkey = OpenSSL.crypto.load_privatekey(OpenSSL.crypto.FILETYPE_PEM, privkey.read())
 context = OpenSSL.SSL.Context(OpenSSL.SSL.SSLv23_METHOD)
 context.use_privatekey(privkey)
@@ -257,8 +258,8 @@ def verify_cert_matches_priv_key(renewable_cert):
 except (IOError, OpenSSL.SSL.Error) as e:
 error_str = "verifying the cert located at {0} matches the \
 private key located at {1} has failed. \
- Details: {2}".format(renewable_cert.cert,
- renewable_cert.privkey, e)
+ Details: {2}".format(cert_path,
+ key_path, e)
 logger.exception(error_str)
 raise errors.Error(error_str)
diff --git a/certbot/main.py b/certbot/main.py
index f7421d75e..c055b9ba9 100644
--- a/certbot/main.py
+++ b/certbot/main.py
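Review bot: The new docstring line `:param str key_path: path to a private key file` under-specifies the accepted format, while the body a few lines lower calls `OpenSSL.crypto.load_privatekey(OpenSSL.crypto.FILETYPE_PEM, ...)` and will reject anything that is not PEM. Make it parallel to the cert line: `:param str key_path: path to a private key in PEM format`. The function body continues past the end of this hunk.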
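Review bot: The `except (IOError, OpenSSL.SSL.Error) as e:` tuple on the first line of this hunk does not cover `OpenSSL.crypto.Error`, which `OpenSSL.crypto.load_certificate` and `load_privatekey` (previous hunk) raise on a malformed PEM file and which is a separate class from `OpenSSL.SSL.Error`; now that the function is also called with caller-supplied paths from `revoke` in main.py, a bad file escapes as a raw pyOpenSSL traceback instead of the wrapped `errors.Error` the docstring promises. Widen it to `except (IOError, OpenSSL.SSL.Error, OpenSSL.crypto.Error) as e:`. The lines between this hunk and the previous one are not shown, so whether any other call in the body raises something else is inferred from the existing handler only.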
@@ -562,6 +562,7 @@ def revoke(config, unused_plugins): # TODO: coop with renewal config
 if config.key_path is not None: # revocation by cert key
 logger.debug("Revoking %s using cert key %s", config.cert_path[0], config.key_path[0])
+ crypto_util.verify_cert_matches_priv_key(config.cert_path[0], config.key_path[1])
 key = jose.JWK.load(config.key_path[1])
 else: # revocation by account key
 logger.debug("Revoking %s using Account Key", config.cert_path[0])
diff --git a/certbot/tests/crypto_util_test.py b/certbot/tests/crypto_util_test.py
index 729b09dc1..cb9077208 100644
--- a/certbot/tests/crypto_util_test.py
+++ b/certbot/tests/crypto_util_test.py
@@ -252,7 +252,7 @@ class VerifyCertMatchesPrivKeyTest(VerifyCertSetup):
 def _call(self, renewable_cert):
 from certbot.crypto_util import verify_cert_matches_priv_key
- return verify_cert_matches_priv_key(renewable_cert)
+ return verify_cert_matches_priv_key(renewable_cert.cert, renewable_cert.privkey)
 def test_cert_priv_key_match(self):
 self.assertEqual(None, self._call(self.renewable_cert))
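Review bot: The added call passes `config.key_path[1]` where `verify_cert_matches_priv_key` expects a filesystem path it can `open()`, while the adjacent lines treat index `[0]` as the filename (`logger.debug(..., config.key_path[0])`) and index `[1]` as the already-read key contents (`jose.JWK.load(config.key_path[1])`). If that is what the argument type yields, every revoke-by-key will fail with the wrapped IOError rather than a real mismatch, and because the handler in crypto_util formats `key_path` into `error_str` and passes it to `logger.exception`, the private key material itself would be written to the log. Change it to `crypto_util.verify_cert_matches_priv_key(config.cert_path[0], config.key_path[0])`, consistent with the debug line above. `revoke` continues outside the hunk.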