I have a .key file, when I do
openssl rsa -text -in file.key
Also I have a .cer file and when I do
openssl x509 -text -in file.cer
But if, as pointed out here, I run the command like:
openssl x509 -text -inform DER -in file.cer
But that doesn’t seem to work with the key, because when I run
openssl rsa -text -inform DER -in aaa010101aaa__csd_10.key
How can I get the private key and its certificate?
It looks like you have a certificate in DER format instead of PEM. This is why it works correctly when you provide the -inform PEM command line argument (which tells openssl what input format to expect).
It’s likely that your private key is using the same encoding. It looks as if the openssl rsa command also accepts a -inform argument, so try:
A PEM encoded file is a plain-text encoding that looks something like:
While DER is a binary encoding format.
Sometimes keys are distributed in PKCS#8 format (which can be either PEM or DER encoded). Try this and see what you get:
When installing a certificate on Apache web server, you might receive an error “SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch” during restart of Apache service.
Most often, this error appears if you are using an incorrect private key along with the certificate you received from the Certificate Authority. In order for Apache to accept the certificate, it should be used with the private key generated along with the CSR code submitted for the certificate activation.
You can check whether the certificate matches the private key using the following openssl commands:
openssl x509 -in /path/to/certificate.crt -noout -modulus | openssl sha1
openssl rsa -in /path/to/private.key -noout -modulus | openssl sha1
The first command is applied to the certificate file, which you received from the Certificate Authority. The second one is for the private key.
Note: Make sure you indicate the correct path to the certificate and key files. You can use either a relative or an absolute path. Alternatively, you can check sha256 or md5 moduli of the key and certificate pair, replacing the hash function at the end of the command.
If the outputs of the commands differ (like in the screenshot above), this means that the chosen private key does not match the certificate.
You may also check whether the certificate matches the private key using this online tool. Copy the contents of the certificate and key files to the corresponding fields in the form and click “Match”. The site will show whether or not the certificate can be installed with the provided private key.
You will need to find another private key file on the server. The command below may help you:
This command will find all files on the server with .key extensions. Make sure you are logged in as root user, otherwise you may need to add sudo in front of the command.
Once the keys are found, check their moduli using the openssl rsa command listed above to locate one that matches.
If a private key with a modulus matching the certificate cannot be found, a new CSR code will need to be generated and the certificate reissued. Refer to these instructions on how to generate a new CSR code on your server and reissue the certificate.
One more possible cause of the error concerns Apache starting from version 2.4.8. The SSLCertificateChainFile directive became obsolete with version 2.4.8, when SSLCertificateFile was extended to also load intermediate CA certificates from the server certificate file. It allows the certificate file to contain the certificate as well as intermediate certificates. It is important that the end-entity certificate issued for a domain is placed as the first certificate in this file, while intermediate certificates should be placed lower, starting from the one that signs the end-entity certificate. Otherwise, you may also receive the key values mismatch error.
No certificate matches private key
I’m trying to create an SSL certificate for a Cisco Wireless LAN controller and keep getting the error “No certificate matches private key”.
These are the steps I have taken:
1. Generate the private key and CSR with the command openssl req -newkey rsa:2048 -subj "/C=XX/O=XX/OU=XX/OU=XX/OU=XX/CN=mydevice" -keyout mykey.pem -out req.pem -nodes -config openssl.cnf
2. Sent the req.pem file in an email to the CA. The body of the email gave region, org, device serial, contact info, etc.
3. The CA returned device.P7b, intermediate.P7b, and root.P7b certificate files
4. Using a text editor I opened the received cert files and copied all of their contents into a single All-certs.pem file. They were placed in the proper device/intermediate/root order with the correct delimiters around them.
5. Both All-certs.pem and mykey.pem files are located in the bin folder with the openSSL executable
6. I executed the command pkcs12 -export -in All-certs.pem -inkey mykey.pem -out All-certs.p12 –clcerts
7. I receive the error “No certificate matches private key”
I know that openSSL is seeing the files because I get "no such file or directory" errors when they are not in the bin folder.
I have also verified the files are a matching set by comparing their hashes with the following commands:
x509 -noout -modulus -in All-certs.pem | openssl md5
rsa -noout -modulus -in mykey.pem | openssl md5
A small team of us have been beating our heads over this for about a week so any assistance is greatly appreciated.
Wireless Communications Engineer
Enterprise Network Engineering
Harris IT Services
298 Seavy Street, Portsmouth, NH 03804
RE: No certificate matches private key
>From: [hidden email] On Behalf Of Goulet, Brian
>Sent: Friday, 25 January, 2013 15:53
>I’m trying to create an SSL certificate for
>and keep getting the error "No certificate matches private key".
>These are the steps I have taken:
>1. Generate the private key and CSR with the command
>openssl req -newkey rsa:2048 -subj
>-keyout mykey.pem -out req.pem -nodes -config openssl.cnf
>2. Sent the req.pem file in an email to the CA. The body
>of the email gave region, org, device serial, contact info, etc.
>3. The CA returned device.P7b, intermediate.P7b, and root.P7b
>4. Using a text editor I opened the received cert files and
>copied all of their contents into a single All-certs.pem file.
>They were place in the proper device/intermediate/root order with
>the correct delimiters around them.
correct means dashes BEGIN/END CERTIFICATE, NOT BEGIN/END PKCS7 ?
It is confusing for the CA to give you files named *.p7b which are
actually cert and not PKCS7, a related but different structure,
when the main point of the p7b structure is that you can transmit
the whole chain in a single file/PDU; but as long as the contents
are actually the certs that’s good, and if the x509 operation below
reads without error at least one must be (a cert).
And all the delimiter lines are complete lines, right? With some
editors especially on Windows that’s easy to get wrong.
>5. Both All-certs.pem and mykey.pem files are located in
>the bin folder with the openSSL executable
>6. I executed the command pkcs12 -export -in All-certs.pem
>-inkey mykey.pem -out All-certs.p12 -clcerts
*command* pkcs12 not program openssl with *argument* pkcs12 ?
Did you (or someone) nonstandardly build the commandline aka
utility operations, in the apps directory, as "not MONOLITH"?
Above you said "the openSSL executable" as if there is only one.
Or do you have an alias or script or somesuch named pkcs12 that
actually runs program openssl with argument pkcs12?
-clcerts only affects pkcs12 import, it is ignored for export.
Personally I wouldn’t name that output file All-certs.p12,
but that’s just taste not an error.
>7. I receive the error "No certificate matches private key"
>I know that openSSL is seeing the files because I get "no such file
>or directory errors" when they are not in the bin folder
>I have also verified the files are a matching set by comparing their
>hashes with the following commands
>x509 -noout -modulus -in All-certs.pem | openssl md5
>rsa -noout -modulus -in mykey.pem | openssl md5
Again command x509 or rsa, not program openssl with that argument?
But substantively you’re right; the sequence you did should work.
I would check a little more completely:
openssl rsa -in mykey.pem -pubout -out temp1
openssl req -in req.pem -noout -pubkey -out temp2
openssl x509 -in All-certs.pem -noout -pubkey -out temp3
# or -in device.p7b which apparently isn’t truly p7b
*the whole* of temp1,2,3 should be identical.
Assuming they match, I don’t see any choice better than debugging
in EVP_PKEY_cmp, and below, to see what’s going wrong.
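The modulus comparison from the Apache answer earlier on this page and the "temp1,2,3 should be identical" check in the reply above both boil down to the same test, which the following added script (not from any post in this thread) automates: it works out whether each input is PEM or DER, extracts the public key from the certificate and from the private key with openssl, and compares the two. It assumes the openssl command-line tool is on PATH; the file names are whatever you pass in.

```shell
#!/bin/sh
# Added example, not from any post in this thread. Requires the openssl
# command-line tool; file names passed in are whatever you have on disk.

# Guess the encoding openssl's -inform needs: PEM files carry a
# "-----BEGIN ..." marker, anything else is treated as DER.
inform_of() {
    if grep -q -- '-----BEGIN' "$1" 2>/dev/null; then
        echo PEM
    else
        echo DER
    fi
}

# Print the SubjectPublicKeyInfo (PEM) held in a certificate ("cert") or
# derived from a private key ("key"). `openssl pkey` reads traditional
# RSA keys, PKCS#8 keys and EC keys alike, so no -rsa/-ec switch is needed.
# An encrypted private key prompts for its passphrase on the terminal.
pubkey_of() {
    case $1 in
        cert) openssl x509 -in "$2" -inform "$(inform_of "$2")" -noout -pubkey ;;
        key)  openssl pkey -in "$2" -inform "$(inform_of "$2")" -pubout ;;
        *)    return 2 ;;
    esac
}

# Return 0 when the certificate's public key is byte-for-byte the one the
# private key yields, 1 when they differ, 2 when either file is unreadable.
# Comparing whole public keys (as the reply above suggests) is stricter
# than comparing moduli: it also covers the exponent and non-RSA keys.
keypair_matches() {
    c=$(pubkey_of cert "$1") || return 2
    k=$(pubkey_of key "$2") || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Usage: keypair_matches server.crt server.key && echo match || echo mismatch
```

A result of 2 (rather than 1) tells you the file could not be parsed at all, which is the situation in the first question on this page, where the key was not in the encoding openssl expected; a 1 is the Apache "key values mismatch" case.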