SSL issue: The private key did not match the public key provided
Question 1
See my comment
Question 2
The first command (openssl rsa) removes the encryption from the keyfile (if there was one). This is necessary, because webservers usually use an unencrypted keyfile.
The only thing the second command (openssl x509) might do is change the PEM header, but it is probably not needed that way. If you used -inform der on the command it would convert a binary certificate to a PEM (base64+header) encoded one.
The -outform PEM and -inform PEM switches of your commands are useless, by the way, as this is the default behaviour of openssl.
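The check from the question, run end to end as an added example (my script, not the answerer's or the asker's): it generates a throwaway key and self-signed certificate, compares the modulus hashes exactly as the question does, and then goes one step beyond the page by comparing the whole public key (the SubjectPublicKeyInfo), which also catches a different exponent or key type. It also performs the DER round trip the answer mentions, so you can see that -inform der is the case where openssl x509 converts something. The helper names, the subject /CN=example.test, and the temporary file names are my own choices; a real check would point the two functions at your my-private-key.pem and my-site.crt.

```shell
#!/bin/sh
# Added example (not from the answer or the asker): check that an RSA private
# key and an X.509 certificate belong together, first by comparing modulus
# hashes as the question does, then by comparing the full public key, which
# also catches a different exponent or key type. Runs on a throwaway key and
# self-signed certificate generated below; nothing here touches real files.
set -eu

# Skip quietly rather than report a mismatch when openssl is not installed.
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# modulus_hash FILE: MD5 of the RSA modulus, reading either a private key or
# a certificate (the PEM header says which openssl subcommand applies).
modulus_hash() {
    if grep -q 'BEGIN CERTIFICATE' "$1"; then
        openssl x509 -noout -modulus -in "$1" | openssl md5
    else
        openssl rsa -noout -modulus -in "$1" | openssl md5
    fi
}

# pubkey_hash FILE: SHA-256 of the public key in PEM form, extracted from the
# certificate (-pubkey) or derived from the private key (-pubout).
pubkey_hash() {
    if grep -q 'BEGIN CERTIFICATE' "$1"; then
        openssl x509 -noout -pubkey -in "$1" | openssl sha256
    else
        openssl pkey -pubout -in "$1" | openssl sha256
    fi
}

# key_matches_cert KEY CERT: true when the moduli agree (the question's check).
key_matches_cert() {
    [ "$(modulus_hash "$1")" = "$(modulus_hash "$2")" ]
}

# pubkey_matches_cert KEY CERT: true when the complete public keys agree.
pubkey_matches_cert() {
    [ "$(pubkey_hash "$1")" = "$(pubkey_hash "$2")" ]
}

# Constructed test material: one key with its self-signed certificate, and a
# second, unrelated key standing in for a CSR signed from the wrong key.
KEY1="$WORK/key1.pem"; CERT1="$WORK/cert1.pem"; KEY2="$WORK/key2.pem"
openssl genrsa -out "$KEY1" 2048 2>/dev/null
openssl req -new -x509 -key "$KEY1" -subj '/CN=example.test' -days 1 -out "$CERT1" 2>/dev/null
openssl genrsa -out "$KEY2" 2048 2>/dev/null

# The DER round trip from the answer: -inform der is where openssl x509 really
# converts something; PEM in, PEM out leaves the certificate unchanged.
CERT1_DER="$WORK/cert1.der"; CERT1_FROM_DER="$WORK/cert1-from-der.pem"
openssl x509 -in "$CERT1" -outform der -out "$CERT1_DER"
openssl x509 -inform der -in "$CERT1_DER" -out "$CERT1_FROM_DER"

for pair in "$KEY1 $CERT1" "$KEY2 $CERT1" "$KEY1 $CERT1_FROM_DER"; do
    set -- $pair
    if key_matches_cert "$1" "$2"; then
        echo "match:    $(basename "$1") / $(basename "$2")"
    else
        echo "MISMATCH: $(basename "$1") / $(basename "$2")"
    fi
done
```

The prefix that openssl md5 prints ("(stdin)=" or "MD5(stdin)=") varies between OpenSSL versions, but it is the same for both commands within one run, so comparing the two full lines is safe. When the key and the issued certificate disagree, running the same modulus check against the CSR (openssl req -noout -modulus -in csr.pem) tells you whether the mismatch was already present in what you submitted or only appeared in what the CA returned.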
nsof, updated on September 18, 2022
Comments
-
nsof over 1 year
I followed the instructions outlined here by Amazon.
A quick summary:
Created a private key
openssl genrsa -out my-private-key.pem 2048
Created a CSR
openssl req -sha256 -new -key my-private-key.pem -out csr.pem
Got a zip from the CA (Comodo in my case) which included
- my-site.crt
- three files representing the certificate chain.
Question 1: Running the following two commands to verify the certificate matches the private key I get different MD5 codes
openssl rsa -noout -modulus -in my-private-key.pem | openssl md5
openssl x509 -noout -modulus -in my-site.crt | openssl md5
I.e. the keys do not match. Any idea why?
Question 2: In many places I noticed that documentation asks to convert the key file to a pem file using the following command
openssl rsa -in my-private-key.pem -outform PEM > aws.private.pem
However the output file is exactly the same as the input. So why do it?
Same for the crt file I got from the CA
openssl x509 -inform PEM -in my-site.crt > aws.public.pem
Again the output file is exactly the same as the input only with different extension.
Are/Why are these two steps necessary?
Thanks
-
Julian Knight almost 9 years
This question may be a little too specialist for this forum. You may have better luck on either Information Security or Stack Overflow.
-
zakjan almost 9 years
1) This is weird, they should match. 2) If the input file and the output format are the same (PEM in your case, another option is DER), I don't see any reason for this. Maybe those guides want to ensure that the file is valid, thus contains only one entry of the desired type.
-
jww almost 9 years
@nsof - please state where you are getting the error message "The private key did not match the public key provided", and what you did to get into that state.
-
nsof almost 9 years
@jww - when trying to upload to an Amazon Load Balancer. The problem is not related to them but rather to the fact that the MD5 codes are different. I have taken this up with the Certificate Authority (Comodo in my case). Perhaps something related to how I issued the CSR or something on their end.
-
Julian Knight almost 9 years
@jww - I probably should have said serverfault rather than SO. SU is a site for "computer enthusiasts and power users" so openssl is not off topic which is why I didn't vote to close but the detailed & specific nature of the question means that better help is likely to be available elsewhere.
-
jww almost 9 years
@nsof - Ah, OK. I seem to recall something about line endings. Also see the following on Stack Overflow: "Public key certificate and private key doesn't match" when using Godaddy issued certificate. That's an old question, and SO fielded it because the rules were different back then. The rules are somewhat different now, and we have to move to close them.
-
mat over 7 years
Ad question 1: Have you checked if both openssl commands return without error? Are both files really PEM encoded? Are the public keys different if you run openssl x509 and openssl rsa with a -text switch?