How to verify if an SSL certificate matches its private key

ssl-certificates

Applicable For Following Parallels Plesk Panel:

* Plesk Panel 11. x for Linux
* Plesk Panel 10. x for Linux
* Plesk Panel 9. x for Linux/Unix

Warning Signs

If you try to upload an SSL certificate in the Plesk control panel and get the following error message:

ERROR message: Unable to set the certificate: Incompatible private key/certificate pair.

Same problem when using .txt format.

Reason
The issue may be caused by the fact that private key and the SSL certificate do not match.

Problem-Solving

To figure out this problem, you need to evaluate the modulus part of the private key and the SSL certificate.

Copy the private key content of your domain name into file (e.g. abc.com) and check its modulus part:

For Example:

# openssl rsa -text -noout -in abc.com -modulus | grep Modulus=
Modulus=A6ACD1BCD71FBAD9499D95B9F341F65980BFE13D5189CE9629642F7211E7F8C5CD42394A6F0047A51E4451647E367E36B69D8A42F62B995532F63311
A89C120AAB7D5A92D016870622D85E675A5C3D7160F820F87D5717C157D4324SDF2D39DB5E2SFSCF848D72C5C6805D604C830995FEBAAE01C058EE88F57E108034B4A
C7F2BB97DB20A8D6480B422171C6E2E7550740A9A436B2FBD8EF660E80CE1808CEEBC0B7CC55E6625EA44D94600AC4EC31AF89F81A8E9870E4F760B723
8A91DBFDC0805BE05B32D8CF59C0BBEA82850B0FF635DFE8CF63683C3CDAAF7F4484A97D06450760677AD5B7EEA5EEEED922D0F367FE9C43F5636A63
5DACB977FE250C42A1F348D85BCEEDDSFEFA343

Now you need to check the modulus part of the certificate:

# openssl x509 -text -noout -in abc.com.crt -modulus | grep Modulus=
Modulus=C55B529210F59C810097B854BA3816627DE68D903B85336F92E1E278B0DF31F01944FEFB7A0E7EA39D830559CBF1C40923F826FFE77C97896067F223
31C5A12392C39EDE43B68BF1A68075EB238DFAD3423431123AFBF33f3DF9D1123008B52EA7C08D10D2318F32258BDD12B207F3CDB1D062765E8732DF82547245574A041ED7
E49AFE828E73C3D42C614AC44475D880E4103181A4FAA3F3EA584CAD8A68707C311B93D0F5DFEF6D40106BEBEA4B14FB1B9C4ED8E91B1A12BBBD879B
50689DCDFD294AC12526E2276EF63E79C114CCD7825262F2DE9BFD3642AA579725B23AAAD48F1A9E16C389BBB7E08C0F193CAEA244D107742831E3C1
6B6E84F4447D70F2300DCE67352B4B7B323SDFS

If the modulus parts do not match, then the issue is caused by the certificate itself. That means it has to be re-issued.

Solution

 

You need to contact CA ( Certificate Authority ) that issued the certificate with the same CSR (SSL Certificate Signing Request) for a new certificate.

About Paul Lopez

Paul Lopez, a technology writer and sales & marketing executive at bodHOST.com, a cloud & dedicated server hosting company based in New Jersey.
This entry was posted in FAQs and tagged . Bookmark the permalink.