“Unable to configure RSA server private key” and “certificate routines:X509_check_private_key:key values mismatch” Errors


If you see one of these errors it usually means that the private key that is being loaded in the VirtualHost section of your .conf file doesn’t match the SSL Certificate being loaded in the same section.

To check if the two files match, run the following OpenSSL command on each of them:

openssl x509 -noout -modulus -in your_domain_com.crt | openssl md5
openssl rsa -noout -modulus -in your_domain_com.key | openssl md5

 

If the modulus of the two files doesn’t match exactly, do one of the following:

  1. Find the .key file matching your .crt file and update the VirtualHost in your .conf file to match.
  2. Reissue your certificate by either generating two new files with the OpenSSL CSR Wizard or by creating a new CSR from your existing private key file using the following command.

    Note that the existing private key must be at least 2048 bits. If the key is less than 2048 bits you will have to recreate the key.

openssl req -new -key your_domain_com.key -out your_domain_com.csr
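
A scripted version of the match check and the 2048-bit rule above, as an added example that is not part of the original page. It compares the full public key (`openssl x509 -pubkey` against `openssl pkey -pubout`) instead of an MD5 of the modulus; the function names and file names are assumptions, and RSA keys in PEM files are assumed.

```shell
#!/bin/sh
# Added example, not from the original page. File names are placeholders.

# Return 0 if the certificate ($1) and private key ($2) share one public key,
# 1 if they differ, 2 if either file cannot be parsed.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Print the size of an RSA private key in bits (empty output if unreadable).
key_bits() {
    openssl pkey -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# Report on a pair before it goes into the VirtualHost or is reused for a CSR.
# Returns 0 only when the pair matches and the key is at least 2048 bits.
check_pair() {
    rc=0
    cert_key_match "$1" "$2" || rc=$?
    case $rc in
        0) echo "match: $2 belongs to $1" ;;
        1) echo "mismatch: $2 is not the key for $1" >&2; return 1 ;;
        *) echo "error: could not read $1 or $2" >&2; return 2 ;;
    esac
    bits=$(key_bits "$2")
    if [ "${bits:-0}" -lt 2048 ]; then
        echo "key is ${bits:-unknown} bits: create a new key before the CSR" >&2
        return 3
    fi
    echo "key size: $bits bits"
}

# Usage: sh check_pair.sh your_domain_com.crt your_domain_com.key
if [ "$#" -eq 2 ]; then
    check_pair "$1" "$2"
fi
```

A failed parse returns 2 rather than being treated as a match, so two unreadable files never compare as equal.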

 

SSL cert on Verio servers

(Apache v2.X)

  1. Download the appropriate GlobalSign root certificate and save it in a text editor as “gs_root.pem.” Only the ExtendedSSL certificate uses the GlobalSign root CA R2 certificate.
  2. Download the appropriate intermediate certificate(s) and save it in a text editor as “intermediate.pem”.
  3. Copy your SSL certificate from the order fulfillment e-mail or log into your GlobalSign Certificate Center account and download it. Paste it into a text editor. Save the file as “mydomain.crt.”
  4. Copy “mydomain.crt” and “intermediate.pem” to the directory in which you plan to store your certificates.
  5. Open your “httpd.conf” file with a text editor. Please note that some installations keep the SSL section separately in the “ssl.conf” file. Locate the virtual host section for the site that the SSL certificate will secure. Your virtual host section will need to contain the following directives:
    • SSLCACertificateFile – This will need to point to the appropriate GlobalSign root CA certificate.
    • SSLCertificateChainFile – This will need to point to the appropriate intermediate root CA certificates you previously created in Step 1 above.
    • SSLCertificateFile – This will need to point to the end entity certificate. This is the certificate you have called “mydomain.crt.”
    • SSLCertificateKeyFile – This will need to point to the private key file associated with your certificate.
  6. Save the changes to the file. Quit the text editor.
  7. Restart Apache.

(creating CSR)

  1. Make sure OpenSSL is installed and in your PATH.
  2. Create an RSA private key for your Apache server (will be Triple-DES encrypted and PEM formatted):

    $ openssl genrsa -des3 -out server.key 2048

    Please back up this server.key file and the pass-phrase you entered in a secure location. You can see the details of this RSA private key by using the command:

    $ openssl rsa -noout -text -in server.key

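    Unless you want to enter the password each time you start Apache, you will need a decrypted PEM version for later. This copy is no longer protected by the pass-phrase, so restrict its file permissions so that only root can read it: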

    $ openssl rsa -in server.key -out server.key.unsecure

  3. Create a Certificate Signing Request (CSR) with the server RSA private key (output will be PEM formatted):

    $ openssl req -new -key server.key -out server.csr

Warning: the CA certificate does not sign the certificate.

When installing an SSL certificate in Parallels Panel (Plesk) along with an intermediate certificate, you receive the error message:

Warning: the CA certificate does not sign the certificate.

Generally it is safe to ignore this error. It is just Parallels Panel not being able to follow the complete CA root path. However, I have found that if you append the intermediate certificate to the CA certificate (instead of putting it in the intermediate certificate box), you do not get the error.

Here is the intermediate and root DomainSSL cert for GlobalSign:
