howtouselinux

Fix routines:X509_check_private_key:key values mismatch in 2 Ways

Table of Contents

For SSL key values mismatch issue, it means the private key file does not match the certificate. There are two main reasons.

  • key values mismatch in private key, CSR, and certificate file.
  • certificate chain order is not correct

Error message:

Cannot load SSL private key file. Error: error: 0B080074:x509 certificate

routines:X509_check_private_key:key values mismatch.

 

What is SSL certificate

Server certificates are the most popular type of X.509 certificate. SSL/TLS certificates are issued to hostnames (machine names like ‘ABC-SERVER-02’ or domain names like google.com).

A server certificate is a file installed on a website’s origin server. It’s simply a data file containing the public key and the identity of the website owner, along with other information. Without a server certificate, a website’s traffic can’t be encrypted with TLS.

Technically, any website owner can create their own server certificate, and such certificates are called self-signed certificates. However, browsers do not consider self-signed certificates to be as trustworthy as SSL certificates issued by a certificate authority.

Using Openssl to check SSL certificates

How to get a SSL server Certificate

  • generate a key pair
  • use this key pair to generate a certificate signing request (CSR) that contains the public key and domain name of our website
  • upload the request to a certificate authority
  • download the certificate and install it on our web server along with the key pair

Verifying Our Keys Match

To verify the public and private keys match, extract the public key from CSR, certificate, Key file and generate a hash output for it.

All three files should share the same public key and the same hash value.

Before we run the verification command:

  • Make sure our CSR, certificate, and Key are PEM format. If not then convert them using openssl command
  • Check hash of the public key to ensure that it matches with what is in a private key

Use the following commands to generate a hash of each file’s public key:

  • openssl pkey -pubout -in private.key | openssl sha256
  • openssl req -pubkey -in request.csr -noout | openssl sha256
  • openssl x509 -pubkey -in certificate.crt -noout | openssl sha256

Each command will output (stdin)= followed by a string of characters. If the output of each command matches, then the keys for each file are the same.

If we run into a key mismatch error, we need to do one of the following:

  • Transfer the private key from the machine used to generate the CSR to the one we are trying to install the certificate on.
  • Install the certificate on the machine with the private key.
  • Generate an entirely new key and create a new CSR on the machine that will use the certificate.

Check the certificate order

If the server certificate and the bundle have been concatenated in the wrong order, we also get this key values mismatch error.

In this case, we need to put the server certificate on top of the certificate file.

Before (which is wrong) :

cat ca_bundle.crt server_certificate.crt > bundle_chained.crt

After (which is right)

cat server_certificate.crt ca_bundle.crt > bundle_chained.crt

 

Check SSL Certificate Chain with OpenSSL Examples

The working certificate bundle file should look like below.

  • server certificate
  • intermediate certificate1
  • intermediate certificate2 if we have

—–BEGIN server CERTIFICATE—–
MIICC-this-is-the-certificate-that-signed-your-request
-this-is-the-certificate-that-signed-your-request-this
-is-the-certificate-that-signed-your-request-this-is-t
he-certificate-that-signed-your-request-this-is-the-ce
rtificate-that-signed-your-request-A
—–END  server CERTIFICATE—–
—–BEGIN intermediate CERTIFICATE—–
MIICC-this-is-the-certificate-that-signed-for-that-one
-this-is-the-certificate-that-signed-for-that-one-this
-is-the-certificate-that-signed-for-that-one-this-is-t
he-certificate-that-signed-for-that-one-this-is-the-ce
rtificate-that-signed-for-that-one-this-is-the-certifi
cate-that-signed-for-that-one-AA
—–END intermediate CERTIFICATE—–

Share on facebook
Facebook
Share on twitter
Twitter
Share on linkedin
LinkedIn

If you meet any issues with Linux, record them with Loom and send the link to us here. We will reply ASAP.

Load WordPress Sites in as fast as 37ms!