Ask a Question

Advanced Search

Solution ID : SO322

Last Modified : 05/02/2018

Check which SSL Certificate matches which Private Key for Apache-SSL


Check which certificate matches which private key
Check which key matches which certificate
Check modulus
Compare modulus

Error Message


"OpenSSL:error:0B080074:x509 certificate routines:x509_check_private_key:key values mismatch"

"Unable to configure RSA server private key"

"mod_ssl: Init: ( Unable to configure RSA server private key (OpenSSL library error follows)"


**PLEASE NOTE:  This solution is intended as a quick guide to match your public and private key; however, these procedures are only to be used as a modulus check.
You need to use the matching key and certificate files to confirm that you use the correct files in your server.
NoteUsing incorrect files will not allow to start the Apache server. Check the server logs for errors described above.
To check that the public key in your certificate matches the public portion of your private key, view both files, and compare the modulus values.
To compare the modulus of your key pair with this command:
echo "--Certificate:" && openssl x509 -noout -modulus -in certificate_file && echo "--Key:" && openssl rsa -noout -modulus -in private_key
Note: Execute the command on Linux terminal or Windows command prompt. OpenSSL full version or OpenSSL Light are required.
Where certificate_file is the path to the SSL Certificate file and private_key is the path to the Private Key file.
The command may require the Private Key password. 
  • Verify that the command has the correct path to the correct certificate_file and private_key and files.
  • Verify that you have downloaded the correct SSL Certificate:
openssl x509 -subject -dates -serial -noout -in certificate_file


Note: Where certificate_file is the path to the SSL Certificate file.
In the Subject find the section CN= that displays the Common Name. Sections: notBefore and notAfter display the validity period of your certificate.
You can access your account and download the correct certificate if necessary:
Retail clients: SO13187
Enterprise clients: SO12914

Reseller clients: SO17717

  • Search for all Private Keys on your Apache server directories and run the command testing againts the correct SSL Certificate.
    Important: If unable to find the correct Private Key, the certificate will need to be replaced.


How to replace an SSL Certificate

To replace (reissue) your certificate, select the correct channel where you ordered the certificate:


Troubleshooting 2: when the modulus are correct

  • You should also check that server configuration file to make sure that the directives are pointing to the correct private key and certificate (check the path to files)
  • Check if you have an httpd.conf and ssl.conf file or any other customized configuration file, make sure that the directives are correct.


Troubleshooting 3: other error messages

"unable to load certificate": the "openssl x509" command is pointing to an incorrect certificate_file format (ie. pointing to a Private Key or CSR file) or malformatted certificate file.

"unable to load Private Key": the "openssl rsa" command is pointing to an incorrect private_key file format (ie. pointing to a SSL Certificate, Intermediate Certificate or CSR file), malformatted Private Key file or incorrect Private Key password.

Note: Also verify that the files are saved in a plain text editor (Notepad, Vi) and that it has no trailing spaces.