Error: "OpenSSL:error:0B080074:x509 certificate routines:x509_check_private_key:key values mismatch"

Error Message

Error:

"OpenSSL:error:0B080074:x509 certificate routines:x509_check_private_key:key values mismatch"

"Unable to configure RSA server private key"

"mod_ssl: Init: (www.thawte.com:443) Unable to configure RSA server private key (OpenSSL library error follows)"

Cause

This error message occurs when the certificate or the private key used during installation is incorrect, so the two do not form a matching key pair.

Solution

PLEASE NOTE: This solution is intended as a quick guide to matching your public and private key; these procedures are to be used only as a modulus check.

Use the matching key and certificate files to confirm that the correct files are installed on your server.
Note: Using incorrect files will prevent the Apache server from starting. Check the server logs for the errors described above.
 
To check that the public key in your certificate matches the public portion of your private key, view both files, and compare the modulus values.
 
To compare the modulus of your key pair:
 
echo "--Certificate:" && openssl x509 -noout -modulus -in certificate_file && echo "--Key:" && openssl rsa -noout -modulus -in private_key
 
Where certificate_file is the path to the SSL Certificate file and private_key is the path to the Private Key file.
The modulus of the SSL Certificate and the modulus of the Private Key must match exactly to indicate that they are the correct key pair.
 
Note: The command may require the Private Key password. The full version of OpenSSL or OpenSSL Light is required.
 
When the moduli are different:
  • Verify that the command has the correct paths to the correct certificate_file and private_key files.
     
  • Verify that you have downloaded the correct SSL Certificate: 
    openssl x509 -subject -dates -noout -in certificate_file

    Note:
    In the Subject, find the CN= section, which displays the Common Name. The notBefore and notAfter fields display the validity period of your certificate.
    You can access your account and download the correct certificate if necessary:
    Retail clients: SO13187
    Enterprise clients: SO12914
    Reseller clients: SO17717
     
  • Search for all Private Keys in your Apache server directories and run the command to test each one against the correct SSL Certificate.
    Important: If unable to find the correct Private Key, the certificate will need to be replaced.

To replace (reissue) your certificate, select the correct channel where you ordered the certificate:

 

When the moduli are correct:

  • Check the server configuration file to make sure that the directives point to the correct private key and certificate (check the paths to the files).
     
  • If you have an httpd.conf and an ssl.conf file, or any other customized configuration file, make sure that the directives in each are correct.

 

Other error messages:

"unable to load certificate": the "openssl x509" command is pointing to a file in the wrong format for certificate_file (i.e. a Private Key or CSR file) or to a malformed certificate file.

"unable to load Private Key": the "openssl rsa" command is pointing to a file in the wrong format for private_key (i.e. an SSL Certificate, Intermediate Certificate or CSR file), to a malformed Private Key file, or the Private Key password is incorrect.

Note: Also verify that the files were saved with a plain text editor (Notepad, Vi) and that they have no trailing spaces.
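
The key pair comparison and the Private Key search described above, as an added example that is not part of the original article. It compares the whole public key instead of only the modulus, which extends the check to EC keys. The function names check_keypair and find_matching_key and the *.key / *.pem file patterns are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article).
# Compares the full public key rather than only the RSA modulus, so the same
# check also works for EC keys.

# check_keypair CERT KEY [PASSIN]
#   returns 0 = key pair matches, 1 = mismatch, 2 = a file could not be parsed
#   PASSIN is an optional "openssl -passin" source (e.g. file:/path/to/pass);
#   without it openssl prompts for the password of an encrypted key.
check_keypair() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || {
        echo "unable to load certificate: $1" >&2
        return 2
    }
    key_pub=$(openssl pkey -in "$2" -pubout ${3:+-passin "$3"} 2>/dev/null) || {
        echo "unable to load private key: $2" >&2
        return 2
    }
    if [ "$cert_pub" = "$key_pub" ]; then
        echo "MATCH: $2 belongs to $1"
        return 0
    fi
    echo "MISMATCH: $2 does not belong to $1"
    return 1
}

# find_matching_key CERT DIR
#   prints every *.key / *.pem file under DIR whose public key matches CERT.
#   "pass:" supplies an empty password so encrypted keys are skipped instead
#   of prompting; check those by hand with check_keypair.
find_matching_key() {
    find "$2" -type f \( -name '*.key' -o -name '*.pem' \) |
    while IFS= read -r candidate; do
        if check_keypair "$1" "$candidate" pass: >/dev/null 2>&1 </dev/null; then
            printf '%s\n' "$candidate"
        fi
    done
    return 0
}
```

After sourcing the file, run check_keypair certificate_file private_key; a return status of 2 corresponds to the "unable to load" errors listed above.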