[How to] check if a certificate matches its private key

Refers to:

  • Plesk 12.5 for Linux
  • Plesk Onyx for Linux
  • Plesk Onyx for Windows
  • Plesk 11.0 for Linux
  • Plesk 11.5 for Linux
  • Plesk 12.0 for Windows
  • Plesk 12.0 for Linux
  • Plesk 12.5 for Windows
  • Plesk 9.x and below for Windows

Created:

2016-11-16 12:50:20 UTC

Modified:

2017-02-11 04:49:57 UTC

1

Was this article helpful?


Have more questions?

Submit a request

[How to] check if a certificate matches its private key

Symptoms

I try to upload a certificate in the control panel and get the following error:

    ERROR message: Unable to set the certificate: Incompatible private key/certificate pair.

I encounter the same problem when using .txt format.

Cause

The private key and the certificate may not match.

Resolution

To check this, you need to compare the modulus part of the private key with that of the certificate:

Copy the private key contents for domain.tld into a file (e.g., domain.tld) and check its modulus part:

    # openssl rsa -text -noout -in domain.tld -modulus | grep Modulus=
Modulus=A6ACD1BCD71FBAD9499D95B9F341F65980BFE13D5189CE9629642F7211E7F8C5CD42394A6F0047A51E4451647E367E36B69D8A42F62B995532F6331189C120AAB7D5A92D016870622D85E675A5C3D7160F820F87D5717C157D4324SDF2D39DB5E2SFSCF848D72C5C6805D604C830995FEBAAE01C058EE88F57E108034B4AC7F2BB97DB20A8D6480B422171C6E2E7550740A9A436B2FBD8EF660E80CE1808CEEBC0B7CC55E6625EA44D94600AC4EC31AF89F81A8E9870E4F760B7238A91DBFDC0805BE05B32D8CF59C0BBEA82850B0FF635DFE8CF63683C3CDAAF7F4484A97D06450760677AD5B7EEA5EEEED922D0F367FE9C43F5636A635DACB977FE250C42A1F348D85BCEEDDSFEFA343

Then check the modulus part of the certificate:

    openssl x509 -text -noout -in domain.tld.crt -modulus | grep Modulus=
Modulus=C55B529210F59C810097B854BA3816627DE68D903B85336F92E1E278B0DF31F01944FEFB7A0E7EA39D830559CBF1C40923F826FFE77C97896067F22331C5A12392C39EDE43B68BF1A68075EB238DFAD3423431123AFBF33f3DF9D1123008B52EA7C08D10D2318F32258BDD12B207F3CDB1D062765E8732DF82547245574A041ED7E49AFE828E73C3D42C614AC44475D880E4103181A4FAA3F3EA584CAD8A68707C311B93D0F5DFEF6D40106BEBEA4B14FB1B9C4ED8E91B1A12BBBD879B50689DCDFD294AC12526E2276EF63E79C114CCD7825262F2DE9BFD3642AA579725B23AAAD48F1A9E16C389BBB7E08C0F193CAEA244D107742831E3C16B6E84F4447D70F2300DCE67352B4B7B323SDFS

If the modulus parts do not match, the issue is caused by the certificate itself, which must be re-issued. You need to contact the CA that issued the certificate with the same CSR for a new certificate.

Have more questions? Submit a request
Please sign in to leave a comment.