ERROR: Certificate and private key do not match


Symptoms
When trying to install a Certificate-Key Pair (certificate and private key) on a NetScaler appliance, the following error message appears:
“Certificate and private key do not match”
Cause
The private key is not the same file used to create the certificate signing request for that particular certificate.
Resolution
Compare the modulus of the private key, the certificate signing request, and the certificate to confirm that the files truly match, by issuing the following CLI commands:
Certificate:
openssl x509 -in certfile_name -noout -modulus
Private Key:
openssl rsa -in key_file_name -noout -modulus
Certificate Signing Request:
openssl req -in csr_file_name -noout -modulus
Sample Output of matching files:
*Certificate*
root@ns# openssl x509 -in example.com.cer -noout -modulus
Modulus=E7EDAE4410AA3EDDEF02175A84E4BE362AA255054C727767464594C45B7BC
5A12544AABD74DE7B56E28727009B1539C5E597AA2EB3BE3ED33705166CF5CF463EF2
62C7AD114297300FD3E12803AFB11798C2191E17E7E65F7F53C68C9DC9B267688F36B2
72B5B26C30C212A0A87AF2C036EBA3C658114E787DAB6DC421DB5327
*Private Key*
root@ns# openssl rsa -in example.com.key -noout -modulus
Modulus=E7EDAE4410AA3EDDEF02175A84E4BE362AA255054C727767464594C45B7BC
5A12544AABD74DE7B56E28727009B1539C5E597AA2EB3BE3ED33705166CF5CF463EF2
62C7AD114297300FD3E12803AFB11798C2191E17E7E65F7F53C68C9DC9B267688F36B2
72B5B26C30C212A0A87AF2C036EBA3C658114E787DAB6DC421DB5327
*Certificate Signing Request*
root@ns# openssl req -in example.com.csr -noout -modulus
Modulus=E7EDAE4410AA3EDDEF02175A84E4BE362AA255054C727767464594C45B7BC
5A12544AABD74DE7B56E28727009B1539C5E597AA2EB3BE3ED33705166CF5CF463EF2
62C7AD114297300FD3E12803AFB11798C2191E17E7E65F7F53C68C9DC9B267688F36B2
72B5B26C30C212A0A87AF2C036EBA3C658114E787DAB6DC421DB5327
Notice how the Modulus field is a perfect match on the three files.
To resolve this issue, attempt the installation of the Certificate-Key Pair using matching private key and certificate files.
If the private key is no longer accessible, generate a new private key and certificate signing request on the NetScaler and request a new certificate from your Certificate Authority.
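The modulus comparison above can be scripted so that the long hex strings are compared by digest rather than by eye, and so that an unreadable file is reported instead of producing two empty outputs that look equal. This is an added example, not code from the original article or the vendor; it assumes RSA keys, and the function names, the script name and the KEY_PASSIN variable are illustrative.

```shell
#!/bin/sh
# Added example (not vendor code). Assumes RSA keys, as the commands above do.
# KEY_PASSIN is a hypothetical variable, e.g. KEY_PASSIN=file:/path/to/passfile.

# modulus_digest KIND FILE: print SHA-256 of the RSA modulus; non-zero on failure.
modulus_digest() {
    case $1 in
        cert) out=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 2 ;;
        csr)  out=$(openssl req -in "$2" -noout -modulus 2>/dev/null) || return 2 ;;
        # Default "pass:" (empty passphrase) makes an encrypted key fail
        # instead of prompting.
        key)  out=$(openssl rsa -in "$2" -noout -modulus \
                    -passin "${KEY_PASSIN:-pass:}" 2>/dev/null) || return 2 ;;
        *)    return 2 ;;
    esac
    hex=${out#Modulus=}
    # Reject empty output and any non-hex text, so that two failed reads
    # can never compare as equal.
    [ "$hex" != "$out" ] && [ -n "$hex" ] || return 2
    [ -z "$(printf '%s' "$hex" | LC_ALL=C tr -d '0-9A-F')" ] || return 2
    printf '%s' "$hex" | openssl dgst -sha256 | awk '{print $NF}'
}

# pair_matches CERT KEY [CSR]: 0 = all match, 1 = mismatch, 2 = unreadable input.
pair_matches() {
    c=$(modulus_digest cert "$1") || { echo "unreadable RSA certificate: $1" >&2; return 2; }
    k=$(modulus_digest key "$2") || { echo "unreadable RSA private key: $2" >&2; return 2; }
    [ "$c" = "$k" ] || { echo "MISMATCH: key $2 vs certificate $1" >&2; return 1; }
    if [ -n "${3:-}" ]; then
        r=$(modulus_digest csr "$3") || { echo "unreadable CSR: $3" >&2; return 2; }
        [ "$c" = "$r" ] || { echo "MISMATCH: CSR $3 vs certificate $1" >&2; return 1; }
    fi
    echo "match: modulus sha256 $c"
}

# Usage: sh check_pair.sh example.com.cer example.com.key [example.com.csr]
if [ "$#" -ge 2 ]; then pair_matches "$@"; fi
```

An exit status of 1 corresponds to the mismatch described in this article; a status of 2 means a file could not be parsed as RSA material and should be checked before drawing any conclusion.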
