How to Verify if an SSL Certificate Matches its Private Key

June 12, 2013 / SSL
ssl-certificates

Applicable For the Following Parallels Plesk Panel:

* Plesk Panel 11. x for Linux
* Plesk Panel 10. x for Linux
* Plesk Panel 9. x for Linux/Unix

Warning Signs

If you try to upload an SSL certificate in the Plesk control panel and get the following error message:

ERROR message: Unable to set the certificate: Incompatible private key/certificate pair.

Same problem when using .txt format.

Reason
The issue caused by the fact that the private key and the SSL certificate do not match.

Problem-Solving

To figure out this problem, you must evaluate the modulus part of the private key and the SSL certificate.

Copy the private key content of your domain name into a file (e.g. abc.com) and check its modulus part:

For Example:

# openssl rsa -text -noout -in abc.com -modulus | grep Modulus=
Modulus=A6ACD1BCD71FBAD9499D95B9F341F65980BFE13D5189CE9629642F7211E7F8C5CD42394A6F0047A51E4451647E367E36B69D8A42F62B995532F63311
A89C120AAB7D5A92D016870622D85E675A5C3D7160F820F87D5717C157D4324SDF2D39DB5E2SFSCF848D72C5C6805D604C830995FEBAAE01C058EE88F57E108034B4A
C7F2BB97DB20A8D6480B422171C6E2E7550740A9A436B2FBD8EF660E80CE1808CEEBC0B7CC55E6625EA44D94600AC4EC31AF89F81A8E9870E4F760B723
8A91DBFDC0805BE05B32D8CF59C0BBEA82850B0FF635DFE8CF63683C3CDAAF7F4484A97D06450760677AD5B7EEA5EEEED922D0F367FE9C43F5636A63
5DACB977FE250C42A1F348D85BCEEDDSFEFA343

Now you need to check the modulus part of the certificate:

# openssl x509 -text -noout -in abc.com.crt -modulus | grep Modulus=
Modulus=C55B529210F59C810097B854BA3816627DE68D903B85336F92E1E278B0DF31F01944FEFB7A0E7EA39D830559CBF1C40923F826FFE77C97896067F223
31C5A12392C39EDE43B68BF1A68075EB238DFAD3423431123AFBF33f3DF9D1123008B52EA7C08D10D2318F32258BDD12B207F3CDB1D062765E8732DF82547245574A041ED7
E49AFE828E73C3D42C614AC44475D880E4103181A4FAA3F3EA584CAD8A68707C311B93D0F5DFEF6D40106BEBEA4B14FB1B9C4ED8E91B1A12BBBD879B
50689DCDFD294AC12526E2276EF63E79C114CCD7825262F2DE9BFD3642AA579725B23AAAD48F1A9E16C389BBB7E08C0F193CAEA244D107742831E3C1
6B6E84F4447D70F2300DCE67352B4B7B323SDFS

If the modulus parts do not match, then the issue caused by the certificate itself. That means it has to be re-issued.

Solution

You need to contact CA ( Certificate Authority ) that issued the certificate with the same CSR (SSL Certificate Signing Request) for a new certificate.