7

I am trying to reinstall SSL on a domain where the previous certificate expired. I have removed the old certificate and I am attempting to install the new certificate I purchased from NameCheap in Web Host Manager per these instructions: http://wiki.spry.com/Installing_an_SSL_Certificate_in_WHM. My problem is that whenever I am at Step 9, installing the SSL certificate, WHM tells me my private key and certificate do not match. I have attempted to recreate the CSR and certificate from a new private key multiple times, all with the same result.

I don't know if this is relevant, but if I use the self-signed certificate WHM generated instead of the certificate I purchased, the private key and certificate do match. Any ideas why the private key and certificate aren't matching?

alan
  • I frequently use namecheap certs (the comodo one) and when installing the certificate have an error come up. However, after looking at the certificate store, find the new certificate correctly available. Have you verified that it is indeed not available after restarting IIS? – EricG Jan 02 '14 at 19:35

3 Answers

2

WHM attempts to find the appropriate private key to match the domain.

However, if multiple CSRs or private keys are installed for the domain, the system may not identify the correct private key.

To correct this, you can manually paste the correct private key into the boxes when installing.

You can find the various private keys on the server using the SSL Cert/Private Key manager link in WHM.

jeffatrackaid
  • Thanks for your reply, I have been manually pasting the private key in which is what brings up the do not match error. – alan Jan 02 '14 at 19:53
  • You likely have the wrong private key for the cert. I've seen this happen a few times. See if you can get your SSL cert re-issued for free. If so, go into WHM and remove (make backups if you want) all SSL certs/CSRs/keys for the domain. Then generate a new CSR. This way there will only be one key on the server and WHM should get the match right. – jeffatrackaid Jan 02 '14 at 20:40
  • I have attempted to reissue the SSL certificate and reinstall the SSL certificate multiple times with the same result. I have also deleted all previous certificates in WHM for the domain. Is it possible that the details I enter to generate the CSR and the details I entered when I bought the certificate not matching could cause the Private Key to not match? – alan Jan 02 '14 at 21:21
  • You should delete everything in WHM and then generate a new CSR. Then send this new CSR to your cert provider. This way the only private key in WHM would have to match the CSR you used. I suspect something is just getting mixed up along the way. – jeffatrackaid Jan 02 '14 at 21:25
  • The problem turned out to be the SSL organisation, address, etc. I provided to my registrar did not precisely match the information I used in WHM to generate the private key. Thanks for the help. – alan Jan 03 '14 at 05:25
  • @alan you should post this last comment as the answer. – toomanyairmiles Nov 11 '16 at 13:12
0

Try

    openssl x509 -req -in server.csr -signkey server.key -out server.crt

(taken from How to convert .csr to .cer (or whatever usable on Windows)) to get the crt file from a csr. By this, the error

    CA certificate and CA private key do not match

disappeared.

Another error popped up afterwards, therefore, no guarantee that this helps, see Reach TimescaleDB with Hasura API: "CA certificate and CA private key do not match" when using self-signed server certificate / private key.

0

If the private key does not match, you have to reissue the certificate to generate a new private key and reinstall the certificate.
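
Added example (not part of any answer above, and not WHM's own check): a private key, a CSR and a certificate belong together when they carry the same public key, so comparing a digest of that key before pasting the files into WHM shows which file is the odd one out. The file names, the `example.test` subject and the helper function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: do a private key, a certificate and (optionally) a CSR
# carry the same public key? File names below are constructed.

# pubkey_fp KIND FILE -> SHA-256 of the PEM public key (KIND: key|csr|cert)
pubkey_fp() {
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || pem= ;;
        csr)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) || pem= ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || pem= ;;
        *)    pem= ;;
    esac
    [ -n "$pem" ] || { echo "cannot read $1 file: $2" >&2; return 1; }
    printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# check_match KEY CERT [CSR] -> 0 match, 1 mismatch, 2 unreadable input
check_match() {
    k=$(pubkey_fp key "$1") || return 2
    c=$(pubkey_fp cert "$2") || return 2
    echo "key  $k"; echo "cert $c"
    if [ -n "${3:-}" ]; then
        r=$(pubkey_fp csr "$3") || return 2
        echo "csr  $r"
        [ "$r" = "$k" ] || { echo "CSR was not generated from this key"; return 1; }
    fi
    [ "$c" = "$k" ] || { echo "certificate was issued for a different key"; return 1; }
    echo "key and certificate match"
}

# make_demo_files DIR: throwaway key a.key with its CSR and self-signed
# certificate, plus an unrelated key b.key (all constructed test data).
make_demo_files() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/a.key" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/b.key" 2>/dev/null
    openssl req -new -key "$1/a.key" -subj "/CN=example.test" -out "$1/a.csr" 2>/dev/null
    openssl x509 -req -in "$1/a.csr" -signkey "$1/a.key" -days 1 -out "$1/a.crt" 2>/dev/null
}

# Run as: sh check_match.sh domain.key domain.crt [domain.csr]
if [ "$#" -ge 2 ]; then check_match "$@"; fi
```

If the CSR line differs from the key line, the CSR sent to the certificate provider was generated from another key on the server; if only the cert line differs, the issued certificate was made from a different CSR.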