There are two main reasons for the SSL "key values mismatch" error.
Error messages about X509_check_private_key: key values mismatch
root@s17925268:~# service nginx restart
Restarting nginx: nginx: [emerg] SSL_CTX_use_PrivateKey_file("/etc/nginx/conf.d/ssl/ssl.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
nginx: configuration file /etc/nginx/nginx.conf test failed
Failed to load private key from ./envoy/test/extensions/transport_sockets/tls/test_data/san_dns2_key.pem, Cause: error:0b000074:X.509 certificate routines:OPENSSL_internal:KEY_VALUES_MISMATCH
Thu Jul 28 17:55:12 2016 OpenSSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
Cannot load SSL private key file. Error: error: 0B080074:x509 certificate routines:X509_check_private_key:key values mismatch.
The two main reasons are:
- The public key carried by the private key, the CSR and the certificate file do not match.
- The certificate chain is in the wrong order (the server certificate is not the first certificate in the file).
Verifying Our Keys Match
To verify that the public and private keys match, extract the public key from the CSR, the certificate and the private key file, and compute a hash of each one.
All three files should carry the same public key and therefore produce the same hash value.
Before we run the verification command:
- Make sure our CSR, certificate and key are in PEM format. If not, convert them with the openssl command first.
- Compare the hash of the public key in the CSR and certificate with the hash of the public key derived from the private key.
Use the following commands to generate a hash of each file’s public key:
- openssl pkey -pubout -in private.key | openssl sha256
- openssl req -pubkey -in request.csr -noout | openssl sha256
- openssl x509 -pubkey -in certificate.crt -noout | openssl sha256
Each command prints (stdin)= (SHA2-256(stdin)= on OpenSSL 3) followed by the hex hash. If the hash is identical for all three commands, the files share the same key pair; if any one differs, that file belongs to a different key.
If we run into a key mismatch error, we need to do one of the following:
- Transfer the private key from the machine used to generate the CSR to the one we are trying to install the certificate on.
- Install the certificate on the machine with the private key.
- Generate an entirely new key and create a new CSR on the machine that will use the certificate.
Check the certificate order
If the server certificate and the CA bundle have been concatenated in the wrong order, we also get this key values mismatch error: the server compares the private key against the first certificate in the file, and with the bundle on top that is a CA certificate, not ours.
In this case, we need to put the server certificate at the top of the certificate file.
Before (wrong):
cat ca_bundle.crt server_certificate.crt > bundle_chained.crt
After (right):
cat server_certificate.crt ca_bundle.crt > bundle_chained.crt
The working certificate bundle file should look like the following, in this order:
- server certificate
- intermediate certificate 1
- intermediate certificate 2, if there is one
-----BEGIN CERTIFICATE-----
MIICC-this-is-the-certificate-that-signed-your-request
-this-is-the-certificate-that-signed-your-request-this
-is-the-certificate-that-signed-your-request-this-is-t
he-certificate-that-signed-your-request-this-is-the-ce
rtificate-that-signed-your-request-A
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIICC-this-is-the-certificate-that-signed-for-that-one
-this-is-the-certificate-that-signed-for-that-one-this
-is-the-certificate-that-signed-for-that-one-this-is-t
he-certificate-that-signed-for-that-one-this-is-the-ce
rtificate-that-signed-for-that-one-this-is-the-certifi
cate-that-signed-for-that-one-AA
-----END CERTIFICATE-----
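The two checks above (key/CSR/certificate hashes, and bundle order) as one POSIX shell script. This is an added example, not from the original post; the file names and the demo material it generates with openssl are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: check that a private key, CSR and
# certificate carry one public key, and that a chained bundle starts with the
# server certificate (the block nginx pairs with ssl_certificate_key).
# File names and the demo material below are constructed for this example.

# SHA-256 of the public key held by a key, CSR or certificate file.
pubkey_hash() {
  pem=$(case "$1" in
    key)  openssl pkey -pubout -in "$2" 2>/dev/null ;;
    csr)  openssl req  -pubkey -noout -in "$2" 2>/dev/null ;;
    cert) openssl x509 -pubkey -noout -in "$2" 2>/dev/null ;;
  esac) || return 1
  [ -n "$pem" ] || return 1   # unreadable or wrong-format input: no hash at all
  printf '%s\n' "$pem" | openssl sha256 | awk '{print $NF}'
}

# True when key, CSR and certificate all share the same public key.
check_key_match() {
  k=$(pubkey_hash key "$1") && r=$(pubkey_hash csr "$2") && c=$(pubkey_hash cert "$3") \
    && [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# True when the FIRST certificate in a bundle matches the key. openssl x509 reads
# only the first PEM block, so a bundle with the CA on top fails here, which is
# exactly the "key values mismatch" described above.
check_bundle_order() {
  k=$(pubkey_hash key "$1") && first=$(pubkey_hash cert "$2") && [ "$k" = "$first" ]
}

# Build a throwaway key/CSR/cert set plus a right and a wrong bundle in a temp
# dir and print that dir. Everything here is constructed demo data.
make_demo() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=example.test \
    -keyout "$d/private.key" -out "$d/certificate.crt" >/dev/null 2>&1
  openssl req -new -key "$d/private.key" -subj /CN=example.test \
    -out "$d/request.csr" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=ca.test \
    -keyout "$d/ca.key" -out "$d/ca_bundle.crt" >/dev/null 2>&1   # stands in for the CA bundle
  cat "$d/certificate.crt" "$d/ca_bundle.crt" > "$d/right_order.crt"
  cat "$d/ca_bundle.crt" "$d/certificate.crt" > "$d/wrong_order.crt"
  echo "$d"
}
# Stand-alone run: each check reports its verdict.
d=$(make_demo)
check_key_match "$d/private.key" "$d/request.csr" "$d/certificate.crt" \
  && echo "key, CSR and certificate match"
check_bundle_order "$d/private.key" "$d/wrong_order.crt" \
  || echo "wrong_order.crt: first certificate does not match the key"
```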