Is it possible that the lines are ^M-terminated? This is a potential issue when moving files from Windows to UNIX systems. One easy way to check is to use vi in "show me the binary" mode, with vi -b /etc/apache2/domain.ssl/domain.ssl.crt/domain.com.crt.
If each line ends with a control-M, like this
-----BEGIN CERTIFICATE-----^M
MIIDITCCAoqgAwIBAgIQL9+89q6RUm0PmqPfQDQ+mjANBgkqhkiG9w0BAQUFADBM^M
MQswCQYDVQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkg^M
THRkLjEWMBQGA1UEAxMNVGhhd3RlIFNHQyBDQTAeFw0wOTEyMTgwMDAwMDBaFw0x^M
you've got a file in Windows line-terminated format, and Apache doesn't love those.
Your options include moving the file over again, taking more care; or using the dos2unix command to strip those out; you can also remove them inside vi, if you're careful.
Edit: thanks to @dave_thompson_085, who points out that this answer no longer applies in 2019. That is, Apache/OpenSSL are now tolerant of ^M-terminated lines, so they don't cause problems. That said, other formatting errors, several different examples of which appear in the comments, can still cause problems; check carefully for these if the certificate has been moved across systems.
The error is simple: the private key file you are using is not actually the one used to generate the CSR for your SSL certificate. You should locate the correct key file and reference that one in your Apache SSL vhost.
This is the basics of how SSL works and how SSL validation works. You create your key, but rather than providing it to a certificate provider to generate and sign an SSL, which would be insecure, you generate a CSR, which generates enough data to allow the SSL company to sign a certificate for you. Therefore, if you don't use this same private key with your actual SSL certificate, it will fail because they don't match up to each other.
Where did you generate your CSR for the SSL certificate? It's probably likely that the key is somewhere there too.
Provide some more info about your system and I can advise better where to look.
Best Answer
Compare the modulus of the files.
Check the public key like this:
And check the private keys like this:
Compare the "modulus" data (a big block of numbers) between the certificate and the potentially matching keys. If they match, then the key and certificate are a pair.
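The modulus comparison described in this answer, together with the ^M check from the first answer, written out as an added example (not the answerers' own commands). It assumes RSA keys without a passphrase and the openssl command-line tool; the function names and the generated sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumes RSA keys and the openssl command-line tool.

# Print "Modulus=<hex>" for a certificate or a private key; fail if unparsable.
cert_modulus() { openssl x509 -noout -modulus -in "$1" 2>/dev/null; }
key_modulus()  { openssl rsa  -noout -modulus -in "$1" 2>/dev/null; }

# 0 = key and certificate are a pair, 1 = different keys,
# 2 = a file could not be parsed. Parse failures are reported separately
# so that two unreadable files are never treated as a match.
pair_matches() {
    c=$(cert_modulus "$1") || return 2
    k=$(key_modulus "$2") || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# 0 if any line of the file ends in a carriage return (the ^M shown by vi -b).
has_crlf() { grep -q "$(printf '\r')\$" "$1"; }

# Constructed sample data: two throwaway keys, a self-signed certificate
# for the first key, and a CRLF-terminated copy of that certificate.
# Prints the temporary directory that holds them.
make_samples() {
    dir=$(mktemp -d) || return 1
    openssl genrsa -out "$dir/a.key" 2048 2>/dev/null || return 1
    openssl genrsa -out "$dir/b.key" 2048 2>/dev/null || return 1
    openssl req -new -x509 -key "$dir/a.key" -subj "/CN=example.test" \
        -days 1 -out "$dir/a.crt" 2>/dev/null || return 1
    sed "s/\$/$(printf '\r')/" "$dir/a.crt" > "$dir/a-crlf.crt"
    echo "$dir"
}

# Usage: sh check-pair.sh <certificate> <private key>
if [ "$#" -eq 2 ]; then
    has_crlf "$1" && echo "note: $1 has CRLF line endings"
    if pair_matches "$1" "$2"; then
        echo "match"
    else
        echo "no match (status $?)"
    fi
fi
```

A status of 2 means one of the files did not parse at all, which points at a formatting problem rather than a wrong key.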