Certificate installation on Apache webserver at times triggers the error message “Certificate routines:X509_check_private_key:key values mismatch”.
This usually happens during an Apache service restart.
As a part of our Server Management Services, we help our Customers to fix SSL related errors regularly.
Let us today discuss the possible causes and fixes for this error.
What causes “certificate routines:X509_check_private_key:key values mismatch” error?
As discussed earlier, restarting the Apache service while installing a certificate on the webserver at times yields a key values mismatch error. A typical error message looks like the one below:
[Fri Mar 07 14:59:57 2014] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
The most common reasons for this error include:
- Private key mismatch during the restart of the Apache service.
- Improper order of concatenation of the certificates
Private key mismatch
A major reason for this error is the use of an incorrect private key alongside the certificate received from the Certificate Authority. In practice, it means that the private key (SSLCertificateKeyFile) in the VirtualHost section of the .conf file does not match the SSL certificate (SSLCertificateFile) in the same section.
For the webserver to accept a certificate, the private key configured must be the same one that was used to generate the CSR code submitted for the certificate activation.
We can check whether the certificate matches the private key using the following OpenSSL commands:
openssl x509 -in /path/to/certificate.crt -noout -modulus | openssl sha1
openssl rsa -in /path/to/private.key -noout -modulus | openssl sha1
Replace the file names in the commands with the exact one for the certificate and private key. The first command applies to the certificate file from the Certificate Authority. The second one is for the private key.
If the outputs of the commands differ, this means that the chosen private key does not match the certificate.
Thus we will need to find another private key file on the server. The command below will help us with it:
find / -name "*.key"
This command will find all files on the server with .key extensions. Once the keys are found, check their moduli using the OpenSSL rsa command listed above to locate one that matches.
If a private key with a modulus matching the certificate cannot be found, we need to generate a new CSR code and reissue the certificate.
Sometimes, we can fix the issue by creating a new CSR from the existing private key file. The command for this operation is:
openssl req -new -key your_domain_com.key -out your_domain_com.csr
Improper order of concatenation of the certificates
Prior to Apache version 2.4.8, SSLCertificateFile was extended to load intermediate CA certificates from the server certificate file as well. It allowed the certificate file to contain the certificate as well as intermediate certificates.
Thus, it is important to place the end-entity certificate for a domain as the first certificate in this file, with the intermediate certificates placed below it, starting from the one that signs the end-entity certificate. Otherwise, it triggers the key values mismatch error.
The correct order is as follows: end-entity certificate (your_domain.crt) -> first intermediate -> second intermediate -> root.
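The two checks described above (does the key match the certificate, and is the bundle ordered end-entity first) can be scripted. The following is an added example, not code from the original article: it compares the public keys instead of the RSA moduli, so it also works for EC keys, and it verifies that each certificate in a bundle is issued by the one that follows it. It assumes the openssl CLI is on PATH; the root, intermediate and leaf certificates are constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the article): check that an Apache certificate and
# key belong together, and that a bundle file is ordered leaf -> intermediate
# -> root. Requires the openssl CLI; all key material is generated inline.
# Compare public keys instead of RSA moduli so EC keys are covered too.
# Returns 0 if the certificate's public key equals the key's public key.
cert_matches_key() {
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
  [ -n "$c" ] && [ "$c" = "$k" ]
}
# Returns 0 if every certificate in the bundle is issued by the next one,
# which is the order SSLCertificateFile expects (end-entity certificate first).
chain_order_ok() {
  d=$(mktemp -d)
  awk -v d="$d" '/BEGIN CERTIFICATE/{n++} n>0{print > (d "/cert." n)}' "$1"
  n=$(grep -c 'BEGIN CERTIFICATE' "$1"); i=1; rc=0
  while [ "$i" -lt "$n" ]; do
    iss=$(openssl x509 -in "$d/cert.$i" -noout -issuer -nameopt RFC2253)
    sub=$(openssl x509 -in "$d/cert.$((i+1))" -noout -subject -nameopt RFC2253)
    [ "${iss#issuer=}" = "${sub#subject=}" ] || rc=1   # strip the label prefixes
    i=$((i+1))
  done
  rm -rf "$d"; return $rc
}
# --- constructed fixtures: a root CA, an intermediate and a leaf (kept in $W) ---
W=$(mktemp -d)
gen() { # gen <name> <subject> [issuer-name]; self-signed when no issuer is given
  openssl req -new -newkey rsa:2048 -nodes -keyout "$W/$1.key" \
    -out "$W/$1.csr" -subj "$2" 2>/dev/null
  if [ -z "$3" ]; then
    openssl x509 -req -in "$W/$1.csr" -signkey "$W/$1.key" -days 1 \
      -out "$W/$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$W/$1.csr" -CA "$W/$3.crt" -CAkey "$W/$3.key" \
      -CAcreateserial -days 1 -out "$W/$1.crt" 2>/dev/null
  fi
}
gen root "/CN=Example Root"; gen inter "/CN=Example Intermediate" root
gen leaf "/CN=www.example.test" inter
cat "$W/leaf.crt" "$W/inter.crt" "$W/root.crt" > "$W/good.pem"   # correct order
cat "$W/inter.crt" "$W/leaf.crt" "$W/root.crt" > "$W/bad.pem"    # leaf not first
cert_matches_key "$W/leaf.crt" "$W/leaf.key"  && echo "leaf.key: matches leaf.crt"
cert_matches_key "$W/leaf.crt" "$W/inter.key" || echo "inter.key: mismatch (expected)"
chain_order_ok "$W/good.pem" && echo "good.pem: order ok"
chain_order_ok "$W/bad.pem"  || echo "bad.pem: wrong order (expected)"
```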
Conclusion
In short, the “Certificate routines:X509_check_private_key:key values mismatch” error is triggered during SSL certificate installation, either by a private key that does not match the certificate or by a wrongly ordered certificate file. Today, we saw how our Support Engineers fix this error.
This helped me.