Error: "Certificate and private key do not match" while Installing Certificate-Key Pair on NetScaler


Article ID: CTX127090


Description

When trying to install a Certificate-Key Pair (certificate and private key) on NetScaler, the following error message appears:
“Certificate and private key do not match”


Resolution

Requirement:
Working installation of OpenSSL. OpenSSL can be downloaded from https://www.openssl.org/source/. The NetScaler Configuration Utility also has an option to use the OpenSSL interface.
OpenSSL commands can be run from the shell prompt of NetScaler as well.

Print the modulus of the private key, the certificate signing request, and the certificate, and confirm that the files match, by running the following commands from the NetScaler shell prompt.

> shell

Copyright (c) 1992-2013 The FreeBSD Project.

Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994

    The Regents of the University of California. All rights reserved.

 

root@NSMPX#

Certificate:
openssl x509 -in certfile_name -noout -modulus
certfile_name should include the location of the certificate file, so the exact command is:
root@ns# openssl x509 -in /nsconfig/ssl/example.com.cert -noout -modulus
/nsconfig/ssl is the location where SSL files are uploaded/located on the appliance.

Private Key:
openssl rsa -in key_file_name -noout -modulus
Sample command from the Shell prompt of NetScaler:
root@ns# openssl rsa -in /nsconfig/ssl/example.com.key -noout -modulus

Certificate Signing Request:
openssl req -in csr_file_name -noout -modulus
Sample command from the Shell prompt of NetScaler:

root@ns# openssl req -in /nsconfig/ssl/example.com.csr -noout -modulus

Sample Output of matching files

*Certificate*
root@ns# openssl x509 -in example.com.cer -noout -modulus
Modulus=E7EDAE4410AA3EDDEF02175A84E4BE362AA255054C727767464594C45B7BC5A12544AABD74DE7B56E28727009B1539C5E597AA2EB3BE3ED33705166CF5CF463EF262C7AD114297300FD3E12803AFB11798C2191E17E7E65F7F53C68C9DC9B267688F36B272B5B26C30C212A0A87AF2C036EBA3C658114E787DAB6DC421DB5327

*Private Key*
root@ns# openssl rsa -in example.com.key -noout -modulus
Modulus=E7EDAE4410AA3EDDEF02175A84E4BE362AA255054C727767464594C45B7BC5A12544AABD74DE7B56E28727009B1539C5E597AA2EB3BE3ED33705166CF5CF463EF262C7AD114297300FD3E12803AFB11798C2191E17E7E65F7F53C68C9DC9B267688F36B272B5B26C30C212A0A87AF2C036EBA3C658114E787DAB6DC421DB5327

*Certificate Signing Request*
root@ns# openssl req -in example.com.csr -noout -modulus
Modulus=E7EDAE4410AA3EDDEF02175A84E4BE362AA255054C727767464594C45B7BC5A12544AABD74DE7B56E28727009B1539C5E597AA2EB3BE3ED33705166CF5CF463EF262C7AD114297300FD3E12803AFB11798C2191E17E7E65F7F53C68C9DC9B267688F36B272B5B26C30C212A0A87AF2C036EBA3C658114E787DAB6DC421DB5327

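Notice that the Modulus field is an exact match across the three files. The modulus is part of the RSA public key, so identical values show that the certificate, the private key, and the certificate signing request all belong to the same key pair.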
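The same comparison can be scripted so that the moduli are compared as strings rather than by eye, and so that an unreadable file is never mistaken for a match. This is an added example, not part of the original article: the function names (modulus_of, files_match, make_samples) and the throwaway files it generates are assumptions, and it assumes RSA keys and an unencrypted private key file.

```shell
#!/bin/sh
# Added example (not from the article). Function names are assumptions.

# modulus_of KIND FILE: print "Modulus=<hex>", or return 2 if FILE cannot be parsed.
modulus_of() {
    case "$1" in
        cert) out=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) ;;
        key)  out=$(openssl rsa  -in "$2" -noout -modulus 2>/dev/null) ;;
        csr)  out=$(openssl req  -in "$2" -noout -modulus 2>/dev/null) ;;
        *)    return 2 ;;
    esac || return 2
    # Two failed reads would both be empty and compare equal, so reject empties.
    case "$out" in Modulus=?*) printf '%s\n' "$out" ;; *) return 2 ;; esac
}

# files_match CERT KEY [CSR]: 0 = match, 1 = mismatch, 2 = unreadable file.
files_match() {
    cert_mod=$(modulus_of cert "$1") || { echo "unreadable certificate: $1" >&2; return 2; }
    key_mod=$(modulus_of key "$2") || { echo "unreadable private key: $2" >&2; return 2; }
    [ "$cert_mod" = "$key_mod" ] || { echo "MISMATCH: certificate and private key"; return 1; }
    if [ -n "${3:-}" ]; then
        csr_mod=$(modulus_of csr "$3") || { echo "unreadable CSR: $3" >&2; return 2; }
        [ "$csr_mod" = "$key_mod" ] || { echo "MISMATCH: CSR and private key"; return 1; }
    fi
    echo "OK: moduli match"
}

# make_samples DIR: constructed throwaway files (self-signed cert, CSR, unrelated key).
make_samples() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.com" \
        -keyout "$1/example.com.key" -out "$1/example.com.cert" 2>/dev/null &&
    openssl req -new -key "$1/example.com.key" -subj "/CN=example.com" \
        -out "$1/example.com.csr" 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

# Demonstration on constructed files: a matching set, then a certificate with the wrong key.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
files_match "$demo_dir/example.com.cert" "$demo_dir/example.com.key" "$demo_dir/example.com.csr"
files_match "$demo_dir/example.com.cert" "$demo_dir/other.key" || true
rm -rf "$demo_dir"
```

On the appliance, the equivalent call would be files_match with the paths under /nsconfig/ssl in place of the generated files.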

To resolve this issue, attempt the installation of the Certificate-Key Pair with the matching private key and certificate files.


If the private key is no longer accessible, generate a new private key and certificate signing request on the NetScaler and request a new certificate from your Certificate Authority.

 

Problem Cause

The private key is not the same file used to create the certificate signing request for that particular certificate.

 

Issue/Introduction

When trying to install a Certificate-Key Pair (certificate and private key) on a NetScaler appliance, the error message "Certificate and private key do not match" is displayed.