Trying to generate a pfx from crt and private key from GoDaddy using openssl fails with No certificate matches private key

I’m trying to generate a pfx file from a crt and a private key, and I keep getting No certificate matches private key.

No idea what’s going on here.
I did:

openssl pkcs12 -export -out myaudiservice.com.pfx -inkey myaudiservice.com.key -in myaudiservice.com.crt -in gd_bundle-g2-g1.crt

Which gets me:

No certificate matches private key

So, I tried deleting everything, key, crt, cert chain, and then I generated a new CSR:

openssl req -new -newkey rsa:2048 -nodes -keyout myaudiservice.com.key -out myaudiservice.com.csr

Which generated a new key and new csr. I then uploaded the CSR to GoDaddy and requested the cert be re-keyed.

When that was done, I downloaded the new crt, and used the freshly generated key (from the openssl command used to generate the CSR), and I still get the same error.

Then, just as a sanity check I did:

mjb@bohr:~/Downloads/myaudiservice.com$ openssl x509 -noout -modulus -in myaudiservice.com.crt | openssl md5
(stdin)= 36d37e4f8f8672c127178a4a9cf32b89
mjb@bohr:~/Downloads/myaudiservice.com$ openssl rsa -noout -modulus -in myaudiservice.com.key | openssl md5
(stdin)= 36d37e4f8f8672c127178a4a9cf32b89

And they match….but I still get the:

No certificate matches private key

Help? I’m at my wit’s end here…..

>Solution :

You cannot have multiple -in arguments. It will just take the last, i.e. gd_bundle-g2-g1.crt. And no certificate in this file matches the key. Instead you should combine all certificates (and maybe even the key) into a single file and use this as argument for a single -in option.

Leave a Reply