How to confirm that the modulus in your private key matches the modulus in your SSL/TLS certificate’s public key prior to installation?

Solution ID:    SO16899    Updated:    07/20/2017

Solution

The server certificate, private key and CSR all contain a Modulus value.  This value must match, otherwise there will be an error.  If you are receiving a key mismatch error, the cause may be that the server certificate is attempting to be used with a private key that is not the private key used to generate the CSR that issued the server certificate.  Please use the commands below to diagnose a key mismatch.

Note:  You may want to open two windows so that you can view the moduli at the same time.


To view the certificate Modulus:

openssl x509 -noout -modulus -in [certificate-file.crt]



To view the key Modulus:

openssl rsa -noout -modulus -in [key-file.key]

The modulus of the private key and the certificate must match exactly.  If they do not match please locate the matching private key.  If the matching private key can not be located, you can generate a new private key & CSR and reissue the certificate.

 

How to use the "FC" File Comparison tool in Windows to compare the moduli values.

The modulus value can be outputed to text files and use FC to check for differences.  This will make a mismatch easy to locate.

  1. Execute the command below in the Command Prompt to export the Modulus of the server certificate into a text file.

    openssl x509 -noout -modulus -in [your-certificate.cer] > [cert-output-file.txt]


     
  2. Execute the command below in the Command Prompt to export the Modulus of the private key into a text file.

    openssl x509 -noout -modulus -in [private.key] > [key-output-file.txt]


  3. Execute the command below to compare the files

    fc [cert-output-file.txt] [key-output-file.txt]

    Key match:
    FC will state no differences encountered.  If you receive this message, the server certificate & private key match.



    Key Mismatch:
    If the server certificate and private key do not match, fc will display output similar to below.  This is displaying the differences in the files, confirming a key mismatch.

 

Legacy ID

vs2786

Contact Support

US Support:

Order Processing

Technical Support

European Support:

Order Processing

Technical Support

SSL digital certificates sales live chat.

Find Answers


Search Tips