Verify your SSL key values match

Yesterday afternoon I helped a colleague solve a problem that occurred while replacing an SSL certificate. Apache refused to restart and displayed this error report:

SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

This error appears if you are using an incorrect private key along with the certificate you received from the Certificate Authority. What was troubling me was that Apache refused to restart. It seemed to me that an invalid SSL certificate shouldn't stop the server from coming up. Unfortunately it does.

If you find yourself faced with this situation you have two options: keep all sites offline while you obtain a valid certificate, or get your sites up and running immediately.

The quickest way to get your sites back online is to comment out the SSL requirements for the affected domain in your hosts file. This means HTTPS connections for that domain will not work, but it gets all of your web sites running immediately. It also gives you breathing space to find and resolve the problems with your SSL certificate.

In order for Apache to accept a certificate, it should be used with the private key generated along with the CSR code submitted for the certificate activation. In our case, several older keys had been stored in the same folder and it was obvious that the wrong one was in use. But which was the correct key to use?

You can check whether the certificate matches the private key using the following openssl commands:

openssl x509 -in /path/to/certificate.crt -noout -modulus | openssl sha1
openssl rsa -in /path/to/private.key -noout -modulus | openssl sha1

The first command is applied to the certificate file, which you received from the Certificate Authority. The second one is for the private key.

Run these commands against the CRT and KEY files. Each of the commands will print a long string. If the strings match, then the CRT and KEY files match.

Note: Make sure you indicate the correct path to the certificate and key files. You can take either relative or absolute path. Alternatively, you can check sha256 or md5 moduli of the key and certificate pair, replacing the hash function at the end of the command.