"Public key certificate and private key doesn't match" when using Godaddy issued certificate

ssl amazon-ec2 openssl ssl-certificate
Felby picture Felby · Jul 19, 2011 · Viewed 75.6k times · Source

I'm trying to install a GoDaddy SSL certificate on a new load balancer I'm setting up on Amazon AWS. I originally created the certificate at Godaddy using the keytool program for direct installation on a Glassfish 3.1 server (Amazon linux ami). I had no problems getting that setup directly on the server. I now need to move the certificate from the web server to the new load balancer. Amazon requires the private key and certs to be in PEM format, so I used the "rekey" tool at GoDaddy to create new certs. When I load those in the load balancer setup screen on AWS Mgmt Console, I get the error message: "Public Key Certificate and Private Key doesn't match."

Here is how I'm creating the keys:

$ openssl genrsa -des3 -out private.key 2048
$ openssl req -new -key private.key -out apps.mydomain.com.csr

I then submit the .csr file to GoDaddy during the "rekey" process. Once the rekey is complete, I download the 2 newly created certs (apps.mydomain.com.crt & gd_bundle.crt). I download them selecting (Apache) as the type of server (I've also tried "other" and "Cpanel" but the all look to be the same).

At this point, I remove the encryption from the private.key file by using the following command: 

$ openssl rsa -in private.key -out private.pem

At this point, I go back into the AWS Mgmt console, create the load balancer, add the secure server redirect and put the contents of the following files in the respective fields on the screen where it asks to setup the ssl certificate:

private.pem --> Private Key
apps.mydomain.com.crt --> Public Key Certificate
gd_bundle.crt --> Certificate Chain

When I click the "continue button" I get the error "Error: Public Key Certificate and Private Key doesn't match."

-Is there a way that I can test that I'm getting a valid error message from Amazon? It seems odd to me that the keys wouldn't match when I'm following GoDaddy's instructions pretty closely.

I've tried creating the private.key file without RSA encryption prior to creating the .csr and that doesn't seem to make any difference.

I'm also assuming that the .crt files I'm downloading from GoDaddy are in .PEM format, but I'm not sure how to verify this.

Any ideas?

Answer

Jonathon Hill picture Jonathon Hill · Jan 18, 2013

For me, it was an easy two-step:

  1. Convert the private key to PEM:

    openssl rsa -in yourdomain.key -outform PEM

  2. Convert the certificate and certificate bundle to PEM:

    openssl x509 -inform PEM -in yourdomain.crt

    openssl x509 -inform PEM -in bundle.crt

Related questions

SSL installed on Apache2 but HTTPS not working

I recently installed an SSL certificate on my Amazon EC2 Ubuntu 12.04(32bit) server running Apache 2. When I attempt to access my site via https, it does not load. When I perform an nmap scan, i see that port 443 is not …

Read More
How to add SSL certificate to AWS EC2 with the help of new AWS Certificate Manager service

AWS has come up with a new service AWS Certificate Manager. One thing I got from the description is that if we are using this service we don't have to pay for the certificate anymore. They are providing certificates for …

Read More
HTTPS not working (on AWS Elastic Beanstalk based site)

The site works perfectly fine on HTTP, however, does not work on HTTPS. I've followed all the steps on this page to create a self-signed certificate and add it to my Elastic Beanstalk environment. http://docs.aws.amazon.com/elasticbeanstalk/…

Read More