It might be that someone replaced the csr or key file in the filesystem or pasted a different csr into the csr field in ispconfig so that the csr and key does not belong together anymore.
That "someone" was me.
After looking through my files, I see what happened.
I created a self-signed certificate when I installed ISPConfig, via the ISPC interface, just to secure communications until I could acquire a proper certificate.
Then I generated the CSR for the proper certificate on the command-line (not through ISPConfig).
Fortunately, I kept all of the certificate components, and I was able to find the original CSR file and its modulus's MD5 hash matches that of the other certificate components.
So, it seems that I will need to have the new certificate reissued upon the correct CSR.
Thanks for your help in straightening this out, Till.