Sorry to resurrect the thread here, Till.
So, I had to renew the SSL certificate for a domain.
Before sending the CSR off to the CSA, I ensured that the CSR contents in ISPConfig matched the contents on the filesystem (in /var/www/example.com/ssl/example.com.csr). Both values matched, so I requested the new certificate with that old/existing CSR (per the previous discussion in this thread).
When the new certificate came back, I attempted to follow your instructions and paste only the new .crt contents into ISPConfig's "SSL Certificate" field. When I clicked "Save Certificate", Apache refused to restart with:
[Thu Nov 08 10:44:06 2012] [error] Unable to configure RSA server private key
[Thu Nov 08 10:44:06 2012] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
[Thu Nov 08 10:44:08 2012] [error] Unable to configure RSA server private key
[Thu Nov 08 10:44:08 2012] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
So, I did some research and used the commands outlined at https://www.sslshopper.com/certificate-key-matcher.html to perform comparisons against the various certificate components.
Here is the output of the various commands against the old/existing/working certificate:
# openssl x509 -noout -modulus -in /var/www/example.com/ssl/example.com.crt | openssl md5
# openssl rsa -noout -modulus -in /var/www/example.com/ssl/example.com.key | openssl md5
# openssl req -noout -modulus -in /var/www/example.com/ssl/example.com.csr | openssl md5
Is the last hash, for the CSR, supposed to match the hash for the certificate and the key? In other words, does the above output indicate that this CSR was not in fact used to generate the certificate? This seems to be the case, because I pasted the new certificate into the site's ssl directory, alongside the other files, and hashed its modulus:
# openssl x509 -noout -modulus -in /var/www/example.com/ssl/example.com.new.crt | openssl md5
So, what does this tell us? That this CSR file is irrelevant, as it was not used to create the first/original certificate?
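The modulus comparison used in the post above, as an added example that is not part of the original post: a certificate, private key and CSR that belong together carry the same RSA public key, so their modulus digests are equal, and a CSR made from another key gives a different digest. The function names, the temporary files and the use of `openssl sha256` in place of `openssl md5` are assumptions of this sketch; a self-signed certificate stands in for the CA-issued one.

```shell
#!/bin/sh
# Added example: all keys, CSRs and certificates below are constructed test
# material, generated into a temporary directory.

# modulus_digest KIND FILE   (KIND: x509, rsa or req)
# Prints a SHA-256 digest of the RSA modulus. Fails when openssl cannot parse
# FILE, so an unreadable file is never hashed as empty input and "matched".
modulus_digest() {
    mod=$(openssl "$1" -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$mod" ] || return 1
    printf '%s\n' "$mod" | openssl sha256 | awk '{print $NF}'
}

# same_key KIND1 FILE1 KIND2 FILE2
# Exit 0: same modulus, 1: different modulus, 2: an input could not be read.
same_key() {
    d1=$(modulus_digest "$1" "$2") || return 2
    d2=$(modulus_digest "$3" "$4") || return 2
    [ "$d1" = "$d2" ]
}

report() {  # report LABEL KIND1 FILE1 KIND2 FILE2
    label=$1; shift; rc=0
    same_key "$@" || rc=$?
    case $rc in
        0) echo "$label: match" ;;
        1) echo "$label: MISMATCH" ;;
        *) echo "$label: unreadable input" ;;
    esac
}

work=$(mktemp -d) && trap 'rm -rf "$work"' EXIT
# Key A, a self-signed certificate for it (standing in for the issued one),
# and a CSR made from key A.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=example.com \
    -keyout "$work/a.key" -out "$work/a.crt" 2>/dev/null
openssl req -new -key "$work/a.key" -subj /CN=example.com -out "$work/a.csr" 2>/dev/null
# Key B and its CSR: a CSR that was not made from key A.
openssl req -new -newkey rsa:2048 -nodes -subj /CN=example.com \
    -keyout "$work/b.key" -out "$work/b.csr" 2>/dev/null

report "a.crt vs a.key" x509 "$work/a.crt" rsa "$work/a.key"
report "a.csr vs a.key" req "$work/a.csr" rsa "$work/a.key"
report "b.csr vs a.crt" req "$work/b.csr" x509 "$work/a.crt"
report "missing vs a.key" x509 "$work/missing.crt" rsa "$work/a.key"
```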