
I'm trying to install a GoDaddy SSL certificate on a new load balancer I'm setting up on Amazon AWS. I originally created the certificate at GoDaddy using the keytool program for direct installation on a Glassfish 3.1 server (Amazon Linux AMI). I had no problems getting that set up directly on the server. I now need to move the certificate from the web server to the new load balancer. Amazon requires the private key and certs to be in PEM format, so I used the "rekey" tool at GoDaddy to create new certs. When I load those in the load balancer setup screen on the AWS Mgmt Console, I get the error message: "Public Key Certificate and Private Key doesn't match."

Here is how I'm creating the keys:

    $ openssl genrsa -des3 -out private.key 2048
    $ openssl req -new -key private.key -out apps.mydomain.com.csr

I then submit the .csr file to GoDaddy during the "rekey" process. Once the rekey is complete, I download the 2 newly created certs (apps.mydomain.com.crt & gd_bundle.crt). I download them selecting (Apache) as the type of server (I've also tried "other" and "Cpanel" but they all look to be the same).

At this point, I remove the encryption from the private.key file by using the following command:

    $ openssl rsa -in private.key -out private.pem

At this point, I go back into the AWS Mgmt console, create the load balancer, add the secure server redirect and put the contents of the following files in the respective fields on the screen where it asks to set up the SSL certificate:

private.pem --> Private Key
apps.mydomain.com.crt --> Public Key Certificate
gd_bundle.crt --> Certificate Chain

When I click the "continue button" I get the error "Error: Public Key Certificate and Private Key doesn't match."

Is there a way that I can test that I'm getting a valid error message from Amazon? It seems odd to me that the keys wouldn't match when I'm following GoDaddy's instructions pretty closely.

I've tried creating the private.key file without RSA encryption prior to creating the .csr and that doesn't seem to make any difference.

I'm also assuming that the .crt files I'm downloading from GoDaddy are in .PEM format, but I'm not sure how to verify this.

Any ideas?

Felby

  • Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See [What topics can I ask about here](http://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Super User](http://superuser.com/) would be a better place to ask. Also see [Where do I post questions about Dev Ops?](http://meta.stackexchange.com/q/134306). – jww Jun 01 '15 at 22:08

6 Answers


For me, it was an easy two-step:

  1. Convert the private key to PEM:

    openssl rsa -in yourdomain.key -outform PEM

  2. Convert the certificate and certificate bundle to PEM:

    openssl x509 -inform PEM -in yourdomain.crt

    openssl x509 -inform PEM -in bundle.crt

Jonathon Hill
    This particular answer really helped me. Thanks Jonathan. For the record, yourdomain.crt is the public key, the certificate that you got from your provider, (could be a .cer too) – user_v Jun 11 '13 at 14:47
  • i keep getting an error `WARNING: can't open config file: /etc/pki/tls/openssl.cnf` – t q Mar 25 '14 at 00:51
  • @tq - some OpenSSL commands take a `-config` option, too. Use it to specify the path to the config file you are using. – jww Jun 01 '15 at 02:38
  • @felby Should mark this one as the accepted answer. This is the only answer that does not create an SSL trust issue with iOS devices. – Noel Baron Jul 11 '15 at 11:26
  • This answer really helpful with wildcard SSL. You have to convert both domain.crt and gd_bundle.crt file. – Ducle Apr 07 '16 at 13:04

Just for the record and anyone else who is trying to figure it out:

yourdomain.key -> terminal command: sudo openssl rsa -in yourdomain.key -outform PEM -out yourdomain.pem -> private key

yourdomain.crt -> public key

gd_bundle.crt -> certificate chain

and you're good to go :)

Chris J
  • OMG, I lost so many hours with problem, you just saved me! I purchased a RapidSSL certificate: the trick was to 1) convert the private key like you suggest here and 2) reverse the order of the certificates in the certificate chain provided by RapidSSL. Thanks! – MiniQuark Jan 19 '14 at 23:36
  • keeps asking me for a password but my rapidssl cert was made without one – t q Mar 24 '14 at 18:42
  • The sudo command will ask for an admin password, unless your account is set up to not require a password via a few different methods. Is that the password you're referring to? – Chris J Mar 26 '14 at 00:00
  • To add something where it may get found by someone who needs it, we got a Host Gator certificate from a client, and it seemed fairly nicely set up - no pem conversions, and the CA bundle was already concatenated together. However, wouldn't go into Amazon. It was the same thing with the order of certs in the bundle. By reversing the order, it went in and worked. – CargoMeister Mar 20 '15 at 16:48
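The question asks how to test locally whether the key and certificate really match, and the comments above add that the bundle order matters. Both checks can be scripted with the openssl CLI; the following is an added example, not code from this thread, and it builds its own throwaway root, intermediate and leaf (constructed CN values and file names) so it runs offline.

```shell
# Added example, not code from the thread: pre-flight checks for an ELB
# certificate set (unencrypted private key, leaf certificate, chain bundle),
# run locally before anything is pasted into the console. Needs only openssl.

# PEM public key derived from a private key file (empty output if it fails to parse).
key_pub() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# PEM public key extracted from a certificate, in the same encoding as key_pub.
cert_pub() { openssl x509 -in "$1" -pubkey -noout 2>/dev/null; }

# 0 when key and certificate carry the same public key. A file damaged in transit
# (clipboard, truncation) no longer parses, so it fails here rather than at AWS.
key_matches_cert() {
    k=$(key_pub "$1"); c=$(cert_pub "$2")
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# 0 when the first certificate in the bundle is the issuer of the leaf, i.e.
# the bundle runs from the intermediate that signed the leaf up to the root.
chain_order_ok() {
    issuer=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null | cut -d= -f2-)
    first=$(awk '/BEGIN CERT/{n++} n==1' "$2" |
        openssl x509 -noout -subject 2>/dev/null | cut -d= -f2-)
    [ -n "$first" ] && [ "$issuer" = "$first" ]
}

# Constructed throwaway PKI (root -> intermediate -> leaf) written into directory $1
# so the checks can be exercised offline; the CA-issued .crt and gd_bundle.crt
# files take its place in real use.
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=DemoRoot \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=DemoIntermediate \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -set_serial 1 -out "$d/int.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=apps.example.com \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
        -set_serial 2 -out "$d/leaf.crt" 2>/dev/null
    cat "$d/int.crt" "$d/root.crt" > "$d/bundle_ok.crt"        # order ELB expects
    cat "$d/root.crt" "$d/int.crt" > "$d/bundle_reversed.crt"  # the common mistake
}
```

Against real files, run `key_matches_cert private.pem apps.mydomain.com.crt && chain_order_ok apps.mydomain.com.crt gd_bundle.crt` and only paste into the console when both succeed.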

Looks like the issue was the way in which I was copying the contents of the key and certs into the AWS Management console. I was using an Ubuntu desktop running in VirtualBox on a Windows 7 desktop, copying and pasting the values from a gedit screen into the browser running on the Windows box. Once I opened the key and cert files on the same box as the web browser (Windows in this case) the certs went through just fine. I'm guessing some parts of the file aren't making it over correctly when using the shared clipboard between VirtualBox client and host. Case closed.

Felby

We found an alternate solution to this problem. We were having the same symptoms with the same error.

Then we tried reentering the pem codes one more time, but this time we made sure to hit enter one time and make sure the cursor was on a blank line at the end of each window. Then we saved it. IT WORKED.

This solved our problem, so it might solve it for others.

PlateSpinner

One little gotcha. I'm using a Windows box (Win 7 Pro) and when I used the Windows port of OpenSSL, the output files had Unix style end-of-line characters (LF).

I had to convert the file to Windows style (CRLF) for the uploading of the private key.

Christopher Stevenson

I can suggest an alternative solution and some information to you folks. Generally all certificates are in PEM file format. You can just open Notepad or any text editor and drag in the files which you received in .crt format, which is normally called a .PEM file. If the certificate is loaded in your keytool you can export the certificate as a pfx file from keytool. Then you can separate the private key from the pfx file, because the pfx file is the combination of your certificate and the private key. So you can get the private key file separately and use it on your Amazon AWS.

I suspect there may be another way to install the certificate. Maybe you can contact the certificate authority and ask whether there is any way to get your certificate reissued.

Rajan