> From: owner-openssl-us...@openssl.org On Behalf Of Goulet, Brian
> Sent: Friday, 25 January, 2013 15:53

> I'm trying to create an SSL certificate for <snipped>
> and keep getting the error "No certificate matches private key".
> These are the steps I have taken:
> 1. Generate the private key and CSR with the command
> openssl req -newkey rsa:2048 -subj "/C=XX/O=XX/OU=XX/OU=XX/OU=XX/CN=mydevice"
> -keyout mykey.pem -out req.pem -nodes -config openssl.cnf
> 2. Sent the req.pem file in an email to the CA. The body
> of the email gave region, org, device serial, contact info, etc.
> 3. The CA returned device.P7b, intermediate.P7b, and root.P7b
> certificate files
> 4. Using a text editor I opened the received cert files and
> copied all of their contents into a single All-certs.pem file.
> They were placed in the proper device/intermediate/root order with
> the correct delimiters around them.

"Correct" means dashes BEGIN/END CERTIFICATE, NOT BEGIN/END PKCS7?
It is confusing for the CA to give you files named *.p7b which are actually
certs and not PKCS7, a related but different structure, when the main point
of the p7b structure is that you can transmit the whole chain in a single
file/PDU; but as long as the contents are actually the certs that's good,
and if the x509 operation below reads without error at least one must be
(a cert). And all the delimiter lines are complete lines, right? With some
editors, especially on Windows, that's easy to get wrong.

> 5. Both All-certs.pem and mykey.pem files are located in
> the bin folder with the openSSL executable
> 6. I executed the command pkcs12 -export -in All-certs.pem
> -inkey mykey.pem -out All-certs.p12 -clcerts

*Command* pkcs12, not program openssl with *argument* pkcs12? Did you (or
someone) nonstandardly build the command-line aka utility operations, in the
apps directory, as "not MONOLITH"? Above you said "the openSSL executable" as
if there is only one. Or do you have an alias or script or some such named
pkcs12 that actually runs program openssl with argument pkcs12?

-clcerts only affects pkcs12 import; it is ignored for export.

Personally I wouldn't name that output file All-certs.p12, but that's just
taste, not an error.

> 7. I receive the error "No certificate matches private key"
> I know that openSSL is seeing the files because I get "no such file
> or directory" errors when they are not in the bin folder
> I have also verified the files are a matching set by comparing their
> hashes with the following commands
> x509 -noout -modulus -in All-certs.pem | openssl md5
> rsa -noout -modulus -in mykey.pem | openssl md5

Again, command x509 or rsa, not program openssl with that argument?

But substantively you're right; the sequence you did should work.
I would check a little more completely:

openssl rsa -in mykey.pem -pubout -out temp1
openssl req -in req.pem -noout -pubkey -out temp2
openssl x509 -in All-certs.pem -noout -pubkey -out temp3
# or -in device.p7b which apparently isn't truly p7b

*The whole* of temp1, temp2 and temp3 should be identical. Assuming they
match, I don't see any choice better than debugging in EVP_PKEY_cmp, and
below, to see what's going wrong.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
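Added example, not part of the thread above: a shell script that builds a throwaway matching key/CSR/certificate set, runs the three-way public-key comparison the reply recommends (whole PEM output compared byte for byte, not an MD5 of the modulus), checks whether a PEM file really holds a bare certificate or a PKCS#7 bundle, and then tries the pkcs12 export both with the right key and with an unrelated key so the "No certificate matches private key" failure can be reproduced deliberately. The self-signed certificate standing in for the CA-issued one, all file names, the CN and the PKCS#12 passphrase are constructed for this demo; it goes a little beyond the reply by showing the mismatch case as well as the match.

```shell
#!/bin/sh
# Added example, not from the original thread. Reproduces the key/CSR/cert
# checks discussed above on a throwaway, self-signed set so it runs offline.
# Every file name, the CN and the PKCS#12 passphrase are constructed here.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Matching set: private key + CSR (as in step 1 of the thread), plus a
# self-signed cert standing in for the CA-issued device cert (constructed).
make_matching_set() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=mydevice" \
        -keyout "$WORK/mykey.pem" -out "$WORK/req.pem" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/req.pem" \
        -signkey "$WORK/mykey.pem" -out "$WORK/cert.pem" 2>/dev/null
}

# An unrelated key, used to show what a genuine mismatch looks like.
make_wrong_key() {
    openssl genrsa -out "$WORK/wrongkey.pem" 2048 2>/dev/null
}

# Say whether a PEM file is a bare certificate or a PKCS#7 bundle, i.e. the
# ".p7b that is really a cert" question raised in the thread.
pem_kind() {
    if grep -q '^-----BEGIN PKCS7-----' "$1"; then
        echo PKCS7
    elif grep -q '^-----BEGIN CERTIFICATE-----' "$1"; then
        echo CERTIFICATE
    else
        echo UNKNOWN
    fi
}

# The reply's fuller check: pull the SubjectPublicKeyInfo out of the key,
# the CSR and the cert, and compare the whole PEM output byte for byte.
# Returns 0 when all three agree, non-zero otherwise.
keys_match() {
    key="$1"; csr="$2"; crt="$3"
    openssl rsa -in "$key" -pubout -out "$WORK/pub_key.pem" 2>/dev/null
    openssl req -in "$csr" -noout -pubkey -out "$WORK/pub_csr.pem"
    openssl x509 -in "$crt" -noout -pubkey -out "$WORK/pub_crt.pem"
    cmp -s "$WORK/pub_key.pem" "$WORK/pub_csr.pem" &&
        cmp -s "$WORK/pub_key.pem" "$WORK/pub_crt.pem"
}

# The step that failed in the thread (step 6). With a key that does not
# belong to cert.pem, openssl reports "No certificate matches private key"
# and this returns non-zero; with the right key the .p12 is written.
export_p12() {
    openssl pkcs12 -export -in "$WORK/cert.pem" -inkey "$1" \
        -out "$WORK/out.p12" -passout pass:constructed-demo 2>/dev/null
}

# Stand-alone run: build the files, then show one match and one mismatch.
make_matching_set
make_wrong_key
echo "cert.pem holds: $(pem_kind "$WORK/cert.pem")"
if keys_match "$WORK/mykey.pem" "$WORK/req.pem" "$WORK/cert.pem"; then
    echo "mykey.pem: key, CSR and cert public keys agree"
fi
if ! keys_match "$WORK/wrongkey.pem" "$WORK/req.pem" "$WORK/cert.pem"; then
    echo "wrongkey.pem: public keys differ (as expected)"
fi
export_p12 "$WORK/mykey.pem" && echo "pkcs12 export with mykey.pem: ok"
export_p12 "$WORK/wrongkey.pem" || \
    echo "pkcs12 export with wrongkey.pem: failed (as expected)"
```

If the three-way comparison passes but the export still fails on your real files, the files you are feeding to pkcs12 are not the ones you compared (wrong path, wrong working directory, or a delimiter line broken by the editor), which is exactly the situation the reply is probing with its questions about "command pkcs12" versus "openssl pkcs12".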