23

I have successfully generated a .p12 file, but I got a message which is as follows:

```
C:\OpenSSL-Win32\bin>openssl pkcs12 -export -inkey mykey.key -in exported.pem -out myfile.p12
Loading 'screen' into random state - done
No certificate matches private key
```

Could anyone tell me what is this error all about?

Also, the size of the file myfile.p12 is 0KB and when I tried to open it, I got the following message in a small window with OK button:

```
Invalid Public Key Security Object File

This file is invalid for use as the following: Personal Information Exchange
```

Please clarify.

Thanks

Jack
  • Do I need to choose to export to BASE64 to get it to work as per the following document? http://www.markbrilman.nl/2012/07/openssl-error-no-certificate-matches-private-key-when-creating-pfx/ – Jack Oct 23 '13 at 21:43
  • Well, I did export to BASE64 but still getting the same error. Still wondering what could be the problem. The only difference is that the certificate is exported in PEM format. Source: http://www.markbrilman.nl/2012/07/openssl-error-no-certificate-matches-private-key-when-creating-pfx/ – Jack Oct 24 '13 at 19:39

5 Answers

26

Source

OpenSSL says no certificate matches private key when the certificate is DER-encoded. Just change it to PEM encoding before creating the PKCS#12.

  1. Create key pair: `openssl genrsa -out aps_development.key 2048`

  2. Create CSR: `openssl req -new -sha256 -key aps_development.key -out aps_development.csr`

  3. Upload the CSR to developer portal to get the certificate aps_development.cer

  4. Convert the certificate: `openssl x509 -inform DER -outform PEM -in aps_development.cer -out aps_development.pem`

  5. Build the PKCS#12: `openssl pkcs12 -inkey aps_development.key -in aps_development.pem -export -out aps_development.p12`

Community
Ashish Patil
  • 1
    This works, but as soon as I add intermediate and root with more "-in" arguments it fails with "no certificate matches private key". But I need those as well. There has to be another reason for this. – Claude Martin Dec 07 '18 at 12:29
  • 13
    I found my problem: The certificates were not in the correct order. Somehow this matters and gives you the misleading message _no certificate matches private key_. – Claude Martin Dec 07 '18 at 12:46
  • 3
    Found another solution: `cat domain.crt intermediate.crt ca.crt > bundle.crt` `openssl pkcs12 -export -out cert.pfx -inkey key -in bundle.crt` – Jo_ Jan 17 '19 at 16:53
  • 1
    Perfect, thanks – Sam Mar 07 '19 at 08:06
  • 7
    Correct order/command in my case was as follows: `Openssl pkcs12 -export -out alwayson.pfx -inkey C:\ssl\private.key -in C:\ssl\ca_bundle.crt -in C:\ssl\certificate.crt` So, intermediates and bundles before the certificate it seems. – Mikael Dyreborg Hansen Jun 12 '19 at 08:48
  • Same as Mikael Dyreborg Hansen : I needed to put intermediate CA before the certificate – JBLaf May 20 '20 at 17:39
  • 1
    Man, this makes the whole process totally simple. Does not even need a MAC to do that! awesome answer. If I could I would reward you with 500 reps. – Paulo Roberto Rosa Dec 02 '20 at 19:02
18

I also had exactly the same issue. The two commands below worked like a charm.

```
cat domain.crt intermediate.crt ca.crt > bundle.crt
openssl pkcs12 -export -out cert.pfx -inkey key -in bundle.crt
```
Alexandra Dudkina
vaibhav singhal
  • +1 This is the solution that worked for me, the ones above did not. I presume it has something to do with the files being extracted from a zip file on Windows, but then running openssl from WSL (Ubuntu). – Paul Dec 23 '20 at 15:56
  • What if you don't have an intermediate certificate? Will it work? – jpganz18 Jan 27 '21 at 13:54
  • This solution worked for me after downloading crt's and key from zerossl – user890332 Jul 24 '23 at 00:23
6

In my case, I'd actually specified the wrong certificate -- i.e. the certificate was for one system, and the private key for another. So the error message was spot-on!

Happyblue
0

Use these commands to compare the RSA Public-Key component of your CSR to that of the private key.

Key: `openssl pkey -text_pub -in file.key -noout`

CSR: `openssl req -in file.csr -noout -text`

These must match for 'openssl pkcs12' to create the export file.
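
A pre-flight check for the two causes reported in the answers above (a DER-encoded certificate, or a certificate issued for a different key), added here as an example and not taken from any of the posts. The function names and sample file names are this example's own; it assumes `openssl` is on the PATH and the private key is not passphrase-protected.

```shell
#!/bin/sh
# Added example: pre-flight check to run before `openssl pkcs12 -export`.
# Function and file names here are this example's own, not OpenSSL's.

# Print PEM or DER for a certificate file; return 1 if it is neither.
cert_encoding() {
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo PEM
    elif openssl x509 -in "$1" -inform DER -noout 2>/dev/null; then
        echo DER
    else
        return 1
    fi
}

# Print one verdict for a key/certificate pair:
#   ok | convert-der | mismatch | unreadable
pkcs12_preflight() {
    key=$1; cert=$2
    form=$(cert_encoding "$cert") || { echo unreadable; return 0; }
    # Both commands emit the public key as a PEM SubjectPublicKeyInfo block.
    cert_pub=$(openssl x509 -in "$cert" -inform "$form" -pubkey -noout 2>/dev/null) \
        || { echo unreadable; return 0; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
        || { echo unreadable; return 0; }
    if [ "$cert_pub" != "$key_pub" ]; then
        echo mismatch       # certificate was issued for a different key
    elif [ "$form" = DER ]; then
        echo convert-der    # right certificate, but convert it to PEM first
    else
        echo ok
    fi
}

# Constructed sample material written into directory $1: a throwaway key,
# its self-signed certificate in PEM and DER, and an unrelated key.
make_samples() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=example.test" \
        -days 1 -keyout "$1/my.key" -out "$1/my.pem" 2>/dev/null &&
    openssl x509 -in "$1/my.pem" -outform DER -out "$1/my.cer" &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

# Command-line use: sh preflight.sh mykey.key exported.pem
if [ "$#" -eq 2 ]; then
    pkcs12_preflight "$1" "$2"
fi
```

A `convert-der` verdict means the pair is correct and only the conversion from step 4 of the first answer is missing; `mismatch` means no re-encoding will help.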

0

In my case the problem was solved by changing the access permissions and the special mode flags of the files (`chmod 644` worked - before I didn't have 'read' permissions for the Group and Other classes).

jolyB