Problem description

After you upload an HTTPS certificate to the Anti-DDoS Pro console, Anti-DDoS Premium console, or WAF console, the message The certificate and the private key do not match. is returned.

Cause and solution

Possible cause Solution
The uploaded certificate and private key do not match in content. Check whether the MD5 values of the certificate file and the private key file are the same. If the MD5 values are different, the certificate file and the private key file are associated with different domain names.
You can run the following commands to view the MD5 values of the certificate file and private key file:
openssl x509 -noout -modulus -in <Content of the certificate file>|openssl md5 
openssl rsa -noout -modulus -in  <Content of the private key file>|openssl md5

If the uploaded certificate and private key do not match in content, we recommend that you upload the correct certificate file and private key file.

The Rivest-Shamir-Adleman (RSA) private key is in an invalid format. Generate a private key and upload the new private key.
You can run the following command to generate a new private key:
openssl rsa -in <Content of the original private key file> -out <Content of the new private key file>

Fix the certificate chain

When you purchase an SSL certificate, the certificate service provider offers you a complete certificate chain. The certificate chain includes an intermediate certificate and a domain name certificate. If no intermediate certificates are provided, we recommend that you use a tool to fix the certificate chain.

You can run the following command on your server to check the integrity of the certificate chain:
openssl s_client -connect <server ip>:443 -servername <domain name>
Variables:
  • <server ip>: Set the value to the IP address of your server.
  • <domain name>: Set the value to the domain name of the website.
Note You can run the preceding command on your server regardless of whether the website is added.
If the Certificate chain section in the returned result includes the domain name certificate and the intermediate Certificate Authority (CA) certificate, the certificate chain is complete. Section 1 shows a domain name certificate, and Section 2 shows an intermediate CA certificate. Certificate chainIf the returned result displays only the domain name certificate, the certificate chain is incomplete. In this case, we recommend that you use a tool to fix the certificate chain. For example, you can use the tool provided at myssl.com to download the complete certificate chain. Then, you can replace your certificate with the certificate chain that you downloaded.
The following figure shows the content format of the certificate file. Section 1 shows a domain name certificate, and Section 2 shows an intermediate certificate.
Notice The certificate content cannot contain spaces or carriage return characters.
Certificate file format