20

I have successfully generated a .p12 file, but I got a message which is as follows:

```
C:\OpenSSL-Win32\bin>openssl pkcs12 -export -inkey mykey.key -in exported.pem -out myfile.p12
Loading 'screen' into random state - done
No certificate matches private key
```

Could anyone tell me what this error is all about?

Also, the size of the file myfile.p12 is 0KB and when I tried to open it, I got the following message in a small window with an OK button:

```
Invalid Public Key Security Object File

This file is invalid for use as the following: Personal Information Exchange
```

Please clarify.

Thanks

Jack
  • Do I need to choose to export to BASE64 to get it to work as per the following document? http://www.markbrilman.nl/2012/07/openssl-error-no-certificate-matches-private-key-when-creating-pfx/ – Jack Oct 23 '13 at 21:43
  • Well, I did export to BASE64 but still getting the same error. Still wondering what could be the problem. The only difference is that the certificate is exported in PEM format. Source: http://www.markbrilman.nl/2012/07/openssl-error-no-certificate-matches-private-key-when-creating-pfx/ – Jack Oct 24 '13 at 19:39

3 Answers

22

Source

OpenSSL says no certificate matches private key when the certificate is DER-encoded. Just change it to PEM encoding before creating the PKCS#12.

  1. Create key pair: `openssl genrsa -out aps_development.key 2048`

  2. Create CSR: `openssl req -new -sha256 -key aps_development.key -out aps_development.csr`

  3. Upload the CSR to developer portal to get the certificate aps_development.cer

  4. Convert the certificate: `openssl x509 -inform DER -outform PEM -in aps_development.cer -out aps_development.pem`

  5. Build the PKCS#12: `openssl pkcs12 -inkey aps_development.key -in aps_development.pem -export -out aps_development.p12`

Community
Ashish Patil
  • 1
    This works, but as soon as I add intermediate and root with more "-in" arguments it fails with "no certificate matches private key". But I need those as well. There has to be another reason for this. – Claude Martin Dec 07 '18 at 12:29
  • 9
    I found my problem: The certificates were not in the correct order. Somehow this matters and gives you the misleading message _no certificate matches private key_. – Claude Martin Dec 07 '18 at 12:46
  • 2
    Found another solution: `cat domain.crt intermediate.crt ca.crt > bundle.crt` `openssl pkcs12 -export -out cert.pfx -inkey key -in bundle.crt` – Jo_ Jan 17 '19 at 16:53
  • 1
    Perfect, thanks – M.Arjmandi Mar 07 '19 at 08:06
  • 3
    Correct order/command in my case was as follows: Openssl pkcs12 -export -out alwayson.pfx -inkey C:\ssl\private.key -in C:\ssl\ca_bundle.crt -in C:\ssl\certificate.crt So, intermediates and bundles before the certificate it seems. – Mikael Dyreborg Hansen Jun 12 '19 at 08:48
  • Same as Mikael Dyreborg Hansen : I needed to put intermediate CA before the certificate – JBLaf May 20 '20 at 17:39
  • 1
    Man, this makes the whole process totally simple. Does not even need a MAC to do that! awesome answer. If I could I would reward you with 500 reps. – Paulo Roberto Rosa Dec 02 '20 at 19:02
12

I also had exactly the same issue. The two commands below worked like a charm.

```
cat domain.crt intermediate.crt ca.crt > bundle.crt
openssl pkcs12 -export -out cert.pfx -inkey key -in bundle.crt
```
Alexandra Dudkina
vaibhav singhal
  • +1 This is the solution that worked for me, the ones above did not. I presume it has something to do with the files being extracted from a zip file on Windows, but then running openssl from WSL (Ubuntu). – Paul Dec 23 '20 at 15:56
  • What if you don't have an intermediate certificate? Will it work? – jpganz18 Jan 27 '21 at 13:54
4

In my case, I'd actually specified the wrong certificate -- i.e. the certificate was for one system, and the private key for another. So the error message was spot-on!

Happyblue
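A pre-flight check covering the causes named in the answers above (a DER-encoded certificate, a certificate issued for a different key, a bundle that may or may not contain the right certificate). This is an added example, not code from any of the posts; the function names are hypothetical, and it assumes an unencrypted private key and the `openssl` command on the PATH.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Assumes an unencrypted private key and the openssl CLI on PATH.

# PEM files carry a text armor line; anything else is treated as DER.
cert_format() {
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then echo PEM; else echo DER; fi
}

# Public key derived from private key file $1, as PEM text.
key_pub() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# Public key of the single PEM certificate in file $1, as PEM text.
cert_pub() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl pkey -pubin -pubout 2>/dev/null
}

# Print the 1-based position of the certificate in $2 (DER file, PEM file or
# PEM bundle) whose public key belongs to private key $1; print 0 if none does.
matching_cert() (
    want=$(key_pub "$1") || want=
    [ -n "$want" ] || { echo "cannot read private key $1" >&2; exit 2; }
    tmp=$(mktemp -d) || exit 2
    if [ "$(cert_format "$2")" = DER ]; then
        # DER holds exactly one certificate; convert it so the loop can read it.
        openssl x509 -inform DER -in "$2" -out "$tmp/cert1.pem" 2>/dev/null || true
    else
        # Split the bundle into one file per certificate, in file order.
        awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
                         n { print > (d "/cert" n ".pem") }' "$2"
    fi
    n=0 hit=0
    while [ -f "$tmp/cert$((n + 1)).pem" ]; do
        n=$((n + 1))
        # An unreadable certificate yields an empty string, which never equals $want.
        if [ "$(cert_pub "$tmp/cert$n.pem")" = "$want" ]; then hit=$n; break; fi
    done
    rm -rf "$tmp"
    echo "$hit"
)

# Usage with the question's file names:
#   cert_format exported.pem            # DER means convert to PEM first
#   matching_cert mykey.key exported.pem   # 0 means no certificate fits this key
```

A result of 0 on a PEM input means the certificate was issued for a different key, which is the case described in the last answer; no re-encoding or reordering will fix that.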