SSL install problem - "key value mismatch" (but they do match?)

I also came across the same error. In my case I had to supply additional CA certificates in the verification chain. And instead of supplying the certificate and the key in separate files, I combined them in a .pem file.

However, when you do this, the order of the key and the certificate plus the intermediate one(s) is important. The correct order:

your private keyyour certificate(intermediate) CA certificate lowest in the hierarchyother CA certificates higher in the hierarchy...(intermediate) CA certificate highest in the hierarchy

I had the same issue on one of my CentOS 6.5 servers recently and it was down to when I generated the KEY and CSR.

I have three sites running on this server in virtualhosts all with dedicated IPs and each site has its own SSL Certificate.

In a rush, when changing one of the certificates, I stupidly just followed the certificate provider's guide to gaining the CSR and installing it in Apache, and I was instructed to use the following command:

openssl req -new -newkey rsa:2048 -nodes -keyout domain-name-here.key -out domain-name-here.csr

After installing the new certificate I was then also facing Apache not starting and the same errors in /var/log/httpd/ssl_error_log:

[error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch[error] Unable to configure RSA server private key

Now what I really should have done was check my .bash_history files, as I have successfully done this in CentOS many times before.

I should have run these two commands instead :

openssl genrsa -des3 -out domain-name-here.co.uk.key 2048openssl req -new -key domain-name-here.co.uk.key -out domain-name-here.co.uk.csr

This then successfully generated the CSR and KEY, and I re-applied for the certificate using the newly gained CSR, then applied the new certificate and added the new key file and finally then Apache would start cleanly.

Also, just to note, after a little configuration we now score A+ in an SSL labs test.

When reissuing my Rapid SSL certificate (purchased through Namecheap) to deal with the Heartbeat bug, the new certificate was always issued against the private key used for the previous CSR request. After about the fifth reissue, pairing that with the private key used in the fourth reissue attempt made things work fine.