Error: "No stored certificate request matches this certificate" when installing a SSL/TLS certificate in Messaging Gateway

Article ID: 152732

Products

Messaging Gateway

Issue/Introduction

Attempting to import a third party signed TLS certificate results in the error "No stored certificate request matches this certificate."

Cause

This message is returned when a certificate import file cannot be matched to either an existing certificate signing request (CSR), or an existing certificate in the database. This can be due to:

  • The certificate file is in the wrong format (e.g. pk7 formatted rather than the required x509 format)
  • The import file does not include both the certificate and a matching private key
  • A wildcard certificate has no associated CSR or private key in the SMG Control Center
  • The import file contains an encrypted private key

Resolution

Ensuring that the Signed Certificate Matches the Certificate Signing Request

WARNING: All files below are examples; do not use them. Please use your own CSR and certificate.

    1. Ensure you have the actual CSR file from the appliance. The CSR is only displayed when the request is created and must be saved locally after creation.
      Example CSR:

      -----BEGIN NEW CERTIFICATE REQUEST-----
      MIIBzDCCATUCAQAwgYsxJDAiBgkqhkiG9w0BCQEWFWZZZZZZZZ9saXBza2lAbW9u
      ...
      DhhzSV7ijERdjOVGvnnl09tnZLnQLNtQ9CF3bKfqnqo=
      -----END NEW CERTIFICATE REQUEST-----

       
    2. Ensure you have the certificate file generated by the CA from the CSR in step 1:
      Example x509/PEM certificate:
      -----BEGIN CERTIFICATE-----
      MIIFSTCCBDGgAwIBAgIQS1wGA8JSt8ZZZZZZZZZZZZZZZZZZhkiG9w0BAQUFADCB
      ...
      193dM9rv3ACKUxtVPG4ZrrzTURrUFmFL02OirejhmO63yUHBm7GwQXQBBc2Ne7RQ
      WNcaWUo+PVfA5C2Q5g==
      -----END CERTIFICATE-----

       
    3. Use the following openssl command to display the contents of the CSR, where "cert.csr" is your CSR file:

      openssl req -text -noout -verify -in cert.csr
       
    4. Use the following openssl command to display the contents of the certificate, where "cert.pem" is your certificate file:

      openssl x509 -in cert.pem -text -noout
       
    5. Compare the sections called "Modulus" and "Exponent" in both the CSR and certificate file; they should be identical. If they are not, the certificate may have been created from a different CSR.
    6. Review the "Subject" section in both the CSR and certificate. Verify the information matches.

Ensuring that the Import File Includes Both Certificate and Key

The import file should include two sections: 

    • The base64 encoded certificate data
    • The base64 encoded RSA private key data

Visually, the import file should have data and section boundaries that appear as follows:

-----BEGIN CERTIFICATE-----
MIIFSTCCBDGgAwIBAgIQS1wGA8JSt8ZZZZZZZZZZZZZZZZZZhkiG9w0BAQUFADCB
...
W1Rck95aVbu24A4kXk5qDqD1z+u9zSWX6DIX/wbJhAM6DVxoziIO4ES+A/bOWy+A
193dM9rv3ACKUxtVPG4ZrrzTURrUFmFL02OirejhmO63yUHBm7GwQXQBBc2Ne7RQ
WNcaWUo+PVfA5C2Q5g==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
FSmHIRHsy1B1wkaXV3bAhRgRN0/RyshmG1CxSpmAx7VIp3HIGtNdi7BzMeUI+GjV
...
ywZ1IOnfmIk38QwzmvtyjQ8btvUWVTmZ8yEaVbf/nIdQLtoWCXrhKLbj9rHd
-----END RSA PRIVATE KEY-----

Ensuring that the Private Key is not Encrypted

An encrypted private key has the following key boundaries:

-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----

If the private key is encrypted, you will need to use openssl to remove the password and encryption from the private key. You will be prompted for the private key password that was set when the key was generated:

openssl rsa -in encrypted.key -out rsa.key
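
The checks above can be run as one pre-flight before importing. This is an added example, not part of the original article or the product: it tests the import file's PEM boundaries against the listed causes, then compares the public key (modulus and exponent together) of the CSR, certificate and private key. The function names and verdict strings are hypothetical, and it assumes an RSA key and openssl on the PATH.

```sh
#!/bin/sh
# Added example (not vendor code): pre-flight checks for an SMG import file.
# File names are supplied by the caller; verdict strings are made up here.

# Classify the import file by its PEM boundaries; prints one verdict word.
check_import_file() {
    if grep -q -e '-----BEGIN PKCS7-----' "$1"; then
        echo "wrong-format"; return 1          # pk7 bundle, not x509/PEM
    fi
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then
        echo "no-certificate"; return 1
    fi
    # PKCS#8 encrypted boundary, or a traditional key carrying an
    # encryption header (Proc-Type: 4,ENCRYPTED).
    if grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' \
               -e '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo "encrypted-key"; return 1
    fi
    # The article shows RSA PRIVATE KEY boundaries; anything else is flagged.
    if ! grep -q -e '-----BEGIN RSA PRIVATE KEY-----' "$1"; then
        echo "no-rsa-private-key"; return 1
    fi
    echo "ok"
}

# Print the public key (modulus and exponent together) of a CSR, cert or key.
pubkey_of() {
    case $1 in
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        key)  openssl rsa  -in "$2" -pubout ;;
    esac 2>/dev/null
}

# preflight CSR IMPORT_FILE: boundary check, then compare the three public keys.
preflight() {
    verdict=$(check_import_file "$2") || { echo "$verdict"; return 1; }
    c=$(pubkey_of csr "$1") && x=$(pubkey_of cert "$2") &&
        k=$(pubkey_of key "$2") || { echo "unreadable"; return 1; }
    [ "$c" = "$x" ] || { echo "csr-cert-mismatch"; return 1; }
    [ "$x" = "$k" ] || { echo "cert-key-mismatch"; return 1; }
    echo "ok"
}
```

After sourcing the file, `preflight cert.csr import.pem` prints `ok` only when the import file holds an x509/PEM certificate plus an unencrypted RSA key and both match the CSR.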

Additional Information

Search keywords: Certificate Authority, Certificate, Import, Failed