Attempting to import a third party signed TLS certificate results in the error "No stored certificate request matches this certificate."
This message is returned when a certificate import file cannot be matched to either an existing certificate signing request (CSR), or an existing certificate in the database. This can be due to:
WARNING: All files below are examples; do not use them. Please use your own CSR and certificate.
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBzDCCATUCAQAwgYsxJDAiBgkqhkiG9w0BCQEWFWZZZZZZZZ9saXBza2lAbW9u
...
DhhzSV7ijERdjOVGvnnl09tnZLnQLNtQ9CF3bKfqnqo=
-----END NEW CERTIFICATE REQUEST-----
-----BEGIN CERTIFICATE-----
MIIFSTCCBDGgAwIBAgIQS1wGA8JSt8ZZZZZZZZZZZZZZZZZZhkiG9w0BAQUFADCB
...
193dM9rv3ACKUxtVPG4ZrrzTURrUFmFL02OirejhmO63yUHBm7GwQXQBBc2Ne7RQ
WNcaWUo+PVfA5C2Q5g==
-----END CERTIFICATE-----
openssl req -text -noout -verify -in cert.csr
openssl x509 -in cert.pem -text -noout
The import file should include two sections:
Visually, the import file should have data and section boundaries that appear as follows:
-----BEGIN CERTIFICATE-----
MIIFSTCCBDGgAwIBAgIQS1wGA8JSt8ZZZZZZZZZZZZZZZZZZhkiG9w0BAQUFADCB
...
W1Rck95aVbu24A4kXk5qDqD1z+u9zSWX6DIX/wbJhAM6DVxoziIO4ES+A/bOWy+A
193dM9rv3ACKUxtVPG4ZrrzTURrUFmFL02OirejhmO63yUHBm7GwQXQBBc2Ne7RQ
WNcaWUo+PVfA5C2Q5g==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
FSmHIRHsy1B1wkaXV3bAhRgRN0/RyshmG1CxSpmAx7VIp3HIGtNdi7BzMeUI+GjV
...
ywZ1IOnfmIk38QwzmvtyjQ8btvUWVTmZ8yEaVbf/nIdQLtoWCXrhKLbj9rHd
-----END RSA PRIVATE KEY-----
An encrypted private key has the following key boundaries:
-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----
If the private key is encrypted, you will need to use openssl to remove the password and encryption from the private key. You will be prompted for the private key password set when it was generated:
openssl rsa -in encrypted.key -out rsa.key
The resulting rsa.key is stored unencrypted, so restrict access to the file.
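The section layout and key boundaries described above can be checked before an import is attempted. This is an added example, not code from the original article or the product; the function name check_import_file and the sample data are assumptions constructed for illustration.

```python
import base64
import re

# One PEM section: BEGIN line, body, and the END line with the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)
# An END boundary immediately followed by another boundary on the same line.
FUSED = re.compile(r"(-----END [A-Z0-9 ]+-----)(?=-----(?:BEGIN|END) )")

def check_import_file(text):
    """Return a list of problems in a certificate-plus-private-key import file."""
    problems = []
    if FUSED.search(text):
        problems.append("boundary lines run together; each needs its own line")
        text = FUSED.sub(r"\1\n", text)  # split so the other checks still run
    blocks = PEM_BLOCK.findall(text)
    labels = [label for label, _ in blocks]
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE section")
    if not any(label.endswith("PRIVATE KEY") for label in labels):
        problems.append("no private key section")
    for label, body in blocks:
        # PKCS#8 encrypted keys use their own label; traditional encrypted
        # RSA keys keep the RSA label and add a Proc-Type header.
        if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            problems.append("private key is encrypted; decrypt it before import")
            continue
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append(f"{label} section is not valid base64")
    return problems

# Constructed sample data: placeholder bytes, not real certificate or key material.
_B64 = base64.b64encode(b"constructed placeholder, not real key material").decode()

def _pem(label):
    return f"-----BEGIN {label}-----\n{_B64}\n-----END {label}-----"

SAMPLE_OK = _pem("CERTIFICATE") + "\n" + _pem("RSA PRIVATE KEY") + "\n"
SAMPLE_FUSED = _pem("CERTIFICATE") + _pem("RSA PRIVATE KEY") + "\n"
SAMPLE_ENCRYPTED = _pem("CERTIFICATE") + "\n" + _pem("ENCRYPTED PRIVATE KEY") + "\n"

if __name__ == "__main__":
    for name in ("SAMPLE_OK", "SAMPLE_FUSED", "SAMPLE_ENCRYPTED"):
        print(name, check_import_file(globals()[name]) or "ok")
```

The check only inspects boundaries and encoding; it does not confirm that the private key belongs to the certificate.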