Openssl error “No certificate matches private key” when creating .PFX

9 Jul

I got this error trying to generate a .pfx file from a newly received certificate. The error scared me a little cause I was absolutely sure I tried to match the correct private key with the certificate.

Where it went wrong in this case was the export of the .cer file. I received a .p7b file from Verisign which contains my certificate plus the Verisign Root and Sub certs. From the .p7b file I chose to export my certificate

Now when you chose to export to DER format you will get your No Certificate Matches Private Key error. You need to chose to export to BASE64 to get it to work.

Chosing the right format will solve this problem and you can bundle your private key and public key in a .pfx file. Alternatively you can use OpenSSL to convert your DER certificate to an x509 certificate with the following command

openssl x509 -inform der -in MYCERT.cer -out MYCERT.pem

Then you can use the .pem file to create the .pfx

openssl pkcs12 -export -in cert.cer -inkey privkey.pem -out mycert.pfx

Good luck!


  • Heiko, is saying:

    Thank you! I had the same problem. Your solution works like a charm.

    Reply this message
  • Ryan, is saying:

    Worked for me too. Thank you very much.

    Reply this message
  • Adarsh, is saying:

    This solution doesn’t seem to work for me at all. Getting the same error.

    Reply this message
    • mark, is saying:

      Hi Ardash,

      Thanks for your reply. The error can ofcourse have multiple causes. The private key cannot match because of a format error like I described in this article. Or just that the private key does not correspond to the supplied public key.

      If you like I can have look at your certs if you send them to support (@) markbrilman (.) nl . But I do need both the private key and the public key. I can imagine it’s not option to send them.

      With kind regards,


      Reply this message
  • eoin, is saying:

    Hi ,

    I have the same message/error when I attempt to create a PKS files to import into IIS.
    I have export the key and signed cert and convert into PEM and run the same command that you use OpenSSL and I get this error when the CSR is signed with a Win 2008 CA but not when the CSR is signed with a Win 2012 CA.

    I have tried several attempts to figure out why, have you come across this ?

    Reply this message
  • Julio, is saying:

    It works!! Thank you!!

    Reply this message
  • Staffan, is saying:

    THANK YOU!!!!!!
    That made my week.

    Reply this message

Leave a Reply