
Private Key doesn't Match Certificate

I'm having some weird issues with generating CSRs and certificates from them which I don't fully understand.

Here's what I've done:

Generate private key and CSR (done on Ubuntu on WSL if that's of any significance)

openssl req -newkey rsa:2048 -keyout PRIVATEKEY.key -out MYCSR.csr

Uploaded that to CA and got back a certificate beginning with -----BEGIN CERTIFICATE----- which would indicate a PEM-encoded certificate, right?

Tried combining all of this into a PFX for ease of use

openssl pkcs12 -export -out CERTIFICATE.pfx -inkey PRIVATEKEY.key -in CERTIFICATE.cer

It then asks for the private key and then throws the error No certificate matches private key

Some people suggested reencoding the certificate from DER to PEM, but that just throws an error indicating the certificate is already X509

sudo openssl x509 -inform DER -outform PEM -in CERTIFICATE.cer -out CERTIFICATE.pem
unable to load certificate
140390322082240:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:../crypto/asn1/tasn_dec.c:1130:
140390322082240:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:290:Type=X509

The following command generates quite sensible output, so the certificate seems to be alright to some extent

openssl x509 -in CERTIFICATE.cer -text -noout

The CA is Telia if this is of any use to anybody. I have had some issues in the past with them, for example Digicert's Certificate Utility doesn't recognize their certificates as valid for some reason (but that might of course be caused by me using the wrong file extension or something).

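This problem was caused by the renewal process in Telia's user interface: it lets you upload a new CSR during renewal, but it actually ignores it and uses the old CSR without telling you.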
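The diagnosis above (a certificate issued from the old CSR) can be confirmed by comparing the public key carried in the private key, the CSR and the certificate. This is an added example, not part of the original post; the function names, the file names and the throwaway demo CA are constructed for illustration.

```shell
#!/bin/sh
# Added example: which private key does a certificate actually belong to?

# pubkey_fp key|csr|cert FILE -> SHA-256 of the PEM public key found in FILE
pubkey_fp() {
  case "$1" in
    key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
    csr)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
    cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
    *)    return 2 ;;
  esac
  [ -n "$pem" ] || return 1   # unreadable file, wrong type or wrong passphrase
  printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# same_key KIND1 FILE1 KIND2 FILE2 -> 0 same key, 1 different, 2 unreadable
same_key() {
  a=$(pubkey_fp "$1" "$2") || return 2
  b=$(pubkey_fp "$3" "$4") || return 2
  [ "$a" = "$b" ]
}

# Constructed demo: a throwaway CA signs the OLD CSR although a new key/CSR
# pair was generated for the renewal, as described in the answer.
demo_dir=$(mktemp -d)
(
  cd "$demo_dir" || exit 1
  for n in old new; do
    openssl req -newkey rsa:2048 -nodes -keyout "$n.key" -out "$n.csr" \
      -subj "/CN=example.test"
  done
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
    -subj "/CN=Demo CA" -days 1
  openssl x509 -req -in old.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -out issued.cer -days 1
) >/dev/null 2>&1

for n in old new; do
  if same_key key "$demo_dir/$n.key" cert "$demo_dir/issued.cer"; then
    echo "$n.key matches issued.cer"
  else
    echo "$n.key does NOT match issued.cer"
  fi
done
```

With the files from the question, the same check is `same_key key PRIVATEKEY.key cert CERTIFICATE.cer` and `same_key csr MYCSR.csr cert CERTIFICATE.cer`.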
