Troubleshooting SSL installation

You may encounter errors when installing or using your certificate. This document gives an overview of the things you can check to work out what is wrong.

From experience, most problems arise because not all root and intermediate certificates were installed. After that, a mismatch between the private key and the certificate is the most common issue.


Certificate is not trusted

After installing your certificate, you check the website and are presented with an SSL error: the certificate is not trusted! This means that the server is not presenting a full chain of trust for the certificate. Please use the full root and intermediate certificates when installing the certificate; these can be found in this knowledgebase article.

You can check your installation on this website. We use it often, as it has a lot of checks that can give you plenty of information about your server's security.

Or use the tool from Sectigo when you are using a Comodo certificate.


Private key and certificate do not match

When installing your certificate, you are presented with a warning that the private key and the certificate do not match. This means that somewhere between generating the CSR, requesting the certificate and the certificate being delivered, your CSR got changed. This often happens when multiple CSRs are created and people lose track of which one was eventually ordered, or when an old CSR is used that does not actually belong to the certificate.

To check whether your certificate and private key belong to each other, you can run these commands on a Linux machine and compare the values:

openssl rsa -noout -modulus -in privateKey.key | openssl md5
openssl req -noout -modulus -in CSR.csr | openssl md5
openssl x509 -noout -modulus -in certificate.crt | openssl md5

From this you will get MD5 values. If they are all the same, then the files belong to each other.

If you get a mismatch, you will need to start a reissue for your certificate using a new CSR and private key pair.
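
The modulus comparison above applies to RSA keys only. As an added example (not part of the original article), the script below compares the public key embedded in each file instead, which also covers EC keys. The function names and the throwaway files generated by make_sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the public key inside a private key, CSR and
# certificate. Function names and sample files are illustrative.

# Print the SHA-256 digest of the DER-encoded public key found in a PEM file.
# $1 = kind (key|csr|cert), $2 = path
pubkey_digest() {
    local pem
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    return 2 ;;
    esac
    # An unreadable file yields no key; fail instead of hashing empty input.
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# Return 0 only if key, CSR and certificate all carry the same public key.
check_match() {
    local k r c
    k=$(pubkey_digest key  "$1") || { echo "cannot read key: $1" >&2; return 2; }
    r=$(pubkey_digest csr  "$2") || { echo "cannot read CSR: $2" >&2; return 2; }
    c=$(pubkey_digest cert "$3") || { echo "cannot read certificate: $3" >&2; return 2; }
    printf 'key  %s\ncsr  %s\ncert %s\n' "$k" "$r" "$c"
    [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# Constructed sample input: throwaway key, CSR and self-signed certificate.
# $1 = output dir, $2 = base name, remaining args = options for -newkey
make_sample() {
    local d="$1" n="$2"; shift 2
    openssl req -new -newkey "$@" -nodes -subj "/CN=example.test" \
        -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/$n.csr" -signkey "$d/$n.key" -days 1 \
        -out "$d/$n.crt" 2>/dev/null
}

# Usage: script.sh privateKey.key CSR.csr certificate.crt
if [ "$#" -eq 3 ]; then
    check_match "$@" && echo "MATCH" || { echo "NO MATCH"; exit 1; }
fi
```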
