Combining key and certificate into a pkcs12 file


I am using keytool to manage my keystore file. Since it does not provide an import functionality for private keys, I need to first combine the private key together with the certificate in a pkcs12 file. I am using openssl to do this. However, this fails with the following message: “No certificate matches private key”. Based on my Internet research it must have to do with the encoding of the certificate. Openssl works with base64 encoded certificates. But it seems that the certificates are base64 encoded. Now I would be glad for some hints.
By the way, it would be a nice feature to get a pkcs12 file directly together with the private key and certificate.


You should be able to run

openssl pkcs12 -export -out certificate.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem

which will prompt you for a password for your pkcs12 file.


I just tried it out but get the same message: “No certificate matches private key”.
I’m pretty sure that certificate and private key match since they are in use for an Apache Server.


Hello @thkeller,

With the command provided by @serverco you should be able to export your cert and key to pkcs12 format. If you still get the message “No certificate matches private key”, it is because the key that you are using was not used to issue the cert, so double-check the path to the correct files (usually it should be /etc/letsencrypt/live/yourdomain.tld/).

openssl pkcs12 -export -out /tmp/certificate.pfx -inkey /etc/letsencrypt/live/yourdomain.tld/privkey.pem -in /etc/letsencrypt/live/yourdomain.tld/cert.pem -certfile /etc/letsencrypt/live/yourdomain.tld/chain.pem

Replace yourdomain.tld with your actual domain name.

If you want to check whether the privkey signed your cert, use these commands:

openssl x509 -noout -modulus -in /etc/letsencrypt/live/yourdomain.tld/cert.pem | openssl md5

openssl rsa -noout -modulus -in /etc/letsencrypt/live/yourdomain.tld/privkey.pem | openssl md5

Of course, again, replace yourdomain.tld with your domain name. The output of both commands should be exactly the same.

If you still have problems, paste the exact commands you are using to export your key and cert to pkcs12 and the output of ls -l /path/where/your/keyandcert/are/located/
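
An added example, not part of the original thread: the modulus comparison above only applies to RSA keys, so this sketch generalizes the same check by comparing the public key derived from the private key with the public key embedded in the certificate, which also covers EC keys. The function names and the script name check.sh are hypothetical; only standard openssl subcommands are used.

```shell
#!/bin/sh
# Added example (not from the thread): check that a private key belongs to a
# certificate by comparing public keys. Unlike the -modulus test, this also
# works for EC keys, because it never touches RSA-specific fields.

# Print the public key (PEM, SubjectPublicKeyInfo) derived from a private key.
pubkey_from_key() {
    openssl pkey -in "$1" -pubout 2>/dev/null
}

# Print the public key (PEM, SubjectPublicKeyInfo) embedded in a certificate.
pubkey_from_cert() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null
}

# key_matches_cert KEY CERT
# Returns 0 on match, 1 on mismatch, 2 if either file cannot be parsed.
key_matches_cert() {
    key_pub=$(pubkey_from_key "$1") || return 2
    cert_pub=$(pubkey_from_cert "$2") || return 2
    if [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]; then
        return 0
    fi
    return 1
}

# Command-line use (hypothetical script name): sh check.sh privkey.pem cert.pem
if [ "$#" -eq 2 ]; then
    rc=0
    key_matches_cert "$1" "$2" || rc=$?
    case "$rc" in
        0) echo "match: key and certificate belong together" ;;
        1) echo "MISMATCH: certificate was issued for a different key" ;;
        *) echo "error: could not parse key or certificate" ;;
    esac
    exit "$rc"
fi
```

A return code of 1 points at a wrong file pairing (for example a key from an older renewal), while 2 points at an unreadable or non-PEM file, which are the two situations that produce the “No certificate matches private key” message.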


