If you’re attempting to create a certificate key-pair and have received the message shown below, there is usually one common remedy:

SSL Certificate Error

Could not create certificate-key pair — This could be due to an invalid or corrupt key or certificate, or an undesired space control character in the key. Please correct and try again.

The remedy is to run your key through OpenSSL using the RSA key processing tool to change it to the traditional SSLeay compatible format. And yes, to immediately answer our critics: we do support the newer and more secure PKCS#8 key format, but every once in a while they do not pair with the certs, even if the cert/key pair is already successfully deployed somewhere. We haven’t quite determined why, yet. But we’re working on it. You can use the pkcs8 tool to try to remove a hidden space control character from the key first if you like, but this method works 100% of the time.

The OpenSSL command is:

OpenSSL rsa -in old_key_name.key -out new_key_name.key

This generates a new file that you can then upload to the UI and (hopefully) successfully pair with your Certificate. This resolves the error almost all the time, so give it a try.

MORE: For users with Linux systems, OpenSSL is often already installed making the above command easy to run. But for users on Windows systems, OpenSSL is not there by default. To use this utility, you’ll need to install it.

To get open SSL, you will need to download it from this link: http://slproweb.com/products/Win32OpenSSL.html

When at that site, if you scroll down, you’ll see quite a number of options. You’ll probably want Win32 OpenSSL v1.1.0e if you’re on a 32 bit machine (XP, Vista, Windows 7) or this one Win64 OpenSSL v1.1.0e if you are on a 64 bit machine (Windows 7×64, Windows 8).

Go ahead and download, run the installer and remember where you installed it. Default answers to the questions are just fine.

When you’re done, open up the directory where it was installed. In my case, I installed it here:


Go one step further and open the bin directory. Now take your key file and put it there in the bin directory.

Now open a Command Prompt and change to that directory by typing cd C:\openssl-win64\bin (or whatever it is to get into that bin directory).

If you type “dir” and hit enter, you should see your key file in there, along with a bunch of other stuff.

Ok, now run the command to ingest your key and spit out the newly formatted one.

OpenSSL rsa -in old_key_name.key -out new_key_name.key

Once complete, delete the prior key file (at least from the bin directory) so you’re just left with the new key. That’s the one that has been converted. Upload it to the UI and attempt to pair your cert and key again. Hopefully success!

Of course, if you don’t have success, contact us by creating a support case, we’re here to help!