Unable to update DLB certificates with error "Public Key does not match Private key"

Publish Date: Aug 8, 2024
Resolution

SYMPTOM

When DLB certificates are about to expire, or have already expired, they need to be updated. When a customer tries to update the DLB certificates from the Runtime Manager -> Load Balancers console, the update fails with the error "Public Key does not match Private key" shown in the console.

CAUSE

1. Private Key and Public Key do not match

The update of the DLB certificates fails because the modulus of the public key and the modulus of the private key do not match. The modulus of the public key in the certificate, of the private key and of the CSR must be identical. The output of the OpenSSL commands below should therefore be identical if the private key, the CSR and the public key match each other.

Use the following OpenSSL commands to verify the match:

openssl x509 -noout -modulus -in certificate.crt | openssl md5
(stdin)= 867199ee45499af610eea3df81fb16l5

openssl rsa -noout -modulus -in privateKey.key | openssl md5
(stdin)= 867199ee45499af610eea3df81fb16l5

openssl req -noout -modulus -in CSR.csr | openssl md5
(stdin)= 867199ee45499af610eea3df81fb16l5


The output values should match (e.g. "867199ee45499af610eea3df81fb16l5").

2. The Private Key being used is corrupted

Sometimes, even when the hash values of the Private Key and the Public Key match, you may still see the error message. One possible reason is that the Private Key is not valid or is corrupted. A quick way to check whether the Private Key being used is still valid is to run the OpenSSL commands below. Each command checks the Private Key against one algorithm (rsa/ec/dsa) and reports the result as OK, Invalid, or not of this type. For example, if the Private Key was generated with the RSA signature algorithm, the first command prints "RSA key OK".

1. openssl rsa -in {privatekey_file.pem} -noout -check
2. openssl ec -in {privatekey_file.pem} -noout -check
3. openssl dsa -in {privatekey_file.pem} -noout -check
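
The two checks above (matching key material, then key validity) combined into one script. This is an added example, not part of the article; the function names are hypothetical, and it compares the SubjectPublicKeyInfo rather than the RSA modulus, so the same check also works for EC keys, where "-modulus" does not apply.

```shell
#!/bin/sh
# Added example (not from the article): compare the public key carried by the
# certificate, the CSR and the private key, and check the private key itself.
# Comparing the PEM public key (SubjectPublicKeyInfo) instead of the RSA modulus
# makes the same check work for EC keys. Function names are hypothetical.

# Print the PEM public key held in a cert, CSR or private key (empty on error).
pubkey_pem() {
  case "$1" in
    cert) openssl x509 -noout -pubkey -in "$2" 2>/dev/null ;;
    key)  openssl pkey -pubout -in "$2" 2>/dev/null ;;
    csr)  openssl req -noout -pubkey -in "$2" 2>/dev/null ;;
    *)    echo "pubkey_pem: unknown kind '$1'" >&2; return 2 ;;
  esac
}

# 0 if the private key parses and passes OpenSSL's consistency check
# (the article's "RSA key OK"); 1 for a truncated, corrupted or non-key file.
key_is_valid() {
  openssl pkey -in "$1" -check -noout >/dev/null 2>&1
}

# 0 if the object in $1 (kind "cert" or "csr" in $2) carries the same public
# key as the private key file $3.
matches_private_key() {
  a=$(pubkey_pem "$2" "$1") || return 1
  b=$(pubkey_pem key "$3") || return 1
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Report every reason the DLB upload would reject the bundle.
# Usage: check_dlb_bundle certificate.crt privateKey.key [CSR.csr]
check_dlb_bundle() {
  rc=0
  key_is_valid "$2" || { echo "private key is invalid or corrupted"; rc=1; }
  matches_private_key "$1" cert "$2" \
    || { echo "certificate public key does not match private key"; rc=1; }
  if [ -n "$3" ]; then
    matches_private_key "$3" csr "$2" \
      || { echo "CSR public key does not match private key"; rc=1; }
  fi
  [ "$rc" -eq 0 ] && echo "certificate, private key and CSR are consistent"
  return "$rc"
}

# Run directly with the file paths as arguments.
if [ "$#" -ge 2 ]; then check_dlb_bundle "$@"; fi
```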


3. Certificate and Private Key are of different Signature Algorithms

For more information on this, please refer to the Article "Updating ECDSA Key Certificate in DLB Shows "public key does not match private key"".

 

SOLUTION

  • Make sure the modulus values are the same across all certificates, then upload the certificates; they should be saved and applied successfully.
  • Ensure the Private Key is valid and not corrupted.
Knowledge Article Number

001120080

Salesforce Help | Article