When enabling HTTPS for a domain, the certificate from the Certificate Authority (CA) may not match the private key and CSR. Checking the consistency of the private key, CSR and certificate will be helpful in this situation. 

The MD5 harsh of the private key modulus, the certificate modulus and the CSR modulus should be identical. Use OpenSSL to check this MD5 hash of the private key, CSR and certificate like the following to check whether they match. 

openssl pkcs8 -inform DER -in $TIBCO_HOME/administrator/domain/domainname/SSL/key.p8 -outform PEM -out $TIBCO_HOME/administrator/domain/domainname/SSL/key.pem

openssl rsa -noout -modulus -in $TIBCO_HOME/administrator/domain/domainname/SSL/key.pem |openssl md5

openssl req -noout -modulus -in $TIBCO_HOME/administrator/domain/domainname/SSL/cert.csr |openssl md5

openssl x509 -noout -modulus -in $TIBCO_HOME/administrator/domain/domainname/SSL/cert.pem | openssl md5

For TRA 5.10 or higher version, the private key file key.p8 is changed, but the file name remains the same for consistency. Run the following command to key the private key file in PEM format.

keytool -importkeystore -srckeystore $TIBCO_HOME/administrator/domain/domainname/SSL/key.p8 -srcstoretype JCEKS -srcalias key -srcstorepass password -destkeystore  $TIBCO_HOME/administrator/domain/domainname/SSL/key.p12 -deststoretype PKCS12

openssl pkcs12 -in $TIBCO_HOME/administrator/domain/domainname/SSL/key.p12 -nocerts -out $TIBCO_HOME/administrator/domain/domainname/SSL/key.pem