The MD5 harsh of the private key modulus, the certificate modulus and the CSR modulus should be identical. Use OpenSSL to check this MD5 hash of the private key, CSR and certificate like the following to check whether they match.
openssl pkcs8 -inform DER -in $TIBCO_HOME/administrator/domain/domainname/SSL/key.p8 -outform PEM -out $TIBCO_HOME/administrator/domain/domainname/SSL/key.pem
openssl rsa -noout -modulus -in $TIBCO_HOME/administrator/domain/domainname/SSL/key.pem |openssl md5
openssl req -noout -modulus -in $TIBCO_HOME/administrator/domain/domainname/SSL/cert.csr |openssl md5
openssl x509 -noout -modulus -in $TIBCO_HOME/administrator/domain/domainname/SSL/cert.pem | openssl md5
For TRA 5.10 or higher version, the private key file key.p8 is changed, but the file name remains the same for consistency. Run the following command to key the private key file in PEM format.
keytool -importkeystore -srckeystore $TIBCO_HOME/administrator/domain/domainname/SSL/key.p8 -srcstoretype JCEKS -srcalias key -srcstorepass password -destkeystore $TIBCO_HOME/administrator/domain/domainname/SSL/key.p12 -deststoretype PKCS12
openssl pkcs12 -in $TIBCO_HOME/administrator/domain/domainname/SSL/key.p12 -nocerts -out $TIBCO_HOME/administrator/domain/domainname/SSL/key.pem