When the SSL certificate on the SA appliance is uploaded by itself, the current SSL private key on the SA must match it. The normal situation for this would be the case when an expired certificate is replaced with a new certificate based on the same private key.
 

Certificate is not in PEM format, or does not match the existing private key running on the system.

If a the new certificate does not match the current private key running on the system, both the correct key and the new certificate need to be uploaded to the appliance at the same time.

If the certificate is already in PEM format but this error is received, upload both the certificate and its matching private key at the same time to resolve.

Note: the restart of the HTTPd service on the SA appliance may take up to 5 minutes.