Normally, when creating a CSR to submit to a CA, one has to generate a server key. That key not shared with any other server as it's supposed to be unique for that server. That key is paired with the CRT generated by the CA.
Acquire the global/entity/domain key file and global/entity/domain crt and use it as the key/crt on your Moodle server.
The keys and crt's must match ... one can check this with the following commands (replacing filenames for your setup):
openssl x509 -noout -modulus -in certs/STAR_tcea_org.crt | openssl md5 > crtmodulus;
openssl rsa -noout -modulus -in private/tcea.key | openssl md5 > keymodulus;diff crtmodulus keymodulus
openssl x509 -noout -modulus -in certs/STAR_tcea_org.crt | openssl md5;
openssl rsa -noout -modulus -in private/tcea.key | openssl md5;
The modulus outputs are short lines that match - beginning character and every character in the line exactly equal to the other line.
Also, the entity from which you acquired the CRT's should have some customer directions for how to install their certs. Have noticed some differences between CA's in installing certs on Linux platform with Apache server. They usually don't mention NginX or other.
Might want to check that info.
'spirit of sharing', Ken