PAM-CM-0201: Verification Error RSA OK SELF OK CERT OK MATCH ERROR


Article ID: 212046


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

After downloading the public and private key from the certificate authority (CA) website, the client received this error when trying to upload the certificate to CA PAM:

Error: PAM-CM-0201: Verification Error RSA OK SELF OK CERT OK MATCH ERROR
140696749713080:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:340:

Cause

The certificate's public key could not be validated against the private key, which produces this error.

The root causes can be:

The key or the file is not in the correct, readable format

The private key does not match its public key

Environment

Release : 3.x , 4.x

Component : CA LDAP Server

Resolution

In this case, the certificate file included the full certificate chain. CA PAM was not expecting the chain in this load order, so it tried to validate the last certificate listed in the chain, which was the root CA certificate. To resolve this scenario, either remove the unused certificates (CA root and intermediates), leaving only the server certificate and private key, or reorder the certificates so that the last certificate is the server certificate, followed by the private key:

-----BEGIN CERTIFICATE-----
... BASE64 key info for the server certificate...
-----END CERTIFICATE-----

-----BEGIN PRIVATE KEY-----
... BASE64 key info ...
-----END PRIVATE KEY-----
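
A way to check a bundle against the load order described above before uploading it, as an added example that is not part of the original article or the vendor's code. It assumes the `openssl` CLI is installed and the file holds exactly one unencrypted private key; `check_bundle` and its return codes are names chosen for this example.

```shell
#!/bin/sh
# Added example (not vendor code). check_bundle FILE lists each PEM block and returns:
#   0  the last certificate matches the private key, and the key is the final block
#   1  a matching certificate exists but is not last: trim or reorder the bundle
#   2  no certificate matches the private key: genuine key mismatch
#   3  unreadable file, or not exactly one readable private key
check_bundle() {
    bundle=$1
    tmp=$(mktemp -d) || return 3
    # Split the bundle into one numbered file per PEM block, keeping file order.
    awk -v dir="$tmp" '
        /^-----BEGIN / { n++
            kind = ($0 ~ /PRIVATE KEY/) ? "key" : "crt"
            out = sprintf("%s/%02d.%s", dir, n, kind) }
        out != "" { print > out }
        /^-----END / { close(out); out = "" }
    ' "$bundle" || { rm -rf "$tmp"; return 3; }
    set -- "$tmp"/*.key
    if [ $# -ne 1 ] || [ ! -f "$1" ]; then rm -rf "$tmp"; return 3; fi
    keyname=${1##*/}
    keypub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || { rm -rf "$tmp"; return 3; }
    # Note 2 in the article: the file should keep Unix/LF line endings.
    if grep -q "$(printf '\r')" "$bundle"; then echo "warning: CRLF line endings"; fi
    match="" lastcrt="" last=""
    for f in "$tmp"/*; do
        last=${f##*/}
        case $f in
        *.key) echo "$last  private key" ;;
        *.crt)
            lastcrt=$last
            subj=$(openssl x509 -in "$f" -noout -subject 2>/dev/null) || subj="unreadable"
            if [ "$(openssl x509 -in "$f" -noout -pubkey 2>/dev/null)" = "$keypub" ]; then
                match=$last
                echo "$last  $subj  <- matches the private key"
            else
                echo "$last  $subj"
            fi ;;
        esac
    done
    rm -rf "$tmp"
    [ -n "$match" ] || return 2
    if [ "$match" = "$lastcrt" ] && [ "$last" = "$keyname" ]; then return 0; fi
    return 1
}

# Run stand-alone as: sh check_bundle.sh bundle.pem
[ $# -eq 0 ] || check_bundle "$1"
```

A return code of 1 corresponds to the scenario in this article: the key pair is fine, but the certificate that matches the key is not the last certificate in the file.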

Additional Information

Note 1: OpenSSL may need to be installed in order to test the readability of the certificates.

Note 2: When modifying certificate files on a Windows workstation, take care that the editor does not change the Unix/LF line-ending format.