UAA logs report the exception "Certificate does not match private key"
Private keys generated using openssl req with a recent OpenSSL (such as OpenSSL 1.0.2d 9 Jul 2015), like:
openssl req -out PCF-CSR.csr -nodes -keyout PCF-Key.key -newkey rsa:2048 -new
are parsed incorrectly by UAA, causing an exception to be thrown. Keys generated in this way take a branch of the UAA key parser in which the public key information needed to pass the comparison with the certificate is never populated.
The current workaround is to generate the private key first with genrsa and then create the CSR from that existing key, like:
openssl genrsa -out PCF-Key.key 2048
openssl req -out PCF-CSR.csr -nodes -key PCF-Key.key -config openssl.cnf -new
When private keys are generated using genrsa, they have a slightly different format that UAA is able to parse correctly at this time.
The difference between running genrsa first and using req to generate the private key and the CSR in one step is the on-disk layout of the key. The latter produces a PEM-encoded file (header "BEGIN PRIVATE KEY", the PKCS#8 PrivateKeyInfo layout) in which the RSA private key is an embedded ASN.1 entity wrapped in an OCTET STRING, whereas the former produces a PEM-encoded file (header "BEGIN RSA PRIVATE KEY", the traditional PKCS#1 layout) in which the RSAPrivateKey structure is the top-level entity.
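As an added illustration (this is not UAA's code, and the toy numbers are constructed, not a real key), the following Python builds the same RSA private key in both layouts described above, PKCS#1 as written by genrsa and PKCS#8 PrivateKeyInfo as written by req -newkey, and shows a parser that recovers the modulus and public exponent from either, which is exactly what the comparison with the certificate's public key needs. It assumes nothing beyond the Python standard library.

```python
import base64

TOY_N, TOY_E, TOY_D = 3233, 17, 2753  # constructed toy values (n = 61 * 97), not a usable key
RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")  # AlgorithmIdentifier: rsaEncryption, NULL

def _tlv(tag, body):  # minimal DER tag-length-value encoder (short and long length forms)
    if len(body) < 128:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _der_int(v):
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))  # leading 0x00 if high bit set

def _pem(label, der):
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"

def rsa_private_key_der(n, e, d):  # PKCS#1 RSAPrivateKey: version, n, e, d, p, q, dp, dq, qInv
    return _tlv(0x30, b"".join(_der_int(x) for x in (0, n, e, d, 0, 0, 0, 0, 0)))  # CRT fields zeroed

def pkcs1_pem(n, e, d):  # genrsa style: the RSAPrivateKey is the top-level entity of the file
    return _pem("RSA PRIVATE KEY", rsa_private_key_der(n, e, d))

def pkcs8_pem(n, e, d):  # req -newkey style: PrivateKeyInfo embeds the RSAPrivateKey in an OCTET STRING
    info = _der_int(0) + RSA_ALG_ID + _tlv(0x04, rsa_private_key_der(n, e, d))
    return _pem("PRIVATE KEY", _tlv(0x30, info))

def _children(buf):  # split concatenated DER elements into (tag, value) pairs
    out, pos = [], 0
    while pos < len(buf):
        tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
        if ln & 0x80:  # long form: low 7 bits give the number of length bytes
            k = ln & 0x7F
            ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
        out.append((tag, buf[pos:pos + ln]))
        pos += ln
    return out

def rsa_public_numbers(pem_text):
    """Return (format, n, e) for either layout; a parser that expects only PKCS#1 fails on PKCS#8."""
    label, b64 = pem_text.split("-----")[1:3]  # b64decode discards the line breaks for us
    if label not in ("BEGIN PRIVATE KEY", "BEGIN RSA PRIVATE KEY"):
        raise ValueError(f"unsupported PEM label {label!r}")
    fields, fmt = _children(_children(base64.b64decode(b64))[0][1]), "pkcs1"
    if label == "BEGIN PRIVATE KEY":  # PKCS#8: check rsaEncryption, then unwrap the OCTET STRING
        if fields[1][1] != RSA_ALG_ID[2:] or fields[2][0] != 0x04:
            raise ValueError("not an rsaEncryption PrivateKeyInfo")
        fields, fmt = _children(_children(fields[2][1])[0][1]), "pkcs8"
    return fmt, int.from_bytes(fields[1][1], "big"), int.from_bytes(fields[2][1], "big")
```

On a real key the PEM header alone tells the two layouts apart, and OpenSSL 1.x rewrites a PKCS#8 key into the traditional layout with openssl rsa -in PCF-Key.key -out PCF-Key-rsa.key (OpenSSL 3.x needs the -traditional flag for the same result).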