While replacing the CA certificate in vCenter, you may encounter the error below.
vCenter Server 6.x
vCenter Server 7.x
vCenter Server 8.x
The certificate and the key do not match.
The MD5 hash of the certificate's modulus and the MD5 hash of the key's modulus should match:
openssl x509 -in <path to the Certificate file> -noout -modulus | openssl md5 -non-fips-allow
openssl rsa -in <path to the Private Key file> -noout -modulus | openssl md5 -non-fips-allow
The above commands may fail with the error below if the signature algorithm is SHA-256; the output reports the MD5 digest as unsupported and the -non-fips-allow option is not recognised as an option (it is treated as a digest name):
root@####01 [ /certs ]# openssl x509 -noout -modulus -in machine.crt | openssl md5
Error setting digest
C091CC0FD57F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:386:Global default library context, Algorithm (MD5 : 102), Properties ()
C091CC0FD57F0000:error:03000086:digital envelope routines:evp_md_init_internal:initialization error:crypto/evp/digest.c:254:
C0111655027F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:386:Global default library context, Algorithm (non-fips-allow : 0), Properties (<null>)
To verify that the certificate and the key match, compare the checksums produced by the commands below:
Certificate:
openssl x509 -noout -modulus -in <path_to_Certificate_file> | openssl sha256
Key:
openssl rsa -noout -modulus -in <path_to_key_file> | openssl sha256
If the output of the two commands differs, the certificate does not correspond to the key.
In this case the certificate and the key must be regenerated.
To read the CSR content:
openssl req -text -noout -verify -in <path_to_csr_file>
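The following script is an added example and is not part of the KB article or of vCenter itself. It wraps the check described above into a single shell function: instead of hashing the RSA modulus with MD5, it extracts the public key from the certificate (or CSR) and derives the public key from the private key, then compares their SHA-256 digests. This avoids the MD5/FIPS failure shown above and, as a generalisation of the article's RSA-only commands, also works for EC keys, since the openssl pkey -pubout and openssl x509 -pubkey subcommands are algorithm-agnostic. It also guards against a pitfall of the bare pipelines: if both openssl commands fail (for example because of a wrong path), both produce an empty modulus, and the hash of empty input "matches". The function names (pubkey_of, pubkey_fingerprint, cert_key_match) are the example's own; it assumes openssl is in PATH and that the files are PEM-encoded.

```shell
#!/bin/sh
# Added example (not from the KB article): check whether a certificate or CSR
# and a private key belong together by comparing their public keys.
# Assumes: openssl in PATH, PEM-encoded input files.

# Print the PEM-encoded public key of a certificate, CSR or private key.
# The file type is detected from its PEM header; the CSR check must come
# first because "BEGIN CERTIFICATE" is a prefix of "BEGIN CERTIFICATE REQUEST".
pubkey_of() {
    f="$1"
    if grep -q 'BEGIN CERTIFICATE REQUEST' "$f" 2>/dev/null; then
        openssl req -in "$f" -noout -pubkey
    elif grep -q 'BEGIN CERTIFICATE' "$f" 2>/dev/null; then
        openssl x509 -in "$f" -noout -pubkey
    else
        openssl pkey -in "$f" -pubout
    fi
}

# Print the SHA-256 fingerprint of the public key. Returns 2 (and prints
# nothing) if the file could not be read or parsed, so that two unreadable
# files never produce identical "empty" fingerprints.
pubkey_fingerprint() {
    pem=$(pubkey_of "$1" 2>/dev/null) || return 2
    [ -n "$pem" ] || return 2
    # awk takes the last field so both "(stdin)= <hex>" (OpenSSL 1.x) and
    # "SHA2-256(stdin)= <hex>" (OpenSSL 3.x) output formats are handled.
    printf '%s\n' "$pem" | openssl sha256 | awk '{print $NF}'
}

# Exit status: 0 = certificate/CSR and key match, 1 = they do not match,
# 2 = one of the files could not be read or parsed.
cert_key_match() {
    c=$(pubkey_fingerprint "$1") || return 2
    k=$(pubkey_fingerprint "$2") || return 2
    [ "$c" = "$k" ]
}

# Command-line usage: cert_key_check.sh <certificate-or-csr> <private-key>
if [ "$#" -eq 2 ]; then
    if cert_key_match "$1" "$2"; then
        echo "OK: $1 and $2 belong together"
    elif [ "$?" -eq 2 ]; then
        echo "ERROR: could not read or parse $1 or $2" >&2
        exit 2
    else
        echo "MISMATCH: $1 and $2 do not belong together" >&2
        exit 1
    fi
fi
```

Run it as cert_key_check.sh machine.crt machine.key (or with the CSR in place of the certificate to confirm the CSR was generated from that key before submitting it to the CA). The exit status distinguishes a genuine mismatch (1) from an unreadable or non-PEM file (2), which is the case the bare modulus pipelines silently report as a match.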