Symptoms:
ERROR:: INVALID_KEY, the private key does not match the certificate. Please provide a valid certificate and Key pair.
The issue only occurs when all of the following conditions are met:
Engineering is aware of this issue and working to resolve it in a future release.
Please subscribe to this article to be made aware once a fix has been made available.
Do not use /tmp as a directory location to export the CSR and the key, but instead use a different folder (such as /storage/core) as the target location for both the certificate request and key.
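You can use the following commands to run an MD5 check on the modulus of the CSR, the private key and the certificate. Matching digests indicate that the files belong to the same key pair: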
# openssl req -in <path to the CSR file> -noout -modulus | openssl md5 -non-fips-allow
# openssl rsa -in <path to the Private Key file> -noout -modulus | openssl md5 -non-fips-allow
# openssl x509 -in <path to the Certificate file> -noout -modulus | openssl md5 -non-fips-allow
Example:
[ ~ ]# openssl rsa -noout -modulus -in vmca_issued_key.key |openssl md5 -non-fips-allow
(stdin)= cf42ca065f24b367112e41251ce47b99
[ ~ ]# openssl req -noout -modulus -in vmca_issued_csr.csr |openssl md5 -non-fips-allow
(stdin)= cf42ca065f24b367112e41251ce47b99
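The same comparison as a script, added here as an example and not taken from the original article. The function names modulus_digest and check_modulus_match are hypothetical, and SHA-256 is used in place of MD5 so that no -non-fips-allow override is needed.

```shell
#!/bin/sh
# Added example (not from the KB article): compare the RSA modulus of a
# private key, a CSR and, optionally, the issued certificate.

# modulus_digest <rsa|req|x509> <file>
# Prints the SHA-256 digest of the modulus, or returns 1 if parsing fails.
modulus_digest() {
    local mod
    mod=$(openssl "$1" -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$mod" ] || return 1
    # Output format differs between OpenSSL versions; the digest is the last field.
    printf '%s\n' "$mod" | openssl dgst -sha256 | awk '{print $NF}'
}

# check_modulus_match <key> <csr> [<cert>]
# Returns 0 if all digests match, 1 on a mismatch, 2 if a file is unreadable.
check_modulus_match() {
    local key csr cert d_key d_csr d_cert
    key="$1"
    csr="$2"
    cert="${3:-}"

    d_key=$(modulus_digest rsa "$key") || { echo "cannot read key: $key" >&2; return 2; }
    d_csr=$(modulus_digest req "$csr") || { echo "cannot read CSR: $csr" >&2; return 2; }
    echo "key  $d_key"
    echo "csr  $d_csr"
    if [ "$d_key" != "$d_csr" ]; then
        echo "MISMATCH: the CSR was not generated from this key" >&2
        return 1
    fi

    if [ -n "$cert" ]; then
        d_cert=$(modulus_digest x509 "$cert") || { echo "cannot read certificate: $cert" >&2; return 2; }
        echo "cert $d_cert"
        if [ "$d_key" != "$d_cert" ]; then
            echo "MISMATCH: the certificate was not issued for this key" >&2
            return 1
        fi
    fi
    echo "OK: all moduli match"
}

# Run the check only when file paths are given on the command line.
if [ "$#" -ge 2 ]; then
    check_modulus_match "$@"
fi
```

Run it with the key and CSR paths, plus the certificate path once the CA has returned it. A non-zero exit code before the import means the files do not belong to the same key pair.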
Further references:
How to file a Support Request in the Broadcom Support Portal
vCenter Certificate replacement using Custom Certificate fails because of a mismatch in the Certificate and the Private Key.