vSphere Certificate Manager generates a CSR and Private Key which do not match in vCenter version 8.0.2 and above

Article ID: 326218

Products

VMware vCenter Server

Issue/Introduction

Symptoms:
  • Using the vSphere Certificate Manager to replace the Machine SSL or Root Certificate with a Custom Certificate fails.
  • Certificate Manager shows the following error during replacement:
    ERROR:: INVALID_KEY, the private key does not match the certificate. Please 
    provide a valid certificate and Key pair.


Environment

VMware vCenter Server 8.0.2

Cause

The issue only occurs when all of the following conditions are met:

  • vCenter Server is running version 8.0.2 or above
  • vSphere Certificate Manager is used to generate the Certificate Signing Request (CSR)
  • The folder /tmp is selected as the target location when exporting the CSR and the Key.

Resolution

Engineering is aware of this issue and working to resolve it in a future release.
Please subscribe to this article to be made aware once a fix has been made available.


Workaround:

Do not export the CSR and the key to /tmp. Use a different folder (such as /storage/core) as the target location for both the certificate request and the key.


Additional Information

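To confirm that a CSR, Private Key and certificate belong together, compare the MD5 hash of the modulus of each file. The hashes must be identical. You can use the following commands to run the MD5 check: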

  • To view the md5 hash of the modulus of the CSR:
    # openssl req -in <path to the CSR file> -noout -modulus | openssl md5 -non-fips-allow
  • To view the md5 hash of the modulus of the Private Key:
    # openssl rsa -in <path to the Private Key file> -noout -modulus | openssl md5 -non-fips-allow
  • To view the md5 hash of the modulus of the certificate:
    # openssl x509 -in <path to the Certificate file> -noout -modulus | openssl md5 -non-fips-allow

 

Example: 

[ ~ ]# openssl rsa -noout -modulus -in vmca_issued_key.key |openssl md5 -non-fips-allow
(stdin)= cf42ca065f24b367112e41251ce47b99

[ ~ ]# openssl req -noout -modulus -in vmca_issued_csr.csr |openssl md5 -non-fips-allow
(stdin)= cf42ca065f24b367112e41251ce47b99
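
The same check as a script, for use before the CSR is submitted to the Certificate Authority. This is an added example, not VMware code; the function names modulus_of and check_pair are hypothetical, and it assumes RSA keys. It compares the modulus strings directly instead of their MD5 hashes, so it does not depend on the -non-fips-allow option.

```shell
#!/bin/sh
# Added example (not VMware code). modulus_of and check_pair are hypothetical names.

# Print the RSA modulus line ("Modulus=<hex>") of a key, CSR or certificate.
modulus_of() {
    case "$1" in
        key)  openssl rsa  -in "$2" -noout -modulus 2>/dev/null ;;
        csr)  openssl req  -in "$2" -noout -modulus 2>/dev/null ;;
        cert) openssl x509 -in "$2" -noout -modulus 2>/dev/null ;;
        *)    return 2 ;;
    esac
}

# check_pair KEY CSR [CERT]
# Returns 0 if every file carries the same modulus, 1 on a mismatch,
# 2 if a file is missing or cannot be parsed.
check_pair() {
    key_mod=$(modulus_of key "$1") || return 2
    [ -n "$key_mod" ] || return 2
    csr_mod=$(modulus_of csr "$2") || return 2
    [ "$key_mod" = "$csr_mod" ] || return 1
    if [ -n "$3" ]; then
        cert_mod=$(modulus_of cert "$3") || return 2
        [ "$key_mod" = "$cert_mod" ] || return 1
    fi
    return 0
}

# Command-line use: sh check_pair.sh <key> <csr> [<certificate>]
if [ "$#" -ge 2 ]; then
    rc=0
    check_pair "$1" "$2" "$3" || rc=$?
    case "$rc" in
        0) echo "MATCH: key, CSR and certificate (if given) share one modulus" ;;
        1) echo "MISMATCH: do not submit this CSR; regenerate it outside /tmp" ;;
        *) echo "ERROR: a file is missing or is not a readable RSA key/CSR/certificate" ;;
    esac
    exit "$rc"
fi
```

A return code of 1 on a freshly exported pair reproduces the condition behind the INVALID_KEY error before a certificate has been issued against the CSR.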

 

Further references:

Replacing a vSphere 6.x Machine SSL certificate with a Custom Certificate Authority Signed Certificate

How to file a Support Request in Customer Connect


Impact/Risks:

vCenter Certificate replacement using a Custom Certificate fails because of a mismatch between the Certificate and the Private Key.