Symptoms:
When attempting to add a new Secure Token Service (STS) Signing Certificate in the vSphere Web Client, an Error window displays the following message:
The last operation failed for the entity with the following error message.
A vCenter Single Sign-On service error occurred
You see entries in the ssoAdminServer.log similar to the following:
[YYYY-MM-DDTHH:MM:SS.412Z pool-3-thread-4 opId=78e5a912-06e2-4934-b5f2-1b174a8eeb15 ERROR com.vmware.identity.admin.vlsi.ConfigurationManagementServiceImpl] Invalid argument in setTenantCredentials for tenant [vsphere.local]: private key does not match certificate (at index 0)
You have verified that the private key matches the leaf certificate in the chain.
Cause:
This is caused by the Key Usage extension on the leaf certificate being marked as Critical.
Resolution:
To resolve the issue, re-sign the certificate and ensure that the Key Usage extension is not marked as Critical.
If using a Microsoft Certificate Authority, ensure that the template used to sign the Certificate Signing Request does not mark Key Usage as Critical. A new template may need to be created specifically for the Secure Token Service Signing certificate, even though VMware's recommendation for vSphere 6.x Machine SSL and Solution User certificate templates is to leave the other options under Key Usage at their defaults.
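As an added check (not part of the original article or a VMware tool), the following script uses openssl to report whether a PEM certificate's Key Usage extension is marked Critical and to confirm that a private key matches the certificate; it also builds constructed self-signed sample certificates so the check can be exercised offline. File names and the OpenSSL 1.1.1+ requirement (for -addext) are assumptions.

```shell
#!/bin/sh
# Added example: inspect a certificate the way the resolution above requires.
# Assumes an OpenSSL 1.1.1+ binary on PATH; file names are placeholders.

# Prints "critical", "not-critical" or "absent" for the Key Usage extension.
# "critical" is the state the article identifies as the cause of the STS failure.
key_usage_status() {
  text=$(openssl x509 -in "$1" -noout -text) || return 1
  case "$text" in
    *"X509v3 Key Usage: critical"*) echo critical ;;
    *"X509v3 Key Usage:"*)          echo not-critical ;;
    *)                               echo absent ;;
  esac
}

# Succeeds when the private key's public half equals the certificate's public key
# (the check the article says was already performed by hand).
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# Constructed sample material: a self-signed certificate with Key Usage marked
# critical (reproduces the problem) and one without the flag (the re-signed state).
# $1 = output file prefix, $2 = "critical," or "" (empty)
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sts-signing-example" \
    -keyout "$1.key" -out "$1.crt" \
    -addext "keyUsage=${2}digitalSignature,keyEncipherment" 2>/dev/null
}

# Usage: sh check-sts-cert.sh sts.crt sts.key
if [ $# -eq 2 ]; then
  echo "Key Usage extension: $(key_usage_status "$1")"
  if key_matches_cert "$1" "$2"; then echo "private key matches certificate"
  else echo "private key does NOT match certificate"; fi
fi
```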