Attempting to add a new STS Signing Certificate in the vSphere Web Client results in the message "A vCenter Single Sign-On service error occurred"

Article ID: 341803

Products

VMware vCenter Server

Issue/Introduction

Symptoms:
When attempting to add a new Secure Token Service (STS) Signing Certificate in the vSphere Web Client, an Error window displays the following message:

The last operation failed for the entity with the following error message.

A vCenter Single Sign-On service error occurred

The ssoAdminServer.log contains entries similar to the following:

[2019-03-29T19:41:07.412Z pool-3-thread-4 opId=78e5a912-06e2-4934-b5f2-1b174a8eeb15 ERROR com.vmware.identity.admin.vlsi.ConfigurationManagementServiceImpl] Invalid argument in setTenantCredentials for tenant [vsphere.local]: private key does not match certificate (at index 0)

You have verified that the private key matches the leaf certificate in the chain.

Environment

VMware vCenter Server 6.0.x
VMware vCenter Server Appliance 6.0.x

Cause

This is caused by the Key Usage extension on the leaf certificate being marked as Critical.

Resolution

To resolve the issue, re-sign the certificate and ensure that the Key Usage extension is not marked as Critical.

If you use a Microsoft Certificate Authority, ensure that the template used to sign the Certificate Signing Request does not mark the Key Usage extension as Critical. A separate template may need to be created to sign the Secure Token Service signing certificate, even though VMware's recommendation when creating a template for vSphere 6.x Machine SSL and Solution User certificates is to leave the other options under Key Usage at their defaults.