NSX CA Certificate Replacement fails with "certificate does not verify with supplied key"

Article ID: 396248

Products

VMware NSX

Issue/Introduction

  • This issue occurs during import of a CA-signed certificate together with its private key.
  • Certificate replacement via the API or the NSX UI (NSX 4.2 or later) fails with "certificate does not verify with supplied key".
  • The import of the CA-signed certificate fails reporting a private key mismatch, even though the private key has already been checked.

Environment

VMware NSX

Cause

This may occur due to the following possible causes:

  1. Incorrect Certificate Chain Order:
    The certificate chain is not correctly ordered (server - intermediate - root).

  2. One of the certificates is missing in the chain of trust:
    Intermediate or root certificate may be missing.

  3. Incorrect File Format or Encoding:
    The certificate or key files are not in the expected PEM format or contain unsupported characters.

  4. Certificate and Private Key Mismatch:
    The private key used does not correspond to the certificate being imported.

Resolution

For the causes listed above, we recommend the following:

  1. Incorrect Certificate Chain Order:
    Ensure that the certificate chain is complete and correctly ordered when importing the certificate. The typical order is:

    -----BEGIN CERTIFICATE-----
    [Your NSX Manager Certificate]
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    [Intermediate CA Certificate]              (NOTE: The intermediate CA certificate may be absent if the NSX Manager Certificate was signed directly by the Root CA)
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    [Root CA Certificate]
    -----END CERTIFICATE-----

    Ensure there are no extra spaces or characters between the certificates.

  2. Ensure all three certificates (NSX Manager, intermediate CA and root CA) are present in the certificate file.
  3. Ensure that the certificate and the private key are in PEM format (Base64 encoded, with -----BEGIN CERTIFICATE----- and -----BEGIN PRIVATE KEY----- headers).
  4. Ensure that the private key matches the certificate. You can verify this by checking that the modulus of the certificate and the modulus of the private key are identical. Use the following OpenSSL commands and compare the two hashes:

    openssl x509 -noout -modulus -in certificate.crt | openssl md5
    openssl rsa -noout -modulus -in private.key | openssl md5
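The four checks above gathered into one script, as an added example that is not part of this article or of VMware's tooling. It assumes openssl is on the PATH, the bundle is a PEM file in the order shown above, and the private key is an unencrypted PEM file; the key check compares public keys rather than the RSA modulus, so it also covers EC keys.

```shell
#!/bin/sh
# nsx_chain_check.sh: pre-import checks for an NSX certificate bundle and its private key.
# Usage: sh nsx_chain_check.sh bundle.pem private.key   (exit 0 = all checks passed)
# Split a PEM bundle into $2/cert_1.pem, $2/cert_2.pem, ... and print the certificate count.
split_bundle() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert_" n ".pem" }
    f { print > f }
    /-----END CERTIFICATE-----/ { close(f); f = "" }
    END { print n + 0 }' "$1"
}
# Print one X.509 name field ("subject" or "issuer") of a certificate in RFC 2253 form.
name_field() {
  openssl x509 -noout "-$1" -nameopt RFC2253 -in "$2" | sed "s/^$1= *//"
}

check_bundle() {
  bundle="$1"; key="$2"; rc=0; tmp=$(mktemp -d)
  # Cause 3: LF-only PEM with nothing but certificate blocks in it.
  if grep -q "$(printf '\r')" "$bundle"; then
    echo "FAIL: CR characters found (Windows line endings); save as LF-only PEM"; rc=1
  fi
  stray=$(awk '/-----BEGIN/ { b = 1 } !b && NF { c++ } /-----END/ { b = 0 } END { print c + 0 }' "$bundle")
  [ "$stray" -eq 0 ] || { echo "FAIL: $stray non-PEM line(s) outside the certificate blocks"; rc=1; }
  # Cause 2: the bundle must hold the CA certificate(s), not just the NSX Manager certificate.
  count=$(split_bundle "$bundle" "$tmp")
  if [ "$count" -lt 2 ]; then
    echo "FAIL: $count certificate(s) found; the intermediate/root CA certificates are missing"
    rm -rf "$tmp"; return 1
  fi
  # Cause 1: certificate N must be issued by certificate N+1 (server -> intermediate -> root), the last being the self-signed root.
  i=1
  while [ "$i" -lt "$count" ]; do
    if [ "$(name_field issuer "$tmp/cert_$i.pem")" != "$(name_field subject "$tmp/cert_$((i + 1)).pem")" ]; then
      echo "FAIL: certificate $i is not issued by certificate $((i + 1)); chain out of order or incomplete"; rc=1
    fi
    i=$((i + 1))
  done
  if [ "$(name_field subject "$tmp/cert_$count.pem")" != "$(name_field issuer "$tmp/cert_$count.pem")" ]; then
    echo "FAIL: last certificate is not self-signed; the root CA certificate is missing"; rc=1
  fi
  # Cause 4: the key must belong to the first certificate; comparing public keys also covers EC keys.
  if [ "$(openssl x509 -noout -pubkey -in "$tmp/cert_1.pem")" != "$(openssl pkey -pubout -in "$key" 2>/dev/null)" ]; then
    echo "FAIL: private key does not match the first (NSX Manager) certificate"; rc=1
  fi
  rm -rf "$tmp"; return $rc
}

if [ "$#" -eq 2 ]; then check_bundle "$1" "$2"; fi
```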

NOTE: If the imported CA certificate is based on an NSX Manager-generated CSR, a private key exists on the NSX Manager appliance and therefore the certificate should be imported through the CSR page to tie them together:

  • System -> Settings -> Certificates -> CSRs -> Vertical ellipses next to the CSR used -> Import Certificate for CSR

Additional Information

The following is a Certificate Chain of Trust. It shows a Root CA signing an Intermediate certificate, which then signs the NSX Certificate. This hierarchy ensures the NSX Certificate's trustworthiness by linking it back to a pre-trusted Root CA.

When creating the certificate file, make sure to follow this order:

  1. NSX Manager Certificate
  2. Intermediate CA Certificate
    • NOTE:  The intermediate CA certificate may be absent if the NSX Manager Certificate was signed directly by the Root CA
  3. Root CA Certificate