Error occurred while fetching tls: String index out of range -1 while replacing Machine SSL Certificate in vSphere Client

Article ID: 405852

Updated On:

Products

VMware vCenter Server

Issue/Introduction

Replacing the Machine SSL Certificate in the vSphere Client with the option "Replace with external CA certificate (requires private key)" fails with "Error occurred while fetching tls: String index out of range -1".

/var/log/vmware/certificatemanagement/certificatemanagement-svcs.log contains errors stating that the supplied key file is not a valid PEM string:

YYYY-MM-DDTHH:MM:SS [tomcat-exec-7 [] ERROR com.vmware.certificatemanagement.impl.tls.TlsReplace  opId=] Invalid PEM string for Private Key  Illegal object in getInstance: org.bouncycastle.asn1.DLSequence
YYYY-MM-DDTHH:MM:SS [tomcat-exec-7 [] ERROR com.vmware.certificatemanagement.impl.tls.TlsReplace  opId=] TLS Certificate replacement failed : Invalid input, not a valid PEM formatted Primary Key
YYYY-MM-DDTHH:MM:SS [tomcat-exec-7 [] ERROR com.vmware.certificatemanagement.vapi.impl.TlsProviderImpl  opId=] Exception was thrown while executing set:
com.vmware.certificatemanagement.impl.exceptions.InvalidArgumentException: Invalid input, not a valid PEM formatted Primary Key
...
Caused by: java.security.spec.InvalidKeySpecException: Illegal object in getInstance: org.bouncycastle.asn1.DLSequence

Environment

VMware vCenter

Cause

The key file used is encrypted with a passphrase. This can be seen by opening the key file in a text editor: an encrypted PKCS#8 key carries the header below (the base64 body is omitted here):

-----BEGIN ENCRYPTED PRIVATE KEY-----

<base64-encoded key data>

-----END ENCRYPTED PRIVATE KEY-----

A legacy OpenSSL key with a "Proc-Type: 4,ENCRYPTED" and "DEK-Info:" line below a "-----BEGIN RSA PRIVATE KEY-----" header is passphrase-protected in the same sense and fails the same way.

vCenter's certificate-replacement workflow has no field for the passphrase. It parses the PEM body as an unencrypted PKCS#8 PrivateKeyInfo, whose first element is an INTEGER version; in an EncryptedPrivateKeyInfo the first element is an AlgorithmIdentifier SEQUENCE instead, which is why BouncyCastle reports "Illegal object in getInstance: org.bouncycastle.asn1.DLSequence" and the replacement fails.

Resolution

Remove the passphrase from the key so that vCenter can read it without one.

  • On any machine with openssl installed (this can also be done on the vCenter appliance), run the following command against the key file:

openssl rsa -in [original.key] -out [new.key]

    "openssl rsa" only handles RSA keys. "openssl pkey -in [original.key] -out [new.key]" does the same for RSA and EC keys alike and always writes an unencrypted PKCS#8 key, so it is the safer choice when the key type is not known.
  • Provide the passphrase for the original key when prompted.
  • The new file contains the private key in clear text. Keep it readable only by the account performing the replacement (for example by creating it under umask 077), store it only for as long as the replacement takes, and delete it once the new certificate is in place.
  • The newly written key file can then be used to replace the certificate. To verify that the passphrase was removed, open the key file in a text editor and confirm it begins and ends like below (the base64 body is omitted here):

-----BEGIN PRIVATE KEY-----

<base64-encoded key data>

-----END PRIVATE KEY-----

    On OpenSSL 1.x, "openssl rsa" writes the traditional header "-----BEGIN RSA PRIVATE KEY-----" instead. That key is also unencrypted as long as no "Proc-Type:" or "DEK-Info:" line follows the header; to obtain the PKCS#8 header shown above, convert it with "openssl pkey -in [new.key] -out [pkcs8.key]".
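The following script is an added example, not code from the VMware KB or from vCenter. It performs the procedure above with the checks a practitioner wants around it: it detects both encrypted PEM forms described in the Cause section, strips the passphrase with "openssl pkey" (so RSA and EC keys are handled alike), creates the clear-text key readable only by the current user, confirms the "BEGIN PRIVATE KEY" header, and verifies that the key matches the certificate before anything is uploaded. The file names original.key, new.key and cert.pem are placeholders, the passphrase is read from an assumed KEY_PASS environment variable (fed to openssl on stdin so it never appears in a process list), and the openssl CLI (1.1 or 3.x) is assumed to be installed.

```shell
#!/bin/sh
# Added example (not VMware's code). Placeholders: original.key, new.key, cert.pem.
# Assumes the openssl CLI; the passphrase is taken from the KEY_PASS environment variable.

# pem_is_encrypted FILE
# Succeeds if FILE is an encrypted PKCS#8 key (the header vCenter rejects) or a
# legacy OpenSSL key carrying a Proc-Type/DEK-Info passphrase header.
pem_is_encrypted() {
    grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' \
            -e '^Proc-Type: 4,ENCRYPTED' "$1"
}

# strip_passphrase IN OUT
# Writes an unencrypted PKCS#8 key. The passphrase comes from KEY_PASS and is
# piped to openssl on stdin; umask 077 makes the clear-text key mode 0600.
strip_passphrase() {
    in=$1
    out=$2
    : "${KEY_PASS:?set KEY_PASS to the passphrase of $in}"
    printf '%s\n' "$KEY_PASS" |
        ( umask 077 && openssl pkey -in "$in" -passin stdin -out "$out" )
}

# pem_is_pkcs8_plain FILE
# Succeeds if the first line is the "BEGIN PRIVATE KEY" header the KB asks you to confirm.
pem_is_pkcs8_plain() {
    head -n 1 "$1" | grep -q '^-----BEGIN PRIVATE KEY-----$'
}

# key_matches_cert KEY CERT
# Compares the SHA-256 of the DER public key derived from KEY with the public
# key embedded in CERT, so a mismatched key file is caught before upload.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}')
    c=$(openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 | awk '{print $NF}')
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# prepare_key IN OUT CERT
# The whole procedure: refuse a key that is not passphrase-protected (nothing to
# fix, and vCenter should accept it as is), strip the passphrase, then verify the
# header and the key/certificate pairing. Returns 2 for "not encrypted", 1 on failure.
prepare_key() {
    if ! pem_is_encrypted "$1"; then
        echo "$1 is not passphrase-protected; use it as is" >&2
        return 2
    fi
    strip_passphrase "$1" "$2" || return 1
    pem_is_pkcs8_plain "$2" || { echo "$2 lacks the PKCS#8 header" >&2; return 1; }
    key_matches_cert "$2" "$3" || { echo "$2 does not match $3" >&2; return 1; }
    echo "$2 is ready for 'Replace with external CA certificate (requires private key)'"
}

# Usage (placeholders): KEY_PASS='...' sh prepare_key.sh original.key new.key cert.pem
if [ "$#" -eq 3 ]; then
    prepare_key "$1" "$2" "$3"
fi
```

After the replacement succeeds, delete the clear-text key (for example with "shred -u new.key" on a filesystem where shred is effective, or "rm" otherwise); the encrypted original can stay as the long-term copy.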