Error: "The provided MACHINE_SSL certificate and provided private key are not valid" when performing SSL certificate renewal on vCenter
Article ID: 406719
Updated On:
Products
VMware vCenter Server
Issue/Introduction
- Machine SSL certificate replacement on vCenter Server using option "
IMPORT AND REPLACE CERTIFICATE" fails with error "[CERTIFICATE] Replace cert Failed: Exception found (The provided MACHINE_SSL certificate and provided private key are not valid.)"
Environment
- vCenter Server 7.x.
- vCenter Server 8.x.
Cause
- It is crucial that the CSR, Private Key, and the Certificate match to ensure security and integrity. This issue is observed when the Private Key is not the same as the one used to issue the certificate.
- When generating a Certificate Signing Request (CSR) from the vCenter, a private key is also auto generated. vCenter Server stores only one Private Key for the last CSR generation action from the vSphere Client. If the CSR generation action was triggered multiple times and the Certificate was generated from a CSR from an older attempt, the Private Key stored on vCenter Server will not match with the Certificate.
- The hash of the Certificate and Private Key can be checked by executing below command from vCenter Server SSH session:
- Export the Private Key from vCenter which was generated during the CSR generation from vSphere Client.
/usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store MACHINE_SSL_CERT --alias __MACHINE_CSR --output /root/machine_ssl_private.key - Save the certificate on vCenter Server using 'vi' editor.
vi /root/machine_ssl_cert.crt
Paste the Machine SSL certificate generated by the CA and save the file. - Check the hash using the commands below:
openssl rsa -in/root/machinesl_private.key-noout -modulus |openssl md5
openssl x509 -in/root/machine_ssl_cert.crt-noout -modulus |openssl md5
Note: Both the commands will show same value if the Private Key and Certificate is matching.
- Export the Private Key from vCenter which was generated during the CSR generation from vSphere Client.
Resolution
- Re-generate the CSR again from vSphere Client and provide the downloaded CSR to the third-party CA to sign the Certificate. Do not generate CSR multiple times from vCenter Server as each CSR has separate private key and vCenter stores only the last CSR and Private Key pair.
- If the CSR was generated from outside of vSphere Client, use the provided private key issued by the Certificate Authority and choose the option "
Replace with external CA certificate(requires private key)" instead.
Additional Information
- If the private key is encrypted (opening the file shows: "-----BEGIN ENCRYPTED PRIVATE KEY-----"), you will need to decrypt it first. Using OpenSSL, which can be found on the vCenter, the command to decrypt the private key is
openssl rsa -in <encrypted_private.key> -out <decrypted_private.key>
Note: replace <encrypted_private.key> and <decrypted_private.key> with the proper file names and provide the password when prompted. - Sometimes, key decryption fails with below error:
root@Test_vCenter[ /tmp ]# openssl rsa -in <Encrypted_key> -out <decrypted_key>
Enter pass phrase for <Encrypted_key>:
Could not read private key from <Encrypted_key>:
C021C915F57F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:386:Global default library context, Algorithm (MD5 : 102), Properties ()
C021C915F57F0000:error:03000086:digital envelope routines:evp_md_init_internal:initialization error:crypto/evp/digest.c:254:Because vCenter Server 8.x utilizes OpenSSL 3.x. In this version, legacy cryptographic algorithms (such as MD5-based key derivation used in older encrypted PEM files) are disabled by default for security.
When attempting to decrypt the private key as previously recommended, the system blocks the operation because it cannot "fetch" the unsupported MD5 algorithm.
Use latest openSSL version for windows/linux and run the same command to decrypt it.
- Prior to implementing the certificate replacement, check the MD5 hash of the CSR, private key, and certificate to ensure they match.
openssl x509 -in certificate.crt -noout -modulus |openssl md5openssl rsa -in privatekey.key -noout -modulus |openssl md5openssl req -noout -modulus -in CSR.csr | openssl md5 - Known issue with certificate-manager CLI utility - Error: "INVALID_KEY, the private key does not match the certificate" received when trying to replace the Machine SSL or Root Certificate with a Custom Certificate.
Feedback
Yes
No
Powered by
