Error: "The provided MACHINE_SSL certificate and provided private key are not valid" when performing SSL certificate renewal on vCenter

Article ID: 406719

Products

VMware vCenter Server

Issue/Introduction

  • Machine SSL certificate replacement on vCenter Server using option "IMPORT AND REPLACE CERTIFICATE" fails with error "[CERTIFICATE] Replace cert Failed: Exception found (The provided MACHINE_SSL certificate and provided private key are not valid.)"

Environment

  • vCenter Server 7.x.
  • vCenter Server 8.x.

Cause

  • The CSR, the private key and the issued certificate must all belong to the same key pair. This error is raised when the private key held by vCenter Server is not the one whose public half was in the CSR that the CA signed.
  • Generating a CSR from the vSphere Client also generates a new private key, and vCenter Server keeps only the key from the most recent CSR generation. If the CSR generation was triggered more than once and the CA signed a CSR from an earlier attempt, the key still stored on vCenter Server does not match the certificate.
  • Whether the certificate and the private key match can be checked from an SSH session on vCenter Server:

    • Export the Private Key from vCenter which was generated during the CSR generation from vSphere Client.

      /usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store MACHINE_SSL_CERT --alias __MACHINE_CSR --output /root/machine_ssl_private.key

    • Save the certificate on vCenter Server using 'vi' editor.

      vi /root/machine_ssl_cert.crt

      Paste the Machine SSL certificate generated by the CA and save the file.

    • Compare the RSA modulus of the key and the certificate (the MD5 is only a short fingerprint for comparison, not a security control):

      openssl rsa -in /root/machine_ssl_private.key -noout -modulus | openssl md5
      openssl x509 -in /root/machine_ssl_cert.crt -noout -modulus | openssl md5

      Note: Both commands print the same value when the private key and the certificate match; differing values confirm the mismatch described above. The modulus check applies to RSA keys only.

Resolution

  • Generate a new CSR from the vSphere Client and have the third-party CA sign that CSR. Do not generate the CSR more than once before the certificate is issued: each generation creates a new private key, and vCenter Server keeps only the most recent CSR and private key pair.
  • If the CSR was generated outside the vSphere Client, use the private key that was created together with that CSR and choose the option "Replace with external CA certificate (requires private key)" instead.

Additional Information

  • If the private key is encrypted (the file starts with "-----BEGIN ENCRYPTED PRIVATE KEY-----"), decrypt it first. OpenSSL is available on vCenter Server; the command to write an unencrypted copy of an RSA private key is

    openssl rsa -in <encrypted_private.key> -out <decrypted_private.key>

    Note: replace <encrypted_private.key> and <decrypted_private.key> with the actual file names and enter the passphrase when prompted. The output file holds the key in clear text: restrict its permissions and delete it once the certificate has been imported.

  • Before replacing the certificate, compare the key material of the CSR, the private key and the certificate: the MD5 of the RSA modulus printed by each of the commands below must be identical.

    openssl x509 -in certificate.crt -noout -modulus |openssl md5
    openssl rsa -in privatekey.key -noout -modulus |openssl md5
    openssl req -noout -modulus -in CSR.csr | openssl md5

  • Related known issue with the certificate-manager CLI utility: Error "INVALID_KEY, the private key does not match the certificate" received when trying to replace the Machine SSL or Root Certificate with a custom certificate.
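The modulus comparison in the Cause and Additional Information sections above only works for RSA keys. The following script is an added example and is not part of the VMware article: it compares the DER-encoded public key (SubjectPublicKeyInfo) of the private key, the certificate and optionally the CSR, so the same check works for RSA and EC keys. The file names, the `vcenter.example.test` subject and the throw-away fixture are constructed for the demonstration; on vCenter Server you would run `keymatch` against the key exported with `vecs-cli` and the certificate saved as described above.

```shell
#!/bin/sh
# Added example (not part of the VMware KB article): verify that a private key,
# a certificate and optionally a CSR all carry the same public key. Comparing the
# SubjectPublicKeyInfo instead of the RSA modulus works for RSA and EC keys.

# Print the PEM public key of a private key, certificate or CSR.
pub_pem() {
  case "$1" in
    key)  openssl pkey -in "$2" -pubout ;;
    cert) openssl x509 -in "$2" -noout -pubkey ;;
    csr)  openssl req  -in "$2" -noout -pubkey ;;
    *)    return 2 ;;
  esac
}

# Print a SHA-256 fingerprint of the DER public key; fail if it cannot be read.
pub_fp() {
  pem=$(pub_pem "$1" "$2" 2>/dev/null) || return 1
  [ -n "$pem" ] || return 1
  printf '%s\n' "$pem" | openssl pkey -pubin -outform DER 2>/dev/null \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# keymatch KEY CERT [CSR]: return 0 when all inputs share one public key.
keymatch() {
  k=$(pub_fp key "$1")  || { echo "cannot read private key $1" >&2; return 1; }
  c=$(pub_fp cert "$2") || { echo "cannot read certificate $2" >&2; return 1; }
  if [ "$k" != "$c" ]; then
    echo "MISMATCH: private key $1 does not belong to certificate $2" >&2
    return 1
  fi
  if [ $# -ge 3 ]; then
    r=$(pub_fp csr "$3") || { echo "cannot read CSR $3" >&2; return 1; }
    if [ "$r" != "$k" ]; then
      echo "MISMATCH: CSR $3 was generated with a different private key" >&2
      return 1
    fi
  fi
  echo "OK: public key fingerprint $k shared by all inputs"
}

# Constructed fixture (not real vCenter material): k1.key, c1.crt and k1.csr
# share one key pair; k2.key plays the stale key from an earlier CSR attempt.
make_fixture() {
  d=$(mktemp -d) || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=vcenter.example.test" \
    -keyout "$d/k1.key" -out "$d/c1.crt" >/dev/null 2>&1 || return 1
  openssl req -new -key "$d/k1.key" -subj "/CN=vcenter.example.test" \
    -out "$d/k1.csr" >/dev/null 2>&1 || return 1
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$d/k2.key" >/dev/null 2>&1 || return 1
  echo "$d"
}

# Self-check: the matching set is accepted, the stale key is rejected.
demo_self_check() {
  d=$(make_fixture) || return 1
  keymatch "$d/k1.key" "$d/c1.crt" "$d/k1.csr" >/dev/null || { rm -rf "$d"; return 1; }
  if keymatch "$d/k2.key" "$d/c1.crt" >/dev/null 2>&1; then rm -rf "$d"; return 1; fi
  rm -rf "$d"
  return 0
}

# On vCenter Server, after exporting the key with vecs-cli as shown above:
#   keymatch /root/machine_ssl_private.key /root/machine_ssl_cert.crt
```

A non-zero exit from `keymatch` reproduces the condition behind the "not valid" error before the vSphere Client import is attempted; an unreadable input (for example a still-encrypted key) is reported separately from a genuine mismatch.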