Error: "The provided MACHINE_SSL certificate and provided private key are not valid" when performing SSL certificate renewal on vCenter
Article ID: 406719

Products

VMware vCenter Server

Issue/Introduction

  • SSL certificate renewal for vCenter Server fails
  • If the Certificate Authority generates a private key when it issues the certificate from the CSR, you must use that private key
    • When a Certificate Signing Request (CSR) is generated on the vCenter, a matching private key is generated at the same time
  • When the Machine SSL certificate is replaced and the signed certificate does not match the private key, the replacement fails with the error "[CERTIFICATE] Replace cert Failed: Exception found (The provided MACHINE_SSL certificate and provided private key are not valid.)" and the certificate is not replaced.

Environment

External Certificate Authority

Cause

It is crucial that the CSR, private key, and certificate match to ensure security and integrity: the certificate binds the public key from the CSR, and only the corresponding private key can be used with it. If the private key is not the one used when the certificate was issued, it can lead to security vulnerabilities.

This issue occurs when the certificate and the private key supplied for the replacement do not match.

Resolution

Use the private key provided by the Certificate Authority and choose the option "Replace with external CA certificate (requires private key)" instead.

Additional Information

If the private key is encrypted (opening the file shows "-----BEGIN ENCRYPTED PRIVATE KEY-----"), you will need to decrypt it first. Using OpenSSL, which is available on the vCenter, the command to decrypt an RSA private key is

openssl rsa -in <encrypted_private.key> -out <decrypted_private.key>

Note: replace <encrypted_private.key> and <decrypted_private.key> with the proper file names and provide the password when prompted. The "openssl rsa" command only handles RSA keys; "openssl pkey -in <encrypted_private.key> -out <decrypted_private.key>" performs the same decryption for any key type. The decrypted file contains the key in cleartext, so delete it once the certificate replacement has completed.


Prior to implementing the certificate replacement, compare the MD5 hash of the RSA modulus of the CSR, private key, and certificate; all three hashes must be identical. (This modulus check applies to RSA keys only, since EC keys have no modulus.)

openssl x509 -in certificate.crt -noout -modulus | openssl md5
openssl rsa -in privatekey.key -noout -modulus | openssl md5
openssl req -in CSR.csr -noout -modulus | openssl md5
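As an added example that is not part of this article, the POSIX shell script below wraps the three checks into one function. It generalises the modulus comparison by fingerprinting the SubjectPublicKeyInfo of the certificate, private key and CSR, so the same check also works for EC keys; the file paths are placeholders you pass as arguments.

```shell
#!/bin/sh
# Print the public key carried by a certificate, private key or CSR in the
# same PEM (SubjectPublicKeyInfo) form so the three can be compared directly.
pubkey_of() {
  case "$1" in
    cert) openssl x509 -in "$2" -noout -pubkey ;;
    key)  openssl pkey -in "$2" -pubout ;;   # prompts for the passphrase if encrypted
    csr)  openssl req -in "$2" -noout -pubkey ;;
    *)    echo "usage: pubkey_of cert|key|csr FILE" >&2; return 2 ;;
  esac
}

# SHA-256 fingerprint of the DER-encoded public key. Fails (rather than
# hashing empty input) when the file cannot be read or parsed.
pubkey_fp() {
  pem=$(pubkey_of "$1" "$2") || return 2
  [ -n "$pem" ] || return 2
  printf '%s\n' "$pem" | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# check_match CERT KEY [CSR]
# Returns 0 and prints MATCH when every file carries the same public key,
# 1 on a mismatch, 2 when a file could not be processed.
check_match() {
  cert_fp=$(pubkey_fp cert "$1") || return 2
  key_fp=$(pubkey_fp key "$2") || return 2
  [ "$cert_fp" = "$key_fp" ] || { echo "MISMATCH: certificate vs private key" >&2; return 1; }
  if [ -n "$3" ]; then
    csr_fp=$(pubkey_fp csr "$3") || return 2
    [ "$cert_fp" = "$csr_fp" ] || { echo "MISMATCH: certificate vs CSR" >&2; return 1; }
  fi
  echo "MATCH: $cert_fp"
}
```

Run it as "check_match machine_ssl.crt machine_ssl.key machine_ssl.csr" before starting the replacement; a non-zero exit status means the files should not be used together.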