Failed to apply custom certificate due to corrupted key file – Error “Failed to reload service with new certificate, reverting to existing certificate.”

Article ID: 417858

Products

VCF Operations for Networks

Issue/Introduction

When attempting to install or apply a new custom SSL certificate with the following command, the process fails:

#custom-cert apply

The command returns the following error message:

Failed to reload service with new certificate, reverting to existing certificate.
Verify certificate (chain) is valid before retrying otherwise contact customer service.

Despite providing a valid certificate chain, the issue persists until the private key is re-created and re-imported.

Environment

Aria Operations for Networks

Cause

The private key file associated with the new certificate was found to be corrupted or incomplete, leading to a validation failure during the certificate reload process.

When the platform attempted to reload services using the new key–certificate pair, the mismatch triggered the fallback mechanism to revert to the existing certificate.

Resolution

1. Verify the certificate and private key details using the following openssl commands:

# Check certificate signature algorithm
openssl x509 -in /path/to/certificate.crt -text -noout | grep "Signature Algorithm"

# Check key length and type
openssl rsa -in /path/to/private.key -text -noout | grep "Private-Key"

If openssl reports an error when reading the key file of the new certificate, the key file is corrupted.
Re-create or export the private key again from the original source to ensure its integrity.

2. Additionally, validate that the key and certificate pair match:

openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in private.key | openssl md5

- The output hash from both commands must match.

- If they differ, the key does not belong to the certificate: re-generate the correct key–certificate pair before continuing.

3. Re-import the corrected private key and certificate chain into the platform.

4. Reapply the custom certificate.

The installation should complete successfully without rollback.

Additional Information

  • Both the old and new certificates used 2048-bit RSA keys and SHA256 signing algorithms, confirming that the issue was not related to unsupported cryptographic parameters.

  • This error can also appear if the certificate chain is invalid or incomplete; validating all intermediate and root CAs is recommended.

  • Running openssl rsa -check (or the grep "Private-Key" check above) against the key file detects corruption before the import is attempted.