When attempting to replace the Machine SSL custom certificate on vCenter Server Appliance (VCSA) using the certificate-manager utility, the operation fails at 85% completion. The tool attempts a rollback, which may also report errors.
The certificate-manager.log contains the following error pattern indicating a service startup failure:
xxxx-xx-xxTxx:xx:xx.xxxZ ERROR certificate-manager {
    "problemId": null,
    "resolution": null,
    "detail": [
        {
            "localized": "An error occurred while invoking external command : 'None'",
            "args": [
                "None"
            ],
            "translatable": "An error occurred while invoking external command : '%(0)s'",
            "id": "install.ciscommon.command.errinvoke"
        },
        "Error while starting services, please see service-control log for more details"
    ],
    "componentKey": null
}
Versions: 7.x, 8.x
The issue is caused by a mismatch between the Machine SSL Certificate file (public key) and the Private Key file supplied during the installation. If the Private Key does not mathematically correspond to the Certificate (for example, a different key was used to generate the CSR, or the files were mixed up), the vCenter services cannot load the certificate and key pair they need to start.
Validate the Certificate and Key Pair
Before attempting the installation, verify that the modulus of the certificate and the modulus of the key match using OpenSSL.
Run the following commands on the VCSA shell:
# 1. Get the modulus MD5 hash of the Certificate
openssl x509 -noout -modulus -in /path/to/your_certificate.crt | openssl md5
# 2. Get the modulus MD5 hash of the Private Key
openssl rsa -noout -modulus -in /path/to/your_private.key | openssl md5
If the two hashes match, proceed with the certificate update by following KB 316601. If they differ, the certificate and key do not belong together; locate the private key that was used to generate the CSR (or generate a new CSR and key pair) before retrying certificate-manager.
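The following shell script is an added example, not part of the KB article, that automates the same pre-installation check. Instead of comparing RSA moduli it compares the full public key extracted from the certificate with the public key derived from the private key, which generalizes the check to EC keys as well (openssl rsa -modulus only works for RSA). The certificate and key files it generates are constructed test material in a temporary directory; on a real VCSA you would point cert_key_match at the files you intend to hand to certificate-manager.

```shell
#!/bin/sh
# Added example (not from the KB): confirm that a certificate and a private key
# belong together before running certificate-manager. Compares the SPKI public
# key in the certificate with the public key derived from the private key, so
# it works for RSA and EC keys alike.

cert_key_match() {
    cert="$1"
    key="$2"
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "cannot read certificate: $cert" >&2
        return 2
    }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || {
        echo "cannot read private key: $key" >&2
        return 2
    }
    if [ "$cert_pub" = "$key_pub" ]; then
        echo "MATCH: $cert and $key share the same public key"
        return 0
    fi
    echo "MISMATCH: $key does not correspond to $cert" >&2
    return 1
}

# Constructed demo material: a self-signed cert with its matching key, plus an
# unrelated key to show the mixed-up-files failure the KB describes.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=vcsa.example.test" \
    -keyout "$demo_dir/good.key" -out "$demo_dir/machine_ssl.crt" >/dev/null 2>&1
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$demo_dir/other.key" >/dev/null 2>&1

cert_key_match "$demo_dir/machine_ssl.crt" "$demo_dir/good.key"
cert_key_match "$demo_dir/machine_ssl.crt" "$demo_dir/other.key" || true
```

Run it before invoking certificate-manager; a non-zero exit from cert_key_match means the pair should not be installed, which avoids the 85% failure and the rollback described above.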