Administrators may see the vCenter alarm “Key Provider Not Backed Up” and, when attempting to back up a vSphere Native Key Provider, receive the message “Back up of Native Key Provider has failed.” The backup dialog errors out without producing the .p12 file and repeating the operation continues to fail. The problem can occur even though vCenter services appear healthy and there are no obvious errors in the user interface or standard logs.

VMware vCenter Server

The failure occurs when the vSphere Client is accessed through an HTTP(S) alias (for example, a load balancer FQDN, short name, or alternate DNS entry) instead of the vCenter Server’s Primary Network Identifier (PNID) or official FQDN. Backing up the Native Key Provider uses strict security checks tied to the vCenter identity, and these checks can fail silently when the hostname used in the browser does not match the PNID/FQDN that vCenter expects for sensitive operations such as NKP export.

1. Log out of the vSphere Client.
2. Reconnect to vCenter using the exact PNID/FQDN of the vCenter Server instance, not an alias or alternate URL.
3. Navigate to:
   
   vCenter object → Configure → Security → Key Providers.


4. Select the Native Key Provider with status “Not Backed Up” and click Back Up.
5. Optionally enable password protection, confirm the password prompt, and download the .p12 file to a secure location.
6. Verify that the key provider status changes from “Not Backed Up” to “Backed Up/Active” and that the “Key Provider Not Backed Up” alarm clears.​

Backing up the NKP from the correct vCenter FQDN allows the backup operation to complete successfully and produces the expected PKCS#12 file, ensuring that encrypted workloads can be recovered in a disaster scenario.