After a reboot or certificate update, the TCA-CP management interface (GUI) is inaccessible and returns a connection error. Log analysis of the istio-ingressgateway pods in the tca-cp-cn namespace reveals the following error:
ADS:SDS: ACK ERROR ... OPENSSL_internal:KEY_VALUES_MISMATCH
This indicates a cryptographic inconsistency: the private key in the secret does not match the public key of the certificate it was paired with, so Envoy rejects the secret delivered over SDS and the TLS listener for the GUI never comes up.
Cross-referencing the certificate Common Name (CN) and Subject Alternative Name (SAN) entries confirmed that the certificate had been issued for a different FQDN/IP, i.e. it belongs to another instance rather than to this TCA-CP.
Run the following from the appliance where the .pem file is located to see which FQDN/IP the certificate was issued for:
openssl x509 -in ingress-cert.pem -text -noout | grep -E "Subject:|DNS:"
Compare the names shown against the FQDN/IP used to reach this TCA-CP instance.
An identity mismatch of this kind occurs when a certificate is imported that does not correspond to the private key held by the local TCA-CP instance; the Envoy-based istio-ingressgateway then fails to initialize its TLS listener, which is why the GUI is unreachable.
Correct the mismatch by patching the Kubernetes secret with the Base64-encoded certificate and private key pair that belong to the local TCA-CP instance.
Obtain the correct certificate (.pem) and private key (.key) pair for the local TCA-CP instance and Base64-encode both as a single line:
export CERT_B64=$(cat <correct_local_cert>.pem | base64 -w 0)
export KEY_B64=$(cat <correct_local_key>.key | base64 -w 0)
Patch the ingress TLS secret in the tca-cp-cn namespace:
kubectl patch secret ingress-tls-secret \
  -n tca-cp-cn \
  -p "{\"data\":{\"tls.crt\":\"$CERT_B64\",\"tls.key\":\"$KEY_B64\"}}"
Restart the ingress gateway so it picks up the new secret:
kubectl rollout restart deployment istio-ingressgateway -n tca-cp-cn
Afterwards confirm that the istio-ingressgateway pods are Running and that the ADS:SDS KEY_VALUES_MISMATCH error no longer appears in their logs before retrying the GUI.
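The following script is an added example, not code from the original article or from the TCA-CP product. It ties the diagnosis above (does the private key actually belong to the certificate, and does the certificate cover this instance's FQDN/IP) to the patch step, refusing to touch the secret unless both checks pass. It assumes the openssl CLI is available; the secret name ingress-tls-secret, the namespace tca-cp-cn and the deployment name are taken from the procedure above, the certificate/key file names and the host name tca-cp.example.com are placeholders. The cert/key comparison hashes the DER SubjectPublicKeyInfo derived from each side, which works for RSA and EC keys alike.

```shell
#!/usr/bin/env bash
# Added example (not part of the original KB article): pre-flight checks for the
# TCA-CP ingress certificate fix. It verifies that a certificate and private key
# belong together (the condition Envoy reports as KEY_VALUES_MISMATCH when it
# fails), that the certificate covers the expected FQDN/IP, and only then builds
# and applies the JSON patch for the ingress secret. Assumes the openssl CLI.

# Stable fingerprint of a public key: DER SubjectPublicKeyInfo hashed with SHA-256.
pubkey_fp_from_cert() {
  openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}
pubkey_fp_from_key() {
  openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds only when the key in $2 is the private half of the public key in cert $1.
cert_key_match() {
  local cert_fp key_fp
  cert_fp=$(pubkey_fp_from_cert "$1")
  key_fp=$(pubkey_fp_from_key "$2")
  [ -n "$cert_fp" ] && [ "$cert_fp" = "$key_fp" ]
}

# Succeeds when $2 (a DNS name or IP literal) appears in the SAN list or the CN of cert $1.
# The -ext option needs OpenSSL 1.1.1+; on older builds the SAN step is skipped and
# only the CN is checked.
cert_covers_name() {
  local cert="$1" name="$2"
  openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' | grep -qE "^ *(DNS|IP Address):${name}$" && return 0
  openssl x509 -in "$cert" -noout -subject | grep -qE "CN ?= ?${name}(,|/|$)"
}

# Emits the patch body used by 'kubectl patch secret'. Uses 'openssl base64 -A'
# (single-line output) instead of GNU 'base64 -w 0' so it also works on macOS.
build_secret_patch() {
  local cert_b64 key_b64
  cert_b64=$(openssl base64 -A -in "$1")
  key_b64=$(openssl base64 -A -in "$2")
  printf '{"data":{"tls.crt":"%s","tls.key":"%s"}}' "$cert_b64" "$key_b64"
}

# Runs both checks and, only if they pass, patches the secret and restarts the
# gateway. Set DRY_RUN=1 to print the kubectl commands instead of executing them.
fix_ingress_tls() {
  local cert="$1" key="$2" name="$3" patch
  cert_key_match "$cert" "$key" \
    || { echo "refusing: private key $key does not match $cert" >&2; return 1; }
  cert_covers_name "$cert" "$name" \
    || { echo "refusing: $cert is not issued for $name (wrong instance?)" >&2; return 1; }
  patch=$(build_secret_patch "$cert" "$key")
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "kubectl patch secret ingress-tls-secret -n tca-cp-cn -p '$patch'"
    echo "kubectl rollout restart deployment istio-ingressgateway -n tca-cp-cn"
    return 0
  fi
  kubectl patch secret ingress-tls-secret -n tca-cp-cn -p "$patch" \
    && kubectl rollout restart deployment istio-ingressgateway -n tca-cp-cn
}

# Usage (placeholders): DRY_RUN=1 ./check-ingress-tls.sh <correct_local_cert>.pem <correct_local_key>.key tca-cp.example.com
if [ "$#" -eq 3 ]; then
  fix_ingress_tls "$@"
fi
```

Run it first with DRY_RUN=1 to see the exact patch that would be applied; a cert/key pair from another TCA-CP instance is rejected before any kubectl call, which is the mistake that produced the KEY_VALUES_MISMATCH error in the first place.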