vSphere Certificate Manager is used to generate a CSR and error message "private key does not match the certificate" is received in vCenter version 8.0.2 and above

Article ID: 326218

Updated On: 04-04-2025

Products

VMware vCenter Server

Issue/Introduction

Symptoms:

  • Using the vSphere Certificate Manager to replace the Machine SSL or Root Certificate with Custom Certificate fails.
  • Certificate Manager shows the following error during replacement:
    ERROR:: INVALID_KEY, the private key does not match the certificate. Please 
    provide a valid certificate and Key pair.
  • Certificate management in vSphere UI shows the following error:

Environment

VMware vCenter Server 8.0.2
VMware vCenter Server 8.0.3

Cause

The issue only occurs when all of the following conditions are met:

  • vCenter Server is in version 8.0.2 or above
  • vSphere Certificate Manager is used to generate the Certificate Signing Request
  • The folder /tmp or /var/tmp is selected as the target location when exporting the CSR and the Key.

Resolution

Engineering is aware of this issue and working to resolve it in a future release.
Please subscribe to this article to be made aware once a fix has been made available.


Workaround:

Do not use /tmp and /var/tmp as a directory location to export the CSR and the key, but instead use a different folder (such as /storage/core) as the target location for both the certificate request and key.

Additional Information

You can use the following commands to compare the SHA-256 hash of the modulus of the CSR, the Private Key and the certificate (a key that belongs to a given CSR or certificate produces the same modulus hash):

  • To view the SHA-256 hash of the modulus of the CSR:
    # openssl req -in <path to the CSR file> -noout -modulus | openssl sha256
  • To view the SHA-256 hash of the modulus of the Private Key:
    # openssl rsa -in <path to the Private Key file> -noout -modulus | openssl sha256
  • To view the SHA-256 hash of the modulus of the certificate:
    # openssl x509 -in <path to the Certificate file> -noout -modulus | openssl sha256


Example: 

[ ~ ]# openssl rsa -noout -modulus -in vmca_issued_key.key |openssl sha256 
SHA2-256(stdin)= 4c6e43cfbfffff3d5684c4d45f767e5555555504fde2007d111111111111111
[ ~ ]# openssl req -noout -modulus -in vmca_issued_csr.csr |openssl sha256
SHA2-256(stdin)= 4c6e43cfbfffff3d5684c4d45f767e5555555504fde2007d111111111111111
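The following script is an added example and is not part of the KB article or of VMware's tooling. It wraps the modulus-hash comparison shown above in POSIX sh functions so that a key/CSR/certificate mismatch (the INVALID_KEY condition the article describes) is reported as an exit status instead of two hashes to compare by eye. The file names, the subject `/CN=vcenter.example.test` and the throwaway keys the demo generates are constructed for the example; on the appliance you would point `key_matches` at your exported CSR and key (exported, per the workaround, to a folder such as /storage/core rather than /tmp).

```shell
#!/bin/sh
# Added example, not from the KB article: compare the SHA-256 hash of the RSA
# modulus of a private key against a CSR or certificate, the same check the
# article performs with "openssl ... -noout -modulus | openssl sha256".
# Works with OpenSSL 1.1 and 3.x; RSA objects only (the check compares the
# RSA modulus, which EC keys do not have).

# Print the SHA-256 hash of the modulus of a PEM object.
#   $1: object type, one of key|req|x509
#   $2: path to the PEM file
# Fails (non-zero, nothing printed) if the file cannot be parsed, so that two
# unreadable files never "match" on the hash of an empty modulus.
modulus_hash() {
    kind=$1; file=$2
    case "$kind" in
        key)  cmd=rsa ;;
        req)  cmd=req ;;
        x509) cmd=x509 ;;
        *)    echo "modulus_hash: unknown object type '$kind'" >&2; return 2 ;;
    esac
    mod=$(openssl "$cmd" -in "$file" -noout -modulus 2>/dev/null) || return 1
    [ -n "$mod" ] || return 1
    # Hash exactly the bytes the article's pipeline hashes: "Modulus=<hex>\n".
    # The sed strips the "SHA2-256(stdin)= " / "(stdin)= " prefix of either OpenSSL version.
    printf '%s\n' "$mod" | openssl sha256 | sed 's/^.*= *//'
}

# Return 0 when the private key in $1 and the CSR or certificate in $2 share a
# modulus, 1 on a mismatch (the article's INVALID_KEY condition), 2 if either
# file cannot be parsed. $3 is the type of the second file: req (default) or x509.
key_matches() {
    key_file=$1; other_file=$2; other_kind=${3:-req}
    k=$(modulus_hash key "$key_file") || return 2
    o=$(modulus_hash "$other_kind" "$other_file") || return 2
    if [ "$k" = "$o" ]; then
        echo "MATCH    $key_file <-> $other_file ($k)"
        return 0
    fi
    echo "MISMATCH $key_file ($k) vs $other_file ($o)" >&2
    return 1
}

# Demo with throwaway, locally generated material (constructed for this
# example; not the vmca_issued_* files from the article). The scratch directory
# is only for these disposable test keys; real exports follow the workaround
# (not /tmp or /var/tmp). Returns 0 when the matching pair is reported as a
# match AND an unrelated key is rejected against the same CSR and certificate.
run_demo() {
    work=$(mktemp -d) || return 2
    subj='/CN=vcenter.example.test'   # placeholder subject, not a real host
    openssl genrsa -out "$work/good.key"  2048 2>/dev/null || return 2
    openssl genrsa -out "$work/other.key" 2048 2>/dev/null || return 2
    openssl req -new -key "$work/good.key" -subj "$subj" -out "$work/good.csr" 2>/dev/null || return 2
    openssl req -new -x509 -key "$work/good.key" -subj "$subj" -days 1 -out "$work/good.crt" 2>/dev/null || return 2

    key_matches "$work/good.key" "$work/good.csr" req  || return 1
    key_matches "$work/good.key" "$work/good.crt" x509 || return 1

    # A key that did not produce the CSR/certificate must yield exactly exit 1.
    rc=0; key_matches "$work/other.key" "$work/good.csr" req  2>/dev/null || rc=$?
    [ "$rc" -eq 1 ] || return 1
    rc=0; key_matches "$work/other.key" "$work/good.crt" x509 2>/dev/null || rc=$?
    [ "$rc" -eq 1 ] || return 1

    rm -rf "$work"
    return 0
}

# Usage on real files:  key_matches /storage/core/vmca_issued_key.key /storage/core/vmca_issued_csr.csr req
run_demo
```

Because `modulus_hash` refuses to hash an empty modulus, a mistyped path or a non-RSA file produces exit status 2 rather than a false "match"; the plain `openssl ... | openssl sha256` pipeline from the article would happily print the hash of an empty string for both files in that case.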


Further references:

Replacing a vSphere 6.x Machine SSL certificate with a Custom Certificate Authority Signed Certificate

Creating and managing Broadcom support cases


Impact/Risks:

vCenter Certificate replacement using Custom Certificate fails because of a mismatch in the Certificate and the Private Key.