
Using the vSphere Certificate Manager to replace the Machine SSL or Root Certificate with a Custom Certificate fails. Certificate Manager shows the following error during replacement:

    ERROR:: INVALID_KEY, the private key does not match the certificate. Please provide a valid certificate and Key pair.

The issue only occurs when all of the following conditions are met:
- vCenter Server is in version 8.0.2 or above
- vSphere Certificate Manager is used to generate the Certificate Signing Request
- The folder /tmp is selected as the target location when exporting the CSR and the Key.
vCenter Certificate replacement using Custom Certificate fails because of a mismatch in the Certificate and the Private Key.
Engineering is aware of this issue and working to resolve it in a future release. Please subscribe to this article to be made aware once a fix has been made available.
Do not use /tmp as a directory location to export the CSR and the key, but instead use a different folder (such as /storage/core) as the target location for both the certificate request and key.
You can use the following commands to run an MD5 check:

To view the md5 hash of the modulus of the CSR:

    # openssl req -in <path to the CSR file> -noout -modulus | openssl md5 -non-fips-allow

To view the md5 hash of the modulus of the Private Key:

    # openssl rsa -in <path to the Private Key file> -noout -modulus | openssl md5 -non-fips-allow

To view the md5 hash of the modulus of the certificate:

    # openssl x509 -in <path to the Certificate file> -noout -modulus | openssl md5 -non-fips-allow

Example:

    [ ~ ]# openssl rsa -noout -modulus -in vmca_issued_key.key | openssl md5 -non-fips-allow
    (stdin)= cf42ca065f24b367112e41251ce47b99
    [ ~ ]# openssl req -noout -modulus -in vmca_issued_csr.csr | openssl md5 -non-fips-allow
    (stdin)= cf42ca065f24b367112e41251ce47b99

Further references:
- Replacing a vSphere 6.x Machine SSL certificate with a Custom Certificate Authority Signed Certificate
- How to file a Support Request in Customer Connect
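The key, CSR and certificate consistency check above, wrapped as a script that compares all three files in one run. This is an added example, not code from the original article: it swaps the MD5-of-modulus comparison for a SHA-256 digest of the public key, so it needs no -non-fips-allow and also covers non-RSA keys. The function names pubkey_fp and check_match are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original article).
# Verifies that a private key, a CSR and a certificate carry the same public key
# before the files are handed to Certificate Manager.

# pubkey_fp TYPE FILE
# Prints the SHA-256 hex digest of the DER-encoded public key found in FILE.
# TYPE is one of: key | csr | cert. Returns 1 if FILE cannot be parsed.
pubkey_fp() {
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null)      || return 1 ;;
        csr)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        *)    return 2 ;;
    esac
    # Guard against hashing empty input, which would yield a valid-looking digest.
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 -r \
        | cut -d' ' -f1
}

# check_match KEY CSR CERT
# Exit status: 0 = all three share one public key, 1 = mismatch, 2 = unreadable file.
check_match() {
    k=$(pubkey_fp key  "$1") || { echo "cannot read key: $1" >&2; return 2; }
    r=$(pubkey_fp csr  "$2") || { echo "cannot read CSR: $2" >&2; return 2; }
    c=$(pubkey_fp cert "$3") || { echo "cannot read certificate: $3" >&2; return 2; }
    echo "key   $k"
    echo "csr   $r"
    echo "cert  $c"
    [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# Run the check only when the script is given exactly three paths.
if [ "$#" -eq 3 ]; then
    if check_match "$1" "$2" "$3"; then
        echo "MATCH: key, CSR and certificate belong together"
    else
        echo "MISMATCH or unreadable input: do not import this set" >&2
        exit 1
    fi
fi
```

Invoke it with the three paths in the order key, CSR, certificate; a non-zero exit status means the set should not be supplied to Certificate Manager.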