Symptoms
Using the vSphere Certificate Manager to replace the Machine SSL or Root Certificate with a Custom Certificate fails. Certificate Manager shows the following error during replacement:
ERROR:: INVALID_KEY, the private key does not match the certificate. Please
provide a valid certificate and Key pair.
Cause
The issue only occurs when all of the following conditions are met:
vCenter Server is version 8.0.2 or above
vSphere Certificate Manager is used to generate the Certificate Signing Request
The folder /tmp is selected as the target location when exporting the CSR and the Key
Impact / Risks
vCenter Certificate replacement using Custom Certificate fails because of a mismatch in the Certificate and the Private Key.
Resolution
Engineering is aware of this issue and working to resolve it in a future release. Please subscribe to this article to be made aware once a fix has been made available.
Workaround
Do not use /tmp as a directory location to export the CSR and the key, but instead use a different folder (such as /storage/core) as the target location for both the certificate request and key.
Related Information
You can use the following commands to run an MD5 check:
To view the md5 hash of the modulus of the CSR:
# openssl req -in <path to the CSR file> -noout -modulus | openssl md5 -non-fips-allow
To view the md5 hash of the modulus of the Private Key:
# openssl rsa -in <path to the Private Key file> -noout -modulus | openssl md5 -non-fips-allow
To view the md5 hash of the modulus of the certificate:
# openssl x509 -in <path to the Certificate file> -noout -modulus | openssl md5 -non-fips-allow
Example:
[ ~ ]# openssl rsa -noout -modulus -in vmca_issued_key.key |openssl md5 -non-fips-allow
(stdin)= cf42ca065f24b367112e41251ce47b99
[ ~ ]# openssl req -noout -modulus -in vmca_issued_csr.csr |openssl md5 -non-fips-allow
(stdin)= cf42ca065f24b367112e41251ce47b99
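The checks above compare the MD5 of the modulus by eye, one command at a time. The script below, added here as an example and not part of the KB article or of the vSphere Certificate Manager, does the same comparison in one step: it extracts the RSA modulus from a key, CSR or certificate (detecting the file type from its PEM header) and reports whether all the files given share one modulus, which is exactly the condition Certificate Manager is enforcing when it reports INVALID_KEY. Comparing the raw modulus strings is equivalent to comparing their hashes, so no md5 step is needed; that also avoids the -non-fips-allow option, which is accepted by the OpenSSL build on the appliance but not by current OpenSSL releases. File names such as good.key and the CN vcenter.example.test are placeholders constructed for the self-test.

```shell
#!/bin/sh
# Added example (not from the KB article): verify that a private key, a CSR
# and/or a certificate belong together by comparing their RSA moduli.
# Assumes a POSIX shell and the openssl CLI. All file names are placeholders.
set -eu

# Print "Modulus=..." for a PEM file; the file type is taken from its PEM header.
# The CSR header also contains the word CERTIFICATE, so test for REQUEST first.
modulus_of() {
    f="$1"
    if grep -q 'CERTIFICATE REQUEST' "$f"; then
        openssl req -in "$f" -noout -modulus
    elif grep -q 'BEGIN CERTIFICATE' "$f"; then
        openssl x509 -in "$f" -noout -modulus
    else
        openssl rsa -in "$f" -noout -modulus
    fi
}

# Return 0 when every file given shares the modulus of the first one, 1 otherwise.
# This is the check that fails with INVALID_KEY when the CSR and key were
# exported to /tmp on the affected vCenter versions.
keypair_matches() {
    ref="$(modulus_of "$1")"
    shift
    for f in "$@"; do
        [ "$(modulus_of "$f")" = "$ref" ] || return 1
    done
    return 0
}

# Build a constructed fixture in a temporary directory: one matching
# key/CSR/certificate set and one unrelated key. Prints the directory path.
make_fixture() {
    d="$(mktemp -d)"
    openssl genrsa -out "$d/good.key" 2048 2>/dev/null
    openssl req -new -key "$d/good.key" -subj "/CN=vcenter.example.test" \
        -out "$d/good.csr" 2>/dev/null
    openssl x509 -req -in "$d/good.csr" -signkey "$d/good.key" -days 1 \
        -out "$d/good.crt" 2>/dev/null
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
    echo "$d"
}

# Usage: sh check_keypair.sh <key> <csr or cert> [more files...]
if [ "$#" -ge 2 ]; then
    if keypair_matches "$@"; then
        echo "MATCH: all files share one modulus"
    else
        echo "MISMATCH: private key does not match the certificate/CSR"
        exit 1
    fi
fi
```

Run it against the exported key and CSR before handing the CSR to the CA, and again against the key and the returned certificate before starting Certificate Manager; a MISMATCH at the first step is the symptom this article describes, and the fix is to re-export both files to a directory other than /tmp.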
Further references:
Replacing a vSphere 6.x Machine SSL certificate with a Custom Certificate Authority Signed Certificate
How to file a Support Request in Customer Connect