Pivotal Cloud Foundry versions 1.10 and 1.11
This article discusses how to resolve an issue where, after configuring the UAA SAML certificate in the ERT with a CA-signed certificate, the error "Certificate does not match private key." is written to uaa.log even though the certificate and key were generated as a pair.
Private keys generated by openssl req with a recent OpenSSL (such as OpenSSL 1.0.2d 9 Jul 2015), in a single step together with the CSR, like:
openssl req -out PCF-CSR.csr -nodes -keyout PCF-Key.key -newkey rsa:2048 -new
are parsed incorrectly by the UAA, causing an exception to be thrown. Keys generated in this way take a code path in the UAA's key parser that does not populate the public key information the UAA needs to compare the key against the certificate, so the comparison fails and the "Certificate does not match private key." error is logged.
The current workaround is to generate the private key on its own first, and only then create the CSR from that key, like:
openssl genrsa -out PCF-Key.key 2048
openssl req -out PCF-CSR.csr -nodes -key PCF-Key.key -config openssl.cnf -new
When private keys are generated using genrsa, they have a slightly different on-disk format that the UAA is able to parse correctly at this time.
The difference between running genrsa first and using req to generate the private key and the CSR simultaneously is the PEM container: req -newkey writes a PKCS#8 PrivateKeyInfo file (PEM header "BEGIN PRIVATE KEY") in which the RSAPrivateKey structure is embedded as an OCTET STRING inside an outer ASN.1 SEQUENCE that also carries the algorithm identifier, whereas genrsa writes a PKCS#1 file (PEM header "BEGIN RSA PRIVATE KEY") in which the RSAPrivateKey is itself the top-level ASN.1 entity. The RSA key material is identical in both cases; only the wrapping differs. An existing req-generated key can therefore be reused if it is rewritten in the PKCS#1 form instead of being regenerated.
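The following is an added example, not code from the Pivotal article or from the UAA, that makes the structural difference above concrete: it builds the two PEM containers for the same RSA key, classifies a key file by its ASN.1 layout rather than by its PEM header, unwraps a PKCS#8 key into the PKCS#1 form the UAA parses correctly, and extracts the modulus so it can be compared against the certificate. It uses only the Python standard library with a minimal DER encoder and parser; the key material is a constructed toy (the textbook p=61, q=53 key), and the function names (key_format, unwrap_pkcs8, to_pkcs1, modulus) are this example's own.

```python
"""Distinguish PKCS#8 (openssl req -newkey) from PKCS#1 (openssl genrsa) RSA
private key files and convert the former to the latter.  Added example; not
part of the Pivotal KB article or of UAA.  Standard library only."""
import base64
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")  # OID 1.2.840.113549.1.1.1 rsaEncryption

# ---- minimal DER encoding (used only to construct the sample keys) ----
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_int(v):
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:                # keep the INTEGER positive
        b = b"\x00" + b
    return der(0x02, b)

def pem(label, body):
    b64 = base64.b64encode(body).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"

# ---- minimal DER parsing ----
def tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    return tag, buf[start:start + length], start + length

def children(seq_value):
    out, pos = [], 0
    while pos < len(seq_value):
        tag, val, pos = tlv(seq_value, pos)
        out.append((tag, val))
    return out

def pem_to_der(text):
    m = re.search(r"-----BEGIN ([^-]+)-----(.*?)-----END \1-----", text, re.S)
    return m.group(1), base64.b64decode("".join(m.group(2).split()))

def key_format(pem_text):
    """'pkcs8' if the top-level SEQUENCE is PrivateKeyInfo (version,
    AlgorithmIdentifier SEQUENCE, OCTET STRING); 'pkcs1' if it is a plain
    RSAPrivateKey (nine INTEGERs); 'unknown' otherwise (e.g. encrypted keys)."""
    _, d = pem_to_der(pem_text)
    tag, body, _ = tlv(d)
    if tag != 0x30:
        return "unknown"
    fields = children(body)
    if len(fields) >= 3 and fields[1][0] == 0x30 and fields[2][0] == 0x04:
        return "pkcs8"
    if len(fields) == 9 and all(t == 0x02 for t, _ in fields):
        return "pkcs1"
    return "unknown"

def unwrap_pkcs8(pem_text):
    """Return the RSAPrivateKey DER embedded in a PKCS#8 PrivateKeyInfo."""
    _, d = pem_to_der(pem_text)
    _, body, _ = tlv(d)
    _version, alg, octets = children(body)[:3]
    if children(alg[1])[0][1] != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    return octets[1]                 # OCTET STRING content is the PKCS#1 structure

def to_pkcs1(pem_text):
    """Rewrite a req-style (PKCS#8) key as a genrsa-style (PKCS#1) PEM file."""
    if key_format(pem_text) == "pkcs1":
        return pem_text
    return pem("RSA PRIVATE KEY", unwrap_pkcs8(pem_text))

def modulus(rsa_private_key_der):
    """Second INTEGER of RSAPrivateKey is n; compare it with the certificate's."""
    _, body, _ = tlv(rsa_private_key_der)
    return int.from_bytes(children(body)[1][1], "big")

# ---- constructed sample input: toy key p=61, q=53 (NOT a real key) ----
def build_samples():
    n, e, d, p, q = 3233, 17, 2753, 61, 53
    rsa = der(0x30, b"".join(der_int(v) for v in (0, n, e, d, p, q, d % (p - 1), d % (q - 1), 38)))
    alg = der(0x30, der(0x06, RSA_OID) + b"\x05\x00")        # rsaEncryption, NULL params
    pkcs8 = der(0x30, der_int(0) + alg + der(0x04, rsa))   # PrivateKeyInfo wraps rsa
    return pem("RSA PRIVATE KEY", rsa), pem("PRIVATE KEY", pkcs8)

GENRSA_STYLE, REQ_STYLE = build_samples()

if __name__ == "__main__":
    print(key_format(GENRSA_STYLE), key_format(REQ_STYLE))
    print(to_pkcs1(REQ_STYLE) == GENRSA_STYLE, modulus(unwrap_pkcs8(REQ_STYLE)))
```

On a real PCF key, run to_pkcs1 over the contents of PCF-Key.key and paste the result into the ERT; the modulus it returns should equal the modulus shown by openssl x509 -noout -modulus for the signed certificate. The same conversion is what openssl rsa -in PCF-Key.key -out PCF-Key.key performs on OpenSSL 1.x; on OpenSSL 3.x that command writes PKCS#8 by default and needs the -traditional flag to produce the genrsa-style file.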
The issue is fixed in UAA version 4.5.0, which is expected to ship as part of PCF 1.12; until then, use the genrsa workaround above.