Pivotal Knowledge Base

UAA showing "Certificate does not match private key" error when configuring SAML certs

Environment

Pivotal Cloud Foundry: 1.10 & 1.11

Purpose

This article explains how to resolve an issue where, after configuring the UAA SAML certificates in the ERT with a signed certificate, the error "Certificate does not match private key." appears in the UAA.log.

Private keys generated with openssl req using a recent OpenSSL (such as OpenSSL 1.0.2d 9 Jul 2015), for example:

openssl req -out PCF-CSR.csr -nodes -keyout PCF-Key.key -newkey rsa:2048 -new

are parsed incorrectly by UAA, causing an exception to be thrown. Keys generated this way take a code path in UAA's key parsing where they end up without the public key information needed to pass the comparison with the certificate.

Procedure

The current workaround is to generate the private key first and then create the CSR from it, like:

openssl genrsa -out PCF-Key.key 2048

openssl req -out PCF-CSR.csr -nodes -key PCF-Key.key -config openssl.cnf -new

When private keys are generated using genrsa, they have a slightly different format that the UAA is able to parse correctly at this time.

The difference between running genrsa first and using req to generate the private key and the CSR in one step is that the latter produces a PEM-encoded file in which the private key is an embedded ASN.1 entity, whereas the former produces a PEM-encoded file in which the private key is the top-level entity.
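The following Python is an added illustration, not code from this article or from UAA, of the structural difference just described: the "RSA PRIVATE KEY" block that genrsa writes is a PKCS#1 RSAPrivateKey at the top level, while the "PRIVATE KEY" block that req -newkey writes is a PKCS#8 PrivateKeyInfo that embeds the same DER inside an OCTET STRING. It identifies which form a PEM file is in and unwraps the PKCS#8 form into PKCS#1; the RSA parameters are a constructed toy key, and the DER helpers and function names are this example's own.

```python
import base64, re

# Minimal DER helpers written for this example (no external libraries).
def der_len(n):
    b = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return b if n < 0x80 else bytes([0x80 | len(b)]) + b
def der_int(v):  # positive INTEGER; a leading 0x00 is added when the high bit is set
    b = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + der_len(len(b)) + b
def der_seq(*items):
    body = b"".join(items)
    return b"\x30" + der_len(len(body)) + body
def read_tlv(buf, pos):  # returns (tag, value, position after the element)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

RSA_ALGID = bytes.fromhex("300d06092a864886f70d0101010500")  # AlgorithmIdentifier { rsaEncryption, NULL }

def pkcs1_rsa_private_key(p, q, e):
    """PKCS#1 RSAPrivateKey: a top-level SEQUENCE of INTEGERs, the layout genrsa writes."""
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    fields = (0, n, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p))
    return der_seq(*(der_int(x) for x in fields))
def pkcs8_wrap(pkcs1_der):
    """PKCS#8 PrivateKeyInfo: the same key embedded in an OCTET STRING, as req -newkey writes it."""
    return der_seq(der_int(0), RSA_ALGID, b"\x04" + der_len(len(pkcs1_der)) + pkcs1_der)

def to_pem(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"
def pem_der(pem):
    return base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))
def pem_label(pem):  # "PRIVATE KEY" = PKCS#8 (req -newkey); "RSA PRIVATE KEY" = PKCS#1 (genrsa)
    return re.search(r"-----BEGIN ([A-Z ]+)-----", pem).group(1)

def pkcs8_to_pkcs1(pem):
    """Unwrap an unencrypted PKCS#8 RSA key into the PKCS#1 PEM the affected UAA versions parse."""
    _, info, _ = read_tlv(pem_der(pem), 0)              # outer SEQUENCE (PrivateKeyInfo)
    t1, ver, pos = read_tlv(info, 0)                    # INTEGER version 0
    t2, algid, pos = read_tlv(info, pos)                # AlgorithmIdentifier
    t3, inner, _ = read_tlv(info, pos)                  # OCTET STRING carrying the RSAPrivateKey
    if (t1, ver, t2, algid, t3) != (0x02, b"\x00", 0x30, RSA_ALGID[2:], 0x04):
        raise ValueError("not an unencrypted PKCS#8 RSA key")
    return to_pem("RSA PRIVATE KEY", inner)

# Toy RSA parameters (constructed and insecure) keep the example self-contained and offline.
PKCS1_PEM = to_pem("RSA PRIVATE KEY", pkcs1_rsa_private_key(61, 53, 17))
PKCS8_PEM = to_pem("PRIVATE KEY", pkcs8_wrap(pem_der(PKCS1_PEM)))
```

For a real key on OpenSSL 1.0.x, checking the BEGIN line of PCF-Key.key tells you which form you have, and "openssl rsa -in PCF-Key.key -out PCF-Key.key" rewrites it in the PKCS#1 form shown above.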

Additional Information

The issue is fixed in UAA version 4.5.0, which is expected to ship as part of PCF 1.12.
