Pivotal Knowledge Base


UAA showing "Certificate does not match private key" Error when Configuring SAML Certs


Pivotal Cloud Foundry versions 1.10 and 1.11


This article discusses how to resolve an issue where, after the UAA SAML certificate in the ERT is configured with a signed certificate and its private key, the error "Certificate does not match private key." is written to UAA.log.


Private keys generated together with the CSR by openssl req on a recent OpenSSL (for example OpenSSL 1.0.2d 9 Jul 2015), like:

openssl req -out PCF-CSR.csr -nodes -keyout PCF-Key.key -newkey rsa:2048 -new

are parsed incorrectly by UAA, causing an exception to be thrown. Keys generated in this way take a code path in the UAA key parser where the public key information is not populated, so the comparison with the certificate's public key fails and the error above is logged.


The current workaround is to generate the private key first, on its own, and then the CSR from that key, like:

openssl genrsa -out PCF-Key.key 2048

openssl req -out PCF-CSR.csr -nodes -key PCF-Key.key -config openssl.cnf -new

When private keys are generated using genrsa, they have a slightly different PEM format that the UAA is able to parse correctly at this time.

The difference between running genrsa first and using req to generate the private key and the CSR in one step is the encoding of the key file. The latter writes a PKCS#8 PEM file (header "-----BEGIN PRIVATE KEY-----"), in which the RSA private key is an embedded ASN.1 entity wrapped inside a PrivateKeyInfo structure. The former writes a PKCS#1 PEM file (header "-----BEGIN RSA PRIVATE KEY-----"), in which the RSA private key is the top-level ASN.1 entity. Checking the first line of the key file is enough to tell which encoding you have.
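The following shell script is an added example and is not part of the Pivotal article or of UAA. It reproduces both ways of generating the key, classifies each key file by its PEM header, confirms with openssl that the certificate and key really do share a modulus (the openssl check passes for both encodings, which shows that the UAA error is about the key's encoding rather than about a wrong key), and rewrites a PKCS#8 key as PKCS#1 with openssl rsa so an existing CA-signed certificate does not have to be reissued. The conversion step is an alternative to the article's regenerate-the-key workaround, not something the article states. Assumptions: the openssl CLI is on PATH, the subject name uaa.example.com is made up, the self-signed certificate stands in for the CA-signed one, and the -traditional flag (OpenSSL 3.x only) is tried first with a fallback for OpenSSL 1.x.

```shell
#!/bin/sh
# Added example, not from the Pivotal article: PKCS#8 vs PKCS#1 private keys,
# detection, conversion and a certificate/key modulus check with the openssl CLI.
set -eu

# Classify a PEM private key by its armour header.
# "RSA PRIVATE KEY" is PKCS#1 (what genrsa writes on OpenSSL 1.x; 3.x writes
# PKCS#8 for genrsa too), "PRIVATE KEY" is PKCS#8 (what "req -newkey" writes).
key_format() {
  if grep -q -- '-----BEGIN RSA PRIVATE KEY-----' "$1"; then echo pkcs1
  elif grep -q -- '-----BEGIN PRIVATE KEY-----' "$1"; then echo pkcs8
  else echo unknown
  fi
}

# Rewrite an RSA private key as PKCS#1 PEM, the encoding the article says the
# affected UAA versions parse. OpenSSL 3.x defaults to PKCS#8 output and needs
# -traditional; OpenSSL 1.x does not know that flag, so retry without it.
to_pkcs1() {
  openssl rsa -in "$1" -out "$2" -traditional 2>/dev/null ||
    openssl rsa -in "$1" -out "$2"
}

# Compare the RSA modulus of a certificate and a private key. openssl reads
# both key encodings, so this says "match" even for the key UAA rejects.
cert_matches_key() {
  c=$(openssl x509 -noout -modulus -in "$1")
  k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)
  [ "$c" = "$k" ] && echo match || echo mismatch
}

# Build both scenarios from the article in a temp dir and print its path.
# Subject name is constructed; -subj replaces the article's -config openssl.cnf.
demo() {
  d=$(mktemp -d)
  # Scenario 1: key and CSR in one step (the path that breaks UAA parsing).
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/req.key" \
    -out "$d/req.csr" -subj "/CN=uaa.example.com" 2>/dev/null
  # Scenario 2: genrsa first, then the CSR (the article's workaround).
  openssl genrsa -out "$d/genrsa.key" 2048 2>/dev/null
  openssl req -new -key "$d/genrsa.key" -out "$d/genrsa.csr" \
    -subj "/CN=uaa.example.com" 2>/dev/null
  # Self-signed certificate for scenario 1 stands in for the CA-signed one.
  openssl x509 -req -in "$d/req.csr" -signkey "$d/req.key" -days 1 \
    -out "$d/req.crt" 2>/dev/null
  # Convert the scenario-1 key in place of regenerating it.
  to_pkcs1 "$d/req.key" "$d/req.pkcs1.key"
  echo "$d"
}

# Stand-alone run: report the encoding of each key and the modulus checks.
if [ "${1:-}" = run ]; then
  D=$(demo)
  for f in req.key req.pkcs1.key genrsa.key; do
    echo "$f: $(key_format "$D/$f") cert=$(cert_matches_key "$D/req.crt" "$D/$f")"
  done
  rm -rf "$D"
fi
```

Run it as sh script.sh run. The key written by req -newkey reports pkcs8 and the converted copy reports pkcs1, while both match the certificate; the genrsa key reports mismatch because it belongs to a different CSR. For a key that is already deployed, key_format on the file you uploaded to the ERT tells you whether it is the encoding the article describes, and to_pkcs1 produces a file you can upload instead of regenerating the key and reissuing the certificate.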

Additional Information

The issue is fixed in UAA version 4.5.0 which is expected to be part of PCF 1.12.

