Avamar: How to Verify the CA Signed Certificate is Ready for Upload to AUI

Summary: Steps on how to verify the key, certificate, and the chain are matching. (Avamar 19.2 and later)

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.
Check out other resources

Instructions

Incorrect certificate files can cause errors when uploaded to AUI. For example, the following error could occur:

"The private key, certificate, and certificate chain are not matched. Please check the files or passphrase."

The following steps should be taken to ensure the successful upload of the certificate.

Verify that the private key is in PKCS1 format.

  1. Run: 
head -1 server.key

PKCS1 will return:   -----BEGIN RSA PRIVATE KEY-----

PKCS8 will return:   -----BEGIN PRIVATE KEY-----
  1. If the format is PKCS8, it can be converted using the following command:
openssl rsa -in server.key -out new_server.key
  1. Verify that the format was successfully converted:
head -1 new_server.key

Note: If you already created Certificate Signing Request (CSR) from the PKCS8 key format, DO NOT regenerate the CSR or get a new CA singed certificate. These would still work, however when uploading the private key to AUI, upload the new_server.key in PKCS1 format.

Verify that the Private key, certificate, and certificate chain match.
  1. Check if the Private key and the CA signed certificate match by generating a md5 sum and comparing the two values.
openssl rsa -noout -modulus -in server.key | openssl md5

(stdin)= 59d33f669431501ecca48334481be935

openssl x509 -noout -modulus -in certificate.cer | openssl md5

(stdin)= 59d33f669431501ecca48334481be935
  1. Verify that the chain certificate matches the CA signed certificate:
openssl verify -CAfile chain.crt certificate.cer
certificate.cer: OK


If there are further errors with certificate file mismatch, review the following log file and engage Dell Support as needed.

/usr/local/avamar/var/mc/server_log/cert-management-api.log

 

Note: If any of the certificate file or chain is in a PKCS7 format (extension .p7b), use the following command to convert the file to PEM format:
  
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
Article Properties
Article Number: 000185151
Article Type: How To
Last Modified: 24 Sept 2025
Version:  5
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.