Symptoms:
Unable to validate the submitted credential
[IdmCrlCache] LDAP CRL stores is not supported. Ignore this URI: ldap://CN=xxx,CN=xxx,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=xxx,DC=xxx?certificateRevocationList?base?objectClass=cRLDistributionPoint
[ServerUtils] Exception 'com.vmware.identity.idm.CertRevocationStatusUnknownException: CRL checking could not determine certificate status'
com.vmware.identity.idm.CertRevocationStatusUnknownException: Unable to validate certificate path. Message: [Certificate does not specify OCSP responder] Reason: [UNSPECIFIED]
Environment:
VMware vCenter Server 6.0.x
VMware vCenter Server 7.0.x
VMware vCenter Server 8.0.x
Cause:
vCenter Server does not support LDAP paths as Certificate Revocation List (CRL) Distribution Points. To check certificate revocation status, the Certificate Authority that issues user certificates must be configured to publish Certificate Revocation Lists to a location available via http:// (ideally on a highly available web server).
Resolution:
To resolve this issue, add a path to an accessible web server as a CRL Distribution Point on the issuing Certificate Authority, and publish Certificate Revocation Lists to that path.
Note: This will require all user certificates to be re-issued.
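
A pre-flight check for the condition described above, as an added example (not VMware's code): it reads the text printed by `openssl x509 -noout -text` for a user certificate and reports whether any CRL Distribution Point uses http://. The sample certificate text, the function names and names such as Example-CA are constructed for illustration.

```python
# Added example. Input: text printed by `openssl x509 -noout -text -in user.pem`.
CDP_HEADER = "X509v3 CRL Distribution Points"

def cdp_uris(cert_text):
    """Return the URI entries under the CRL Distribution Points extension."""
    uris, header_indent = [], None
    for line in cert_text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        indent = len(line) - len(line.lstrip())
        if header_indent is None:
            if stripped.startswith(CDP_HEADER):
                header_indent = indent
            continue
        if indent <= header_indent:
            break  # reached the next extension
        if stripped.startswith("URI:"):
            uris.append(stripped[len("URI:"):])
    return uris

def check_cdp(cert_text):
    """Split CDP URIs into http:// ones and the rest (e.g. ldap://)."""
    uris = cdp_uris(cert_text)
    http = [u for u in uris if u.split(":", 1)[0].lower() == "http"]
    other = [u for u in uris if u not in http]
    return {"http": http, "other": other, "ok": bool(http)}

# Constructed sample values (not from a real certificate).
LDAP_URI = ("ldap:///CN=Example-CA,CN=ca01,CN=CDP,CN=Public%20Key%20Services,"
            "CN=Services,CN=Configuration,DC=example,DC=test"
            "?certificateRevocationList?base?objectClass=cRLDistributionPoint")
HTTP_URI = "http://pki.example.test/crl/Example-CA.crl"

def sample(uris):
    """Build constructed `openssl x509 -text` style output with the given CDP URIs."""
    lines = ["        X509v3 extensions:",
             "            X509v3 CRL Distribution Points:", "",
             "                Full Name:"]
    lines += ["                  URI:" + u for u in uris]
    lines += ["", "            Authority Information Access:",
              "                CA Issuers - URI:http://pki.example.test/Example-CA.crt"]
    return "\n".join(lines)

if __name__ == "__main__":
    for name, uris in (("ldap-only", [LDAP_URI]), ("reissued", [LDAP_URI, HTTP_URI])):
        r = check_cdp(sample(uris))
        print(name, "OK" if r["ok"] else "no http:// CDP", r["other"])
```

A certificate for which `ok` is false carries only distribution points that vCenter Server ignores, so it needs to be re-issued after the http:// path is added on the Certificate Authority.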