On a converge migrated or converge upgraded setup, the renew API on the TLS certificate may error out.
Article ID: 311955
Products
VMware vCenter Server
Issue/Introduction
Symptoms: The renew API on the TLS certificate shows the below error: "The TLS certificate on this node is not VMCA generated and the renew operation is not supported for third party CA issued certificates".
Environment
VMware vCenter Server 6.7.x
Cause
On a converge migrated or converge upgraded setup, a new VMCA certificate is created. The VMCA certificate present on the old PSC, even though it is retained in the TRUSTED_ROOTS store, will no longer be used as the VMCA to sign new certificates.
Due to the above problem, the renew API on the TLS certificate will error out.
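To confirm this cause on an affected node, the following check (an added example, not part of the original article or VMware's tooling) tests whether the MACHINE_SSL_CERT certificate verifies against the current VMCA root or only against another root kept in TRUSTED_ROOTS. The `vecs-cli` path, the `/var/lib/vmware/vmca/root.cer` location, the `__MACHINE_CERT` alias and the `Alias :` line format of `vecs-cli entry list` are assumptions about a default appliance; the function names are illustrative.

```shell
#!/bin/sh
# Added example, not VMware code. The tool path, VMCA root path and alias are
# assumed appliance defaults; override them through the environment if needed.
VECS_CLI=${VECS_CLI:-/usr/lib/vmware-vmafd/bin/vecs-cli}
VMCA_ROOT=${VMCA_ROOT:-/var/lib/vmware/vmca/root.cer}

# signed_by LEAF CA: succeeds only if LEAF verifies against CA and nothing else.
# The empty directory keeps the system trust directory out of the decision.
signed_by() {
    empty=$(mktemp -d) || return 2
    SSL_CERT_DIR="$empty" openssl verify -CApath "$empty" -CAfile "$2" "$1" >/dev/null 2>&1
    rc=$?
    rmdir "$empty"
    return "$rc"
}

# classify LEAF CURRENT_VMCA_ROOT [OTHER_ROOT...]
# Prints which root signed LEAF, checking the current VMCA root first.
classify() {
    leaf=$1 current=$2
    shift 2
    if signed_by "$leaf" "$current"; then
        echo "current-vmca"        # renew should be supported
        return 0
    fi
    for root in "$@"; do
        if signed_by "$leaf" "$root"; then
            echo "other-trusted-root"   # e.g. the old PSC's VMCA root
            return 0
        fi
    done
    echo "unknown-issuer"
}

# Runs only where vecs-cli exists (the vCenter appliance shell).
if [ -x "$VECS_CLI" ]; then
    work=$(mktemp -d) || exit 2
    "$VECS_CLI" entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT \
        --output "$work/machine.pem" || exit 2
    n=0
    for a in $("$VECS_CLI" entry list --store TRUSTED_ROOTS |
               sed -n 's/^Alias[[:space:]]*:[[:space:]]*//p'); do
        n=$((n + 1))
        "$VECS_CLI" entry getcert --store TRUSTED_ROOTS --alias "$a" \
            --output "$work/root$n.pem"
    done
    classify "$work/machine.pem" "$VMCA_ROOT" "$work"/root*.pem
    rm -rf "$work"
fi
```

A result of `other-trusted-root` matches the situation described here when the matching root is the old PSC's VMCA certificate; after the workaround the same check should print `current-vmca`. An expired certificate can fail verification against every root, so check its validity dates before reading `unknown-issuer` as a foreign CA.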
Resolution
Currently there is no resolution.
Workaround: To resolve this issue, create a new TLS certificate signed by the new VMCA signing certificate.
Log in to the UI as administrator and then navigate to Menu -> Administration -> Certificate management -> MACHINE_SSL_CERT Tab Actions -> Import and replace certificate -> Replace with VMCA (1st option)