Add a KMS root server certificate for the KMS server when the KMS leaf certificate will be refreshed.

Article ID: 312121

Products

VMware vCenter Server

Issue/Introduction

Symptoms:

When trust is set up between vCenter Server (VC) and the KMS, only the leaf certificate is stored if the KMS server certificate is a chain. When the KMS leaf certificate is later refreshed, the connection between VC and the KMS server fails.


Environment

VMware vCenter Server 8.0.x
VMware vCenter Server 6.7.x
VMware vCenter Server 7.0.x

Cause

Only the leaf certificate of the chain is stored when trust is set up between VC and the KMS, so the trust anchor does not survive a leaf certificate refresh.

Resolution

Currently there is no resolution.

Workaround:

The user can add the KMS root server certificate in either of the following ways:

1. Add the KMS root server certificate through the UI (see the attached uploadkmscert.png):

  1.1 Log in to vCenter Server with a browser.
  1.2 Click Configure -> Key Providers -> ESTABLISH TRUST -> Upload KMS Certificate.
  1.3 Upload the KMS root certificate.

or

2. Add the KMS root server certificate with PowerCLI:

  2.1 Use the PowerCLI cmdlet Connect-VIServer to connect to vCenter Server.
  2.2 Run the following PowerCLI commands to upload the KMS root server certificate:

# Get the vCenter CryptoManagerKmip managed object
$kmsMgr = Get-View -Id 'CryptoManagerKmip-CryptoManager'
# Look up the key provider (KMS cluster) by name and take its cluster id
$kmsCluster = Get-KmsCluster -Name 'yujiekmstest'
$kmsClusterId = $kmsCluster.ExtensionData.ClusterId
# PEM-encoded KMS root certificate (sample value; replace with your own)
$certificate = '-----BEGIN CERTIFICATE-----
MIIF4TCCA8mgAwIBAgIJAO0o00E7M7dLMA0GCSqGSIb3DQEBCwUAMIGGMQswCQYD
VQQGEwJYWDESMBAGA1UECAwJU3RhdGVOYW1lMREwDwYDVQQHDAhDaXR5TmFtZTEU
MBIGA1UECgwLQ29tcGFueU5hbWUxGzAZBgNVBAsMEkNvbXBhbnlTZWN0aW9uTmFt
ZTEdMBsGA1UEAwwUQ29tbW9uTmFtZU9ySG9zdG5hbWUwHhcNMjQwMjAxMDQwMTM2
WhcNMzQwMTI5MDQwMTM2WjCBhjELMAkGA1UEBhMCWFgxEjAQBgNVBAgMCVN0YXRl
TmFtZTERMA8GA1UEBwwIQ2l0eU5hbWUxFDASBgNVBAoMC0NvbXBhbnlOYW1lMRsw
GQYDVQQLDBJDb21wYW55U2VjdGlvbk5hbWUxHTAbBgNVBAMMFENvbW1vbk5hbWVP
ckhvc3RuYW1lMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArNYphMXP
ML9r5BKBSeFnnpkIpvJDKEpFBeAfhzme417EjSbHtZxw/UpYusol2QB8NgUrzC9H
bWp8EEgWv5Uk2JMe4LgcZ4r7ASr3NsvWPf44ng5pMfG5lpmCq62ZfWs0CHjhDktM
qj8OB/1cg8lVjFUzJTp7MtYEqBZ5nLTfpXmPymOvLvJj3Dsn8YZfWWLeRRos7SOS
FraFyq2MZGU+ciEwzy3fyhTYGKQGl3xyNh0qnXPGCqZ/6BdpglOejkSFZbAcOu3n
916WsgDQasDqdlh4pL2JdKhcjbK5QHF1oluNsd1ISIPmZPInsTjxA+0wpzXL4X2s
6tfQC+LMkI81AfFCDWR+sFnjKZGPcNfmW/cE/rYBQuUFUSH8ELWOAxGsKcY+9BS4
KLfuXiZRwYA/f1IlPRQz38iMqjsY+Izmngw4tnwA3Q4qb5hvA09VetZEJo0gjsiT
IVN2O7Tg+EQN+UPGoRaq6LUGhLBbZdxLoQLt8Rn2e991FPMy+h5Mw2i+oU95umBb
SJTp40utiw9YqJUVUNvGi8wsvPr9dDSu+fzQPx/aaFTOmg8bFeNrdPTSwybXjRnB
wqBfuffNkVyFGwTws2oXPO7Xft44kdwMnJQJ13ZkHa+oefbpmYOOIQ9rNPNc+NJL
V9q8DuZYxuacklIP1BApvmOmRG5+vAVO/+8CAwEAAaNQME4wHQYDVR0OBBYEFEU0
L8RDN/PCuOdYaVaGnyk87gJpMB8GA1UdIwQYMBaAFEU0L8RDN/PCuOdYaVaGnyk8
7gJpMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBAD8wSlMenBOGjDeH
j6G9phScoUCHuDYULaaMAxlxRAhSsr+lmHAbZo6FCZG9+XXHaikC+nq1rNO0a/fU
x6J48PSIXxCWR7KlyhGuf1cd6drpPUEdufg1WA+FzQ+auGTtMeZrqqQwckkPy9QB
YyovnGS1XNsgshKhtdc8o/sEmgKnitsr5BxebzLRsx6UK/4DJkWVBlT08eRvH3br
WmfXZCLwOFG1LPyvP1BlByEckVTFTeMhCMKiaRjC1XEOI/f4B77BwSBPyvGOuTlw
/FQ/0Cabcgb8NH0KETbomrsKINXmYVT6QtgjjC5cgNnNpBshrBhcBFWm9xKVFgJc
atKW68lcfURzRAqZZa8AAJATgd/tTtsxgbHlg7UfKBvqvJYjt2iFgxaa9EB+8bjK
NCj6vlVxZey9bU0mJHqXFkGmpceMkbjCBoKVtJ4DDlicgEJ5d852zF6spcOcLzyV
8bSqNesYbZSvy0voVgl8t0OADV3b1HvbVS59wdN7XwL1XIQeLV1AVF3MMWb0R/Hr
J7rXS7KouHqMOn7/liv1f4SDUZhvdg/s6pgNvTGgiq4MRyW56+IFSAGprKvOG8mw
8x5ZHi+MRc0ni8dOdvfcT1X6jr0ZFezjFHDArLnDz7dTohRNhNtIWMGYuIEsA5MQ
8scFuWW4Mmno6c5E5Kzo0OmPFDU+
-----END CERTIFICATE-----'
# Upload the root certificate for this key provider
$kmsMgr.UploadKmipServerCert($kmsClusterId, $certificate)

Replace the key provider name and the certificate value with your own key provider name and KMS root server certificate.
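Added example, not code from the KB or from VMware: a PowerCLI script that takes a full KMS server certificate chain file (leaf first), picks out the self-signed root CA, verifies the leaf really chains to it, and uploads only the root through the same UploadKmipServerCert call shown above. It goes a step beyond the KB by extracting the root from a chain file rather than expecting it in a separate file; the path C:\kms\chain.pem and the key provider name kms-cluster-1 are assumptions.

```powershell
# Added example (not code from the KB): pick the root CA out of a KMS server
# certificate chain, check that it really anchors the leaf, and upload only the
# root with the same CryptoManagerKmip.UploadKmipServerCert call the KB uses.
# Assumed: a PowerCLI session opened with Connect-VIServer, the chain saved as
# C:\kms\chain.pem (leaf first), and a key provider named 'kms-cluster-1'.
param(
    [string]$ChainPath = 'C:\kms\chain.pem',    # assumed path
    [string]$KmsClusterName = 'kms-cluster-1'   # assumed key provider name
)

# Split the PEM file into individual certificates, keeping file order.
$pemBlocks = [regex]::Matches((Get-Content -Path $ChainPath -Raw),
    '-----BEGIN CERTIFICATE-----[\s\S]*?-----END CERTIFICATE-----') | ForEach-Object { $_.Value }
if (@($pemBlocks).Count -lt 2) { throw "Expected leaf plus CA certificate(s), found $(@($pemBlocks).Count)" }

# Parse each block so the X.509 fields can be inspected alongside the raw PEM.
$chain = foreach ($block in $pemBlocks) {
    $b64 = ($block -replace '-----(BEGIN|END) CERTIFICATE-----', '') -replace '\s', ''
    [pscustomobject]@{
        Pem  = $block
        Cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($b64))
    }
}

# The root is the self-signed entry that asserts BasicConstraints CA=true.
$root = $chain | Where-Object {
    $bc = $_.Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    $_.Cert.Subject -eq $_.Cert.Issuer -and $bc -and $bc.CertificateAuthority
} | Select-Object -First 1
if (-not $root) { throw 'No self-signed CA certificate found in the chain file' }
if ($root.Cert.NotAfter -lt (Get-Date)) { throw "Root CA expired on $($root.Cert.NotAfter)" }

# Walk issuer links from the leaf up to the root so an unrelated CA is never trusted.
$current = $chain[0]
while ($current.Cert.Thumbprint -ne $root.Cert.Thumbprint) {
    $issuer = $chain | Where-Object {
        $_.Cert.Subject -eq $current.Cert.Issuer -and $_.Cert.Thumbprint -ne $current.Cert.Thumbprint
    } | Select-Object -First 1
    if (-not $issuer) { throw "Chain broken at '$($current.Cert.Subject)': issuer not present in file" }
    $current = $issuer
}

# Upload the root (not the leaf) so trust survives the next leaf refresh.
$kmsCluster = Get-KmsCluster -Name $KmsClusterName
$kmsMgr = Get-View -Id 'CryptoManagerKmip-CryptoManager'
$kmsMgr.UploadKmipServerCert($kmsCluster.ExtensionData.ClusterId, $root.Pem)
Write-Host "Uploaded root CA '$($root.Cert.Subject)' (thumbprint $($root.Cert.Thumbprint)) for key provider '$KmsClusterName'"
```

After the upload, Configure -> Key Providers in the vSphere Client should show the key provider as connected and trusted; re-check it after the next KMS leaf refresh.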


Attachments

uploadkmscert.png