pre-check error message "Verification of the machine SSL certificate failed due to an invalid trusted root certificate chain" during vCenter Server upgrade.
Article ID: 312124
Updated On: 06-11-2025
Products
Issue/Introduction
vCenter Server upgrade pre-check shows below error message
Verification of the machine SSL certificate failed due to an invalid trusted root certificate chain. ERROR: [2, 2, 'unable to get issuer certificate'] . Unable to find the root certificate with the subject '<X509Name object '/C=US/ST=#####/L=#####/O=######.com, Inc./CN=#######'>'
Environment
vCenter sever
Cause
This issue is caused due to invalid Machine SSL certificate chain that is incomplete.
Below example illustrates the use case where the CA certificate chain consists of one or more intermediate root certificates and how it forms a chain of trust with the Machine SSL certificate,Machine ssl certificate (Signed by intermediate CA CertificateB)CertificateB (Signed by intermediate CA CertificateC)CertificateC (Signed by Self-signed RootCertificate)RootCertificate (Trust anchor)
If any of the intermediate CA certificate .i.e. either CertificateB or CertificateC or RootCertificate is missing, then chain of trust is broken and the verification of the chain will fail.
Resolution
To resolve this issue, import the missing CA certificate into the TRUSTED_ROOTS store on vCenter Server.
The pre-check error will contain the subject of the missing CA certificate as shown below
Unable to find the root certificate with the subject 'X509Name object '/C=US/ST=#####/L=#####/O=######.com, Inc./CN=#######''
The certificate can be imported using any of below methods :
- vCenter WebClient - refer to Add a Trusted Root Certificate to the Certificate Store
- CLI Utility - refer section "
dir-cli trustedcert publish" in dir-cli command reference
Additional Information
Sample steps to export the CA Certificate from local Windows Desktop:
Note: This is just an example to show how to export CA certificate from the Certificate Path based on issuer name ("Go Daddy Root Certificate Authority - G2" in this example).
- Open the Machine SSL of Certificate of vCenter Server from local Windows Desktop
- Click on Certificate Path tab, select the CA certificate to export and Click on View Certificate
- New window will open for the select CA certificate from the Certificate Path
- Select the Details tab of the CA Certificate and click on Copy to File
- Click Next on the new window to export the Certificate
- Select Base-64 encoded X.509 (.CER)
- Enter the Filename for the exported CA certificate and Click Next
- Click Finish to save the Certificate
Feedback
