Sectigo custom Machine SSL cert - Remove old SHA1 cert from signing chain
Article ID: 312566

Products

VMware vCenter Server

Issue/Introduction

If the pre-upgrade check (upgrading to vCenter Server 8.0) reports the error below and the environment uses Sectigo custom SSL certs, the steps in this article remove the old certs and build a new signing (chain) cert that does not include the old Comodo SHA1 cert.

"Error Support for certificates with weak signature algorithms has been removed in vCenter Server 8.0. The certificate with subject '/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services' in VECS store TRUSTED_ROOTS has weak signature algorithm sha1WithRSAEncryption. Replace the certificate with subject '/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services' in VECS store TRUSTED_ROOTS with a certificate that uses the SHA-2 signature algorithm. Caution: Verify that any certificates signed by the problematic certificate are not in use by vCenter Server. Refer to the vCenter Server release notes and VMware KB 89424 for more details."

Cause

This error indicates that the Sectigo signing (chain) cert in use was built on the legacy trust path and includes the old "AAA Certificate Services" cert, which is signed with SHA1. vSphere 8 no longer accepts SHA1-signed certs in the TRUSTED_ROOTS store, so the chain must be rebuilt without it.

Resolution

  • To move to Sectigo's "Trust Path A" (a chain that ends in the self-signed USERTrust root and contains no AAA Certificate Services cert):
    • Download the self-signed "USERTrust RSA CA" (root) - https://crt.sh/?id=1199354
    • Download "Sectigo RSA Domain Validation" (intermediate) - first link on the Sectigo intermediate cert download page
    • Compile the signing (chain) cert from the intermediate and root certs (top to bottom: Inter, Root)
    • Compile the Machine/Leaf cert from the Machine, intermediate, and root certs (top to bottom: Machine, Inter, Root)
    • Create proper snapshot(s) of the VCSA(s)/PSC(s) before changing anything
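Before importing the compiled chain it is worth checking offline that it is in the right order (Inter then Root, or Machine, Inter, Root) and that no cert in it carries a SHA-1 signature, which is exactly what the vCenter 8 pre-upgrade check rejects. The script below is an added example, not VMware's or Sectigo's code: it walks the DER structure of each PEM cert in a bundle with only the Python standard library, reports the signature algorithm of each cert, flags SHA-1, and checks that each cert's issuer matches the next cert's subject and that the last cert is self-signed. The "certs" it runs on are constructed placeholders (real TBS field layout, dummy key and signature, CN-only names) that mirror the old chain with the AAA root and the new Trust Path A chain; point check_chain() at your real compiled chain file to use it.

```python
import base64
import re

# Signature-algorithm OIDs (RFC 3279/4055/5758). The vCenter 8 pre-upgrade check rejects SHA-1 based ones.
SIG_ALGS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}
WEAK = {"sha1WithRSAEncryption", "ecdsa-with-SHA1"}
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def tlv(buf, pos=0):
    """Read one DER TLV at pos -> (tag, value, next_pos). Single-byte tags suffice for X.509."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Split a constructed DER value into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = tlv(value, pos)
        out.append((tag, v))
    return out


def decode_oid(raw):
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def parse_cert(blob):
    """-> (subject DER, issuer DER, signature algorithm). Names are compared as raw bytes, not decoded."""
    tbs, sig_alg, _sig = children(tlv(blob)[1])
    fields = children(tbs[1])
    if fields[0][0] == 0xA0:                # optional explicit [0] version
        fields = fields[1:]
    _serial, _tbs_alg, issuer, _validity, subject = fields[:5]
    oid = decode_oid(children(sig_alg[1])[0][1])
    return subject[1], issuer[1], SIG_ALGS.get(oid, oid)


def check_chain(bundle):
    """Check a compiled chain file (top to bottom: leaf/inter first, root last).
    Returns (problems, signature algorithms in file order)."""
    certs = [parse_cert(base64.b64decode(b"".join(m.group(1).split())))
             for m in PEM_RE.finditer(bundle)]
    problems, algs = [], []
    for i, (subject, issuer, alg) in enumerate(certs):
        algs.append(alg)
        if alg in WEAK:
            problems.append(f"cert {i}: weak signature algorithm {alg}")
        if i + 1 < len(certs) and issuer != certs[i + 1][0]:
            problems.append(f"cert {i}: issuer does not match subject of cert {i + 1}")
    if certs and certs[-1][0] != certs[-1][1]:
        problems.append("last cert is not self-signed: root missing or a cross-signed root was used")
    return problems, algs


# --- CONSTRUCTED sample certs: real TBS field layout, dummy key and signature, CN-only names ---
def der(tag, payload):
    n = len(payload)
    if n < 128:
        return bytes([tag, n]) + payload
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + payload


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return der(0x06, bytes(out))


def name(cn):
    return der(0x30, der(0x31, der(0x30, encode_oid("2.5.4.3") + der(0x0C, cn.encode()))))


def fake_cert(subject, issuer, sig_oid):
    alg = der(0x30, encode_oid(sig_oid) + der(0x05, b""))
    validity = der(0x30, der(0x17, b"230101000000Z") + der(0x17, b"330101000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg + name(issuer)
              + validity + name(subject) + der(0x30, b""))
    body = der(0x30, tbs + alg + der(0x03, b"\x00" * 9))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(body) + b"-----END CERTIFICATE-----\n"


INTER = fake_cert("Sectigo RSA Domain Validation", "USERTrust RSA CA", "1.2.840.113549.1.1.12")
USERTRUST_CROSS = fake_cert("USERTrust RSA CA", "AAA Certificate Services", "1.2.840.113549.1.1.12")
AAA_ROOT = fake_cert("AAA Certificate Services", "AAA Certificate Services", "1.2.840.113549.1.1.5")
USERTRUST_ROOT = fake_cert("USERTrust RSA CA", "USERTrust RSA CA", "1.2.840.113549.1.1.12")

OLD_CHAIN = INTER + USERTRUST_CROSS + AAA_ROOT     # legacy path: rejected by the pre-upgrade check
NEW_CHAIN = INTER + USERTRUST_ROOT                 # Trust Path A: Inter, Root

if __name__ == "__main__":
    for label, chain in (("old chain", OLD_CHAIN), ("new chain", NEW_CHAIN)):
        print(label, check_chain(chain))
```

The same two facts can be read per cert with "openssl x509 -noout -subject -issuer -text" (look at the "Signature Algorithm" line), but running the check over the whole compiled file catches the two mistakes this procedure is prone to: leaving the SHA-1 AAA root at the bottom, or dropping AAA but keeping the cross-signed USERTrust cert so the chain no longer ends in a self-signed root.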

NOTE:

  • If, when attempting to replace a cert using the vSphere client, you receive a "Certificate already exists" error, the same custom cert is already in use. The vSphere client will not allow it to be imported again.
  • Follow the steps from "Removing CA Certificates from the TRUSTED_ROOTS store in the VMware Endpoint Certificate Store (VECS)" to remove every cert in the VCSA Trusted Root store that belongs to the old Sectigo chain (the chain containing the "AAA..." SHA1 cert).
    • Both copies of the old chain must go because the Subject Key Identifier is the same for the two "USERTrust RSA..." certs (the one cross-signed by AAA and the self-signed one), even though their serial numbers differ. The "--id" value dir-cli uses for a trusted cert is that SKI, so the old cross-signed copy has to be removed before the new self-signed root is published.

The commands below are specific to the scenario faced. The "--id" values (dir-cli) and "--alias" values (vecs-cli) will differ between environments: read them from "dir-cli trustedcert list" and "vecs-cli entry list --store TRUSTED_ROOTS --text", and match each entry to the old chain by subject before unpublishing or deleting anything.

===============================================================

/usr/lib/vmware-vmafd/bin/dir-cli trustedcert get --id 5379BF5AAA2B4ACF5480E1D89BC09DF2B20366CB --login [email protected] --outcert /tmp/oldcert1.cer

/usr/lib/vmware-vmafd/bin/dir-cli trustedcert get --id A0110A233E96F107ECE2AF29EF82A57FD030A4B4 --login [email protected] --outcert /tmp/oldcert2.cer

===============================================================

/usr/lib/vmware-vmafd/bin/dir-cli trustedcert unpublish --cert /tmp/oldcert1.cer

/usr/lib/vmware-vmafd/bin/dir-cli trustedcert unpublish --cert /tmp/oldcert2.cer

===============================================================

/usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store TRUSTED_ROOTS --alias d89e3b43d5d909b47a18977aa9d5ce36cee104c

/usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store TRUSTED_ROOTS --alias d1eb23a46d17d68fd92564c2f1f1601764d8e349

===============================================================

  • Use the vSphere client (or the CLI Certificate Manager tool, only if the key file from CSR creation is available) to import the custom cert using the Machine, Signing, and Key files (the key is provided by the third party when the CSR is created)
    • If the vSphere client returns "Error occurred while fetching tls: String index out of range: -1", this is a known issue when the "Browse" button is used to select the cert files.
    • Try the import again, this time copying the data from the cert files open in a text editor and pasting it into the vSphere client fields for the appropriate certs and key.

Additional Information

SHA1, Sectigo, signing chain, upgrade to vCenter 8


Impact/Risks:

The steps replace the current custom VCSA Machine cert with the default self-signed cert, then remove the current Sectigo signing certs from the Trusted Root store.

  • Take proper snapshots before proceeding (in a linked mode environment, take offline snapshots of all linked VCSAs/PSCs at the same time)
  • VCSA services will be restarted multiple times
  • Certs will be removed from the Trusted Root store