When using general vCenter UI option “Trust the certificate” it will save only the ‘Leaf Cert’ into the KMS_ENCRYPTION store.

To workaround the issue, please follow the below mentioned steps:

1. Make sure the whole KMS certificate chain is not added in vCenter by one alias, if yes, follow the below steps to delete it:

i) List certificates in the KMS cluster.

/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store KMS_ENCRYPTION
then, get the alias of the added KMS certificates chain.

ii) Delete the added certificates chain

/usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store KMS_ENCRYPTION --alias <the alias of the added KMS certificate chain>

2. Add KMS certificate in the chain one by one.

/usr/lib/vmware-vmafd/bin/vecs-cli entry create --store KMS_ENCRYPTION --alias <the alias of a certificate> --cert cert.txt
where the alias format is mostly the same as the existing alias. User only needs to modify the index and select the unused index.

Example:  In KMS cluster eTPC-KMS-KeyProvider, if the greatest index is 2 in alias (Example trustedCert_2-eTPC-KMS-KeyProvider), then the user can add the first certificate in the chain using trustedCert_3-eTPC-KMS-KeyProvider alias, add the second certificate in the chain using trustedCert_4-eTPC-KMS-KeyProvider, and so on. cert.txt stores the KMS certificate to be added.

3. The logic will go through all the entries, in case some KMS certificate is missing from store, it will appear in the error log as : "GetEntryByAlias (alias trustedCert_15-eTPC-KMS-KeyProvider from store ID 14) returned error: 4312". This can be ignored.