Upgrading to vCenter Server or ESXi 8.0 requires an additional security precheck. This precheck ensures that vCenter Server and ESXi are not using certificates with weak signature algorithms, such as SHA1withRSA (sha1WithRSAEncryption). Certificates with weak signature algorithms are no longer supported in vSphere 8.0 in most contexts.
The upgrade may fail with the following error message:

Support for certificates with weak signature algorithms has been removed in vCenter Server 8.0. The certificate with subject '/C=##/ST=##/O=###/OU=###/CN=###/...' in VECS store TRUSTED_ROOTS has weak signature algorithm sha1WithRSAEncryption.

The upgrade may fail with the following host compatibility error:

Host not compatible with the image. SHA-1 signature found in host certificate rui.crt (/DC=###/CN=###'). Support for certificates with weak signature algorithm SHA-1 has been removed in ESXi 8.0. To proceed with the upgrade, replace it with a SHA-2 signature based certificate.

The signing chain for the Machine cert contains an old SHA1 certificate, and vSphere 8 does not support SHA1 security algorithm.
1. Run the Standalone Precheck Script
The vsphere8_upgrade_certificate_checks.py script verifies certificates across vCenter and all connected ESXi hosts.
Download the script attached to this KB.
Transfer the script to the /tmp/ folder on the vCenter Server.
Log in to the VCSA via SSH as root.
Execute the script:

python /tmp/vsphere8_upgrade_certificate_checks.py

Resolve any identified "ERROR" or "FAIL" entries before proceeding with the upgrade.

If any certificates with a weak signature algorithm are found, the details are printed to the console window. These issues should be resolved before proceeding with the upgrade. An example output with failures is shown below.

python /tmp/vsphere8_upgrade_certificate_checks.py
Enter hostname [Default: localhost]:
INFO Verifying vCenter Server VECS store: MACHINE_SSL_CERT
INFO Verifying vCenter Server VECS store: TRUSTED_ROOTS
Error
#################### Errors Found ####################
ERROR
ERROR Support for certificates with weak signature algorithms has been removed in vSphere 8.0.
...
Correct the following <#> issues before proceeding with upgrade.
...
2. Replace the vCenter Server Machine Certificate
If the failure indicates a problematic certificate in the MACHINE_SSL_CERT VECS store:
Replace the vCenter machine SSL certificate with a certificate using a SHA-2 signature. Use the vCert scripted CLI tool or follow the Custom Certificate Authority workflow.
Push the new CA certificate to the ESXi hosts by selecting the host in the vSphere Client and clicking Refresh CA Certificates.
3. Replace a vCenter Server Trusted Root Certificate
If the failure indicates a problematic certificate in the TRUSTED_ROOTS store:
Add the new certificate: Navigate to Administration > Certificates > Certificate Management. Under Trusted Root Store, click Add and upload the SHA-2 compliant certificate.
Push to Hosts: Navigate to each ESXi host in the vSphere UI and select Actions > Certificates > Refresh CA Certificates.
Identify Dependent Solutions: Ensure leaf certificates for the following (if applicable) are updated:
VMware Solutions: vRA, vROps, SRM, NSX.
Partner Solutions: vVols (VASA Provider), Backup solutions.
4. Replace the ESXi Server TLS Certificate (rui.crt)
The ESXi TLS certificate is located at /etc/vmware/ssl/rui.crt.
For VMCA-managed hosts: In the vSphere Client, navigate to the host and select Actions > Certificates > Renew Certificate.
For Custom Certificates: Follow the steps to manually add a custom certificate on ESXi hosts.

Upgrading vCenter Server or ESXi 8.0 fails during precheck due to a weak certificate signature algorithm
5. VMCA is Acting as a Subordinate CA
If the upgrade precheck failure message indicates that a problematic certificate is related to certs in VMCA sub-ca chain, follow the steps in the following linked article.
6. vCenter Server BACKUP_STORE Certificate
If the upgrade precheck failure message indicates that a problematic certificate is present in the VECS store "BACKUP_STORE", then the certificate can be safely removed using one of the methods below.
7. The ESXi Server TLS Certificate (rui.crt)
The ESXi TLS certificate is managed by vCenter Server by default; administrators may, however, choose to assign a certificate manually. If the current TLS certificate uses a weak signature algorithm, a new certificate must be issued. Note that this certificate is stored in a file named rui.crt, which may be displayed in the upgrade precheck error messages.
8. The ESXi Server Certificate Store (castore.pem)
If the upgrade precheck failure message indicates that a problematic certificate is related to ESXi certs, follow the steps in the following linked article.
9. vVols (Virtual Volumes)
If the upgrade precheck failure message indicates that a problematic certificate is related to vVols (VASA) certs, follow the steps in the following linked article.
10. Additional ESXi certificates
If the standalone Python script reports a clean pass but the ESXi host upgrade still fails with host compatibility errors regarding a SHA-1 signature, a deprecated or expired certificate may be hiding in a local file within the host's SSL directory.
Verification via SSL Directory Scan
To catch hidden certificates, log into the affected ESXi host via SSH as root and execute the following command.
This command scans all files within the /etc/vmware/ssl/ directory (*.crt, *.cer, and *.pem), splits out individual certificates from multi-bundle files, and checks them all for SHA-1 algorithms:
cd /etc/vmware/ssl
for file in *.crt *.cer *.pem; do
    [ -e "$file" ] || continue            # skip globs that matched nothing
    echo "=== FILE: $file ==="
    awk '
    BEGIN { cert_num=0; in_cert=0; temp_cert="/tmp/esxi_temp_cert.crt" }
    # a new PEM block starts: bump the index the remediation steps refer to
    /-----BEGIN CERTIFICATE-----/ { in_cert=1; cert_num++ }
    # copy the current block, line by line, into the scratch file
    in_cert==1 { print $0 > temp_cert }
    # block complete: flush it and let openssl report subject, issuer, validity and algorithms
    /-----END CERTIFICATE-----/ {
        in_cert=0; close(temp_cert)
        print "--- Certificate #" cert_num " ---"
        system("openssl x509 -in " temp_cert " -noout -subject -issuer -dates")
        system("openssl x509 -in " temp_cert " -text -noout | grep -i sha")
    }
    END { system("rm -f " temp_cert) }    # remove the scratch copy
    ' "$file"
done
Review the terminal output for lines showing a weak signature algorithm (e.g., sha1WithRSAEncryption) or expired dates.
Note the FILE name and the specific Certificate # index identified by the script.
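The check that the standalone precheck script and the awk loop above both perform, as an added Python example that is not the KB's script and not VMware code: it splits a PEM bundle into its certificate blocks, reads the signatureAlgorithm OID directly from the DER encoding instead of grepping openssl output for "sha", and reports each block with the same 1-based "Certificate #" numbering the awk loop prints. Function names are mine. The sample bundle is constructed from placeholder certificates whose only meaningful field is the signature algorithm; it exercises the parser and is not installable anywhere. To use it on a real store, read /etc/vmware/ssl/<file> (or a copy taken off the host) and pass the text to scan_pem_bundle; it needs only the standard library.

```python
import base64
import re

# Signature-algorithm OIDs (RFC 3279, RFC 4055, RFC 5758): (name, rejected by vSphere 8).
# MD5- and SHA-1-based signatures are the weak ones; unlisted OIDs are reported dotted.
SIG_ALGS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", True),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.10040.4.3": ("dsa-with-sha1", True),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", False),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", False),
    "1.2.840.10045.4.3.4": ("ecdsa-with-SHA512", False),
}
PEM_CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _read_tlv(buf, pos):
    """Decode one DER tag/length header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _decode_oid(raw):
    """Turn DER OBJECT IDENTIFIER contents into dotted notation."""
    first = raw[0]
    parts = [str(first // 40), str(first % 40)] if first < 80 else ["2", str(first - 80)]
    value = 0
    for b in raw[1:]:                      # base-128, high bit set on all but the last byte
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(value))
            value = 0
    return ".".join(parts)


def signature_algorithm_oid(der):
    """OID of the outer signatureAlgorithm of a DER Certificate
    (Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue })."""
    tag, pos, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(der, pos)            # skip tbsCertificate entirely
    _, alg_start, _ = _read_tlv(der, tbs_end)      # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(der[oid_start:oid_end])


def scan_pem_bundle(text):
    """[(index, algorithm_name, is_weak)] for each certificate block, numbered 1.. in file order."""
    results = []
    for idx, m in enumerate(PEM_CERT_RE.finditer(text), start=1):
        der = base64.b64decode("".join(m.group(1).split()))
        oid = signature_algorithm_oid(der)
        name, weak = SIG_ALGS.get(oid, (oid, False))
        results.append((idx, name, weak))
    return results


def weak_indices(text):
    """Indices of the certificate blocks that the vSphere 8 precheck will reject."""
    return [idx for idx, _, weak in scan_pem_bundle(text) if weak]


# ---- constructed sample input (not real certificates) ----------------------------------
def _der(tag, content):
    assert len(content) < 0x80             # short-form length is enough for the samples
    return bytes([tag, len(content)]) + content


def _der_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    body = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        body += chunk
    return _der(0x06, bytes(body))


def make_sample_cert(sig_oid):
    """Structurally valid Certificate SEQUENCE with placeholder tbsCertificate and signatureValue."""
    tbs = _der(0x30, _der(0x02, b"\x01"))
    alg = _der(0x30, _der_oid(sig_oid) + b"\x05\x00")   # AlgorithmIdentifier { oid, NULL }
    sig = _der(0x03, b"\x00" * 5)                         # BIT STRING placeholder
    b64 = base64.encodebytes(_der(0x30, tbs + alg + sig)).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"


SAMPLE_BUNDLE = (make_sample_cert("1.2.840.113549.1.1.11")   # sha256: acceptable
                 + make_sample_cert("1.2.840.113549.1.1.5")  # sha1: the one to replace
                 + make_sample_cert("1.2.840.10045.4.3.2"))  # ecdsa-with-SHA256: acceptable
```

The outer signatureAlgorithm field is the value both precheck messages quote (sha1WithRSAEncryption, SHA-1); RFC 5280 requires it to equal the tbsCertificate.signature field, which is the first "Signature Algorithm" line openssl -text prints, so either field gives the same verdict on a well-formed certificate.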
Remediation Steps
Navigate to the SSL directory on the host:

cd /etc/vmware/ssl/

Back up the target certificate store file (for example, iofiltervp_castore.pem):

cp iofiltervp_castore.pem iofiltervp_castore.pem.backup

Open the file in a text editor (like vi) and remove the lines corresponding to the problematic certificate index identified during verification (from its specific -----BEGIN CERTIFICATE----- to its matching -----END CERTIFICATE-----).

Restart the associated management daemon to reload the updated store:

/etc/init.d/iofiltervpd restart
Retry the ESXi host upgrade.
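The back-up-and-edit step above, scripted, as an added example that is not part of the KB: it removes one or more certificate blocks by the same 1-based index the scan loop reports, refuses indices that do not exist in the file (so a mistyped number cannot silently delete the wrong block or nothing), and writes the .backup copy before touching the store. Function names are mine; the sample store is constructed from placeholder blocks, not real certificates, and is written to a scratch directory so the example runs offline. Running it directly on a host assumes a Python interpreter is available there; otherwise run it on a copy of the store file and copy the pruned file back.

```python
import re
import shutil
import tempfile
from pathlib import Path

# One PEM certificate block: BEGIN line through END line plus its trailing newline.
CERT_BLOCK_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----\n?", re.S)


def count_certificates(text):
    return len(CERT_BLOCK_RE.findall(text))


def remove_certificate_blocks(text, indices):
    """Return text with the 1-based certificate blocks in `indices` cut out; every other byte
    (comments, unrelated PEM objects) is left exactly as it was. Indices use the same
    numbering as the 'Certificate #' lines of the scan loop."""
    blocks = list(CERT_BLOCK_RE.finditer(text))
    bad = sorted(i for i in indices if i < 1 or i > len(blocks))
    if bad:
        raise ValueError(f"no certificate block(s) {bad}; file holds {len(blocks)}")
    pieces, last = [], 0
    for idx, m in enumerate(blocks, start=1):
        if idx in indices:
            pieces.append(text[last:m.start()])
            last = m.end()
    pieces.append(text[last:])
    return "".join(pieces)


def prune_store_file(path, indices, backup_suffix=".backup"):
    """Back up `path` (the cp step) and rewrite it without the listed blocks.
    Returns (certificates_before, certificates_after, backup_path)."""
    store = Path(path)
    backup = store.with_name(store.name + backup_suffix)   # e.g. iofiltervp_castore.pem.backup
    original = store.read_text()
    pruned = remove_certificate_blocks(original, set(indices))  # validate before touching disk
    shutil.copy2(store, backup)                                  # keeps mode and timestamps
    store.write_text(pruned)
    return count_certificates(original), count_certificates(pruned), str(backup)


# Constructed sample store: three placeholder blocks (not real certificates); block #2
# stands in for the SHA-1 entry found during verification.
def _fake_block(label):
    return f"-----BEGIN CERTIFICATE-----\n{label}\n-----END CERTIFICATE-----\n"


SAMPLE_STORE = "# iofiltervp_castore.pem (constructed)\n" + "".join(
    _fake_block(f"PLACEHOLDER-CERT-{n}") for n in (1, 2, 3))


def demo_prune(weak_index=2):
    """Write the sample store to a scratch directory, prune it, and report what happened."""
    workdir = Path(tempfile.mkdtemp())
    store = workdir / "iofiltervp_castore.pem"
    store.write_text(SAMPLE_STORE)
    before, after, backup = prune_store_file(store, [weak_index])
    return {
        "before": before,
        "after": after,
        "backup_exists": Path(backup).exists(),
        "backup_matches": Path(backup).read_text() == SAMPLE_STORE,
        "remaining": store.read_text(),
    }


if __name__ == "__main__":
    print(demo_prune())
```

The pruned text is computed and validated before the backup is written, so an out-of-range index leaves both the store and the filesystem untouched; after the daemon restart, rerunning the scan loop on the file should show one fewer "Certificate #" entry and no sha1WithRSAEncryption line.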
service-control --stop vmware-updatemgr && service-control --start vmware-updatemgr
service-control --status vmware-updatemgr