1. Follow the KB that matches the PSC deployment type:
vCenter Server or Platform Services Controller certificate validation error messages for external solutions in environments with an External Platform Services Controller (2121701)
https://kb.vmware.com/s/article/2121701
vCenter Server certificate validation error for external solutions in environments with Embedded Platform Services Controller (2121689)
https://kb.vmware.com/s/article/2121689
2. After the lookupservice trust anchors have been validated and corrected as needed, validate that the VECS MACHINE_SSL_CERT store holds only the leaf certificate under the __MACHINE_CERT alias. Some upgrade paths leave the full chain certificate in this entry instead of the leaf.
Validation:
- Check the MACHINE_SSL_CERT store. The entry should be a single leaf certificate. If the store contains the chain certificate, this will need to be corrected.
/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store MACHINE_SSL_CERT
Backup the certificate and key:
1. Export the certificate.
/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output ~/entry__MACHINE_CERT-getcert.txt
2. Export the private key.
/usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output ~/entry__MACHINE_CERT-getkey.txt
Copy the certificate leaf:
1. The leaf certificate is the topmost certificate in the chain file. Using your preferred text editor, copy the first certificate, from and including -----BEGIN CERTIFICATE----- through and including -----END CERTIFICATE-----, and save it as ~/leaf_MACHINE_CERT.pem.
2. Validate that the certificate is correct.
openssl x509 -in ~/leaf_MACHINE_CERT.pem -noout -text
3. Validate that the public keys match. The two hashes must be identical.
openssl pkey -in ~/entry__MACHINE_CERT-getkey.txt -pubout -outform pem | sha256sum
openssl x509 -in ~/leaf_MACHINE_CERT.pem -pubkey -noout -outform pem | sha256sum
If validation is correct, proceed; otherwise troubleshoot any errors and mismatches, regenerating certificates as needed.
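The leaf extraction and key match from the steps above, as a small shell helper so the check is repeatable rather than done by hand in an editor. This is an added example, not part of the VMware KB; the file names are placeholders and the script assumes openssl and sha256sum are on the path, as they are on a VCSA.

```shell
#!/bin/sh
# Extract the leaf (first) certificate from a PEM chain file and confirm it
# pairs with the exported private key before recreating the VECS entry.

# extract_leaf CHAIN_FILE OUT_FILE : write only the first BEGIN/END CERTIFICATE block.
extract_leaf() {
    awk '/-----BEGIN CERTIFICATE-----/ { if (seen) exit; seen = 1 }
         seen { print }
         /-----END CERTIFICATE-----/ { exit }' "$1" > "$2"
}

# count_certs FILE : number of certificate blocks in FILE (1 is expected for a leaf).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# pubkey_fingerprint_key KEY_FILE : SHA-256 of the public key derived from the private key.
pubkey_fingerprint_key() {
    openssl pkey -in "$1" -pubout -outform pem | sha256sum | awk '{ print $1 }'
}

# pubkey_fingerprint_cert CERT_FILE : SHA-256 of the public key carried in the certificate.
pubkey_fingerprint_cert() {
    openssl x509 -in "$1" -pubkey -noout | sha256sum | awk '{ print $1 }'
}

# pubkeys_match KEY_FILE CERT_FILE : exit 0 only when the key and certificate belong together.
pubkeys_match() {
    [ "$(pubkey_fingerprint_key "$1")" = "$(pubkey_fingerprint_cert "$2")" ]
}

# Example run against placeholder file names (as exported in the steps above):
#   extract_leaf ~/entry__MACHINE_CERT-getcert.txt ~/leaf_MACHINE_CERT.pem
#   [ "$(count_certs ~/leaf_MACHINE_CERT.pem)" = 1 ] && \
#   pubkeys_match ~/entry__MACHINE_CERT-getkey.txt ~/leaf_MACHINE_CERT.pem && echo "leaf and key match"
```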
Recreate the entry in the VECS store:
1. Stop all services and start only the vmafdd, vmdird and vmcad services.
service-control --stop --all
service-control --start vmafdd
service-control --start vmdird
service-control --start vmcad
2. Delete the existing entry.
/usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store MACHINE_SSL_CERT --alias __MACHINE_CERT
3. Create a new entry of the same name pointing to the same key and the leaf certificate.
/usr/lib/vmware-vmafd/bin/vecs-cli entry create --store MACHINE_SSL_CERT --alias __MACHINE_CERT --cert ~/leaf_MACHINE_CERT.pem --key ~/entry__MACHINE_CERT-getkey.txt
4. Stop and start all services (alternatively, reboot the VCSA).
service-control --stop --all
service-control --start --all