"Provided certificate using the weak signature algorithm. Please provide the strong signature algorithm certificate", Certificate Replacement on vCenter Server 8.0 Fails with Weak Signature Algorithm Error Message

Article ID: 322174

Products

VMware vCenter Server

Issue/Introduction

Symptoms:
SSL certificate replacement on vCenter Server 8.0 fails with the following error messages:
  • Using CLI
Error: Provided certificate <cert file name> using the weak signature algorithm. Please provide the strong signature algorithm certificate.
Status : 0% Completed [Operation failed, performing automatic rollback]

Error while replacing Machine SSL Cert, please see /var/log/vmware/vmcad/certificate-manager.log for more information.
  • Using vSphere Client
Error occurred while fetching tls: Provided certificate using the weak signature algorithm. Please provide the strong signature algorithm certificate
 
  • Publishing a root certificate with the "dir-cli" utility fails with the following error:
root@vc01 [  ]# /usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert /root/cert/rootcertificate.pem
Enter password for [email protected]:
Certificate with subject 'C=US, ST=CA, L=Loc, O=vm, OU=Test, CN=TEST_CA' uses unsafe digest algorithm
dir-cli failed. Error 90022: Certificate's signature algorithm is weak


Environment

VMware vCenter Server 8.0

Resolution

  • Certificates with weak signature algorithms (SHA1) are no longer supported in vSphere 8.0, and the pre-checks in the certificate replacement workflows prevent the use of unsafe certificates.
  • Please generate a certificate with the SHA256 signature algorithm (the leaf certificate and all certificates in the root certificate chain) and then proceed with the certificate replacement.
Sample Certificate with SHA1 Signature Algorithm (Unsupported): [image: Sha1_cert.png]

Sample Certificate with SHA256 Signature Algorithm (Supported): [image: sha256_cert.png]


Additional Information

Upgrading vCenter Server or ESXi 8.0 fails during precheck due to a weak certificate signature algorithm