"Provided certificate using the weak signature algorithm. Please provide the strong signature algorithm certificate", Certificate Replacement on vCenter Server 8.0 Fails with Weak Signature Algorithm Error Message
Article ID: 322174
Products
VMware vCenter Server
Issue/Introduction
Symptoms: SSL certificate replacement on vCenter Server 8.0 fails with the error messages below:
Using CLI
Error: Provided certificate <cert file name> using the weak signature algorithm. Please provide the strong signature algorithm certificate. Status : 0% Completed [Operation failed, performing automatic rollback]
Error while replacing Machine SSL Cert, please see /var/log/vmware/vmcad/certificate-manager.log for more information.
Using vSphere Client
Error occurred while fetching tls: Provided certificate using the weak signature algorithm. Please provide the strong signature algorithm certificate
Publishing a root certificate with the "dir-cli" utility fails with the error below:
root@vc01 [ ]# /usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert /root/cert/rootcertificate.pem
Enter password for [email protected]:
Certificate with subject 'C=US, ST=CA, L=Loc, O=vm, OU=Test, CN=TEST_CA' uses unsafe digest algorithm
dir-cli failed. Error 90022: Certificate's signature algorithm is weak
When updating vCenter certificates in the vSphere Web Client from a CSR generated in the web client, importing the third-party-issued certificate may fail with the error below:
"Certificate uses a weak signature algorithm - SHA1WITHRSA. Only SHA-2 RSA algorithms are supported on the vCenter Server."
Verify that the new certificate files use a SHA-2 (for example SHA256) signature algorithm, and that neither the third-party certificate nor any certificate in the chain file is signed with SHA1. Copy each certificate out of the chain file with a text editor and review each one individually: tools that read a combined chain file typically report only the signature algorithm of the first certificate in the file, which hides SHA1-signed certificates further down the chain. Use only chain files that contain no SHA1-signed certificates. Contact the certificate provider to obtain SHA-2 replacement certificates as needed.
Environment
VMware vCenter Server 8.0
Resolution
Certificates with weak signature algorithms (SHA1) are no longer supported in vSphere 8.0, and the pre-checks built into the certificate replacement workflows reject them.
To resolve the issue:
Generate or obtain certificates that use the SHA256 signature algorithm (including all intermediate certificates and the root certificate in the chain), then proceed with the certificate replacement.
Sample Certificate with SHA1 Signature Algorithm (Unsupported):
Sample Certificate with SHA256 Signature Algorithm (Supported):
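The per-certificate review described under Symptoms (each block of the chain file checked on its own, because a combined chain file hides everything after the first certificate) can be scripted before the replacement is attempted. The following is an added example written for this article; it is not VMware code and is not the certificate-manager pre-check. It uses only the Python standard library, splits a PEM chain into its CERTIFICATE blocks, decodes the outer X.509 SEQUENCE of each block and reads the signatureAlgorithm OID. The stub_cert_pem() helper and the chain built in the main block are constructed fixtures with an empty tbsCertificate, not real certificates; the scanner itself reads any real chain.pem.

```python
import base64
import re

# Signature-algorithm OIDs (RFC 3279, RFC 4055, RFC 5758) -> (name, is_weak).
SIG_ALGS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", False),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", False),
    "1.2.840.10045.4.3.4": ("ecdsa-with-SHA512", False),
}
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(content):
    """OID content octets -> dotted-decimal string."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # last octet of this base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def signature_oid(der):
    """Dotted OID of Certificate.signatureAlgorithm.algorithm (RFC 5280 section 4.1)."""
    tag, cert, _ = _tlv(der, 0)            # Certificate ::= SEQUENCE { tbs, sigAlg, sigValue }
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _tlv(cert, 0)              # skip tbsCertificate
    _, alg_id, _ = _tlv(cert, pos)         # signatureAlgorithm AlgorithmIdentifier
    tag, oid, _ = _tlv(alg_id, 0)          # algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def scan_chain(pem_text):
    """[(position, oid, name, is_weak)] for every CERTIFICATE block in the file.
    is_weak is None for an OID not in SIG_ALGS (e.g. RSASSA-PSS, whose hash lives
    in the parameters): review those certificates manually."""
    report = []
    for i, m in enumerate(PEM_BLOCK.finditer(pem_text), start=1):
        oid = signature_oid(base64.b64decode("".join(m.group(1).split())))
        name, weak = SIG_ALGS.get(oid, ("unknown", None))
        report.append((i, oid, name, weak))
    return report


def chain_is_sha2_clean(pem_text):
    """True only if every certificate in the chain has a known, non-weak signature."""
    return all(weak is False for _, _, _, weak in scan_chain(pem_text))


# --- constructed fixtures (assumption: these are NOT real certificates) ---------
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:                           # remaining base-128 digits carry the high bit
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def stub_cert_pem(oid_dotted):
    """DER skeleton with the outer Certificate shape and the given signatureAlgorithm.
    tbsCertificate is an empty placeholder, so this is only offline input for scan_chain()."""
    body = (_der(0x30, b"")                                                        # tbsCertificate
            + _der(0x30, _der(0x06, _encode_oid(oid_dotted)) + _der(0x05, b""))    # AlgorithmIdentifier
            + _der(0x03, b"\x00" * 17))                                            # signatureValue
    b64 = base64.b64encode(_der(0x30, body)).decode()
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + "\n-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    # Constructed chain: SHA256 leaf and root, but a SHA1 intermediate in the middle.
    chain = (stub_cert_pem("1.2.840.113549.1.1.11")
             + stub_cert_pem("1.2.840.113549.1.1.5")
             + stub_cert_pem("1.2.840.113549.1.1.11"))
    status = {True: "WEAK", False: "ok", None: "verify manually"}
    for pos, oid, name, weak in scan_chain(chain):
        print(f"cert #{pos}: {name} ({oid}) {status[weak]}")
    print("chain acceptable for vCenter 8.0:", chain_is_sha2_clean(chain))
```

Run it against the real chain file with `scan_chain(open("chain.pem").read())`; a chain_is_sha2_clean() result of False means the replacement pre-check will reject the file, and the report shows which position in the chain (leaf, intermediate or root) still carries a SHA1 signature and needs to be reissued.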