Error: "Previous MACHINE_SSL_CERT Subject Alternative Name does not match new MACHINE_SSL_CERTIFICATE Subject Alternative Name" while replacing vCenter Server Machine SSL Certificate
Article ID: 322262
Updated On: 05-06-2025
Products
Issue/Introduction
- Using certificate manager to replace an Machine SSL certificate with a new custom, CA signed certificate fails with below error message:
Previous MACHINE_SSL_CERT Subject Alternative Name does not match new MACHINE_SSL_CERTIFICATE Subject Alternative Name
- In the
certificate-manager.logfile, you will see entries similar to:2017-05-18T18:47:26.132Z INFO certificate-manager MACHINE_SSL_CERT certificate replaced successfully. SerialNumber and Thumbprint changed.2017-05-18T18:47:26.545Z ERROR certificate-manager Previous MACHINE_SSL_CERT Subject Alternative Name does not match new MACHINE_SSL_CERTIFICATE Subject Alternative Name2017-05-18T18:47:26.545Z INFO certificate-manager Performing rollback of Machine SSL Cert...
The vSphere 6.x Certificate Manager stores a certificate-manager.log file in these locations:- Windows vCenter Server 6.x:
C:\ProgramData\VMware\vCenterServer\logs\vmca\certificate-manager.log - vCenter Server Appliance 6.x:
/var/log/vmware/vmcad/certificate-manager.log
- Windows vCenter Server 6.x:
Environment
- VMware vCenter Server Appliance 6.0.x
- VMware vCenter Server Appliance 6.7.x
- VMware vCenter Server 6.5.x
- VMware vCenter Server 6.7.x
- VMware vCenter Server 6.0.x
- VMware vCenter Server Appliance 6.5.x
Cause
Prior to vCenter Server 6.5 U2 and vCenter Server 6.0 Patch 7, there was an issue which displayed this behavior due to any mismatch of case or value between the SAN entries. This can include extra fields as well.
Old certificate SAN:IP Address=10.10.10.122DNS Name=vcenter65.example.comNew certificate SAN:IP Address=10.10.10.123DNS Name=VCENTER65.example.com
DNS Name=vcenter65
email=admin@example.comResolution
This issue is resolved in below vCenter Server builds :
- VMware vCenter Server 6.0 Update 3g available at Broadcom Downloads.
- VMware vCenter Server 6.5 Update 2 available at Broadcom Downloads.
- VMware vCenter Server 6.7.0c available at Broadcom Downloads.
Workaround:
Regenerate the certificate with the same case and values as the old Machine SSL Certificate.
This issue can happen on the builds mentioned in the above Resolution section as well, if the new Machine SSL Certificate does not contain the PNID in the SAN field. Regenerate the certificate with correct PNID in the SAN field to resolve the issue. Refer to Related Information in this article to verify the PNID and Subject Alternate Names.
Additional Information
- To display the PNID of a vCenter Server Appliance, log in to the vCenter Server and run below command:
/usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhostWindows vCenter Server:
C:\Program Files\VMware\vCenter Server\vmafdd\vmafd-cli get-pnid --server-name localhost- Run the following command to check the Subject Alternative Name field of the existing Machine SSL Certificate.
/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store MACHINE_SSL_CERT --text | grep -A1 AlternativeWindows vCenter Server:
C:\Program Files\VMware\vCenter Server\vmafdd\vecs-cli entry list --store MACHINE_SSL_CERT --text- Run the following command to check the Subject Alternative Name field and the value of the DNS Name of Certificate.
openssl x509 -in <path_to_certificate_file> -noout -text | grep -A1 Alternative
For example:openssl x509 -in mycert.crt -noout -text | grep -A1 Alternative X509v3 Subject Alternative Name: DNS:myserver.example.com, DNS:myserver
Feedback
