Replacing NSX-T certificate with CA signed certificates through SDDC Manager fails with "Data type mismatch, expected certificate_signed but received certificate_ca"..."
Article ID: 324588
Updated On:
Products
VMware Cloud Foundation
Issue/Introduction
Symptoms:
Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
- In SDDC Manager, certificate replacement fails with below error:
- In /var/log/vmware/vcf/operationsmanager/operationsmanager.log, you see entries similar to:
Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
Environment
VMware Cloud Foundation 4.x
Cause
This issue occurs if the NSX-T server Certificate is not compliant with the requirements.
Resolution
NSX- T certificates have the following requirements:
Note: Domain_name is the workload domain for which certificate replacement failed
CA:FALSE
- Server certificate (nsxt_fqdn.crt) must contain the Basic Constraints field with value CA:FALSE.
- Root CA certificate chain file (rootca.crt), intermediate certificates, and root certificate must contain the Basic Constraints field with value CA:TRUE
- On any system with openssl installed, use the command:
openssl x509 -in <path_to_NSXT_certificate_file> -noout -text
- On the SDDC Manager, use the below command:
Note: Domain_name is the workload domain for which certificate replacement failed
- Under X509v3 Basic Constraints, check the CA bit value.
- For valid NSX-T Server certificate, the CA bit value should be CA:FALSE
For example:
X509v3 Basic Constraints: criticalCA:FALSE
- Re-generate the NSX-T server certificates if Basic Constraints field is set to CA:TRUE
Additional Information
For more information, see the "Install Third-Party CA-Signed Certificates" section of VMware Cloud Foundation Documentation
Feedback
Yes
No
Powered by
