"Error: Failed to start services in profile ALL" when updating Machine SSL Certificate by certificate-manager when vCenter PNID is IP Address

Article ID: 324608

Products

VMware vCenter Server

Issue/Introduction

  • Updating the Machine SSL certificate with certificate-manager fails.
  • The vCenter's Primary Network ID (PNID) is an IP Address.
  • In the /var/log/vmware/vmcad/certificate-manager.log file, you see entries similar to:
    YYYY-MM-DDTHH:MM:SS.MSZ INFO certificate-manager Running command :- service-control --start  --all
    YYYY-MM-DDTHH:MM:SS.MSZ INFO certificate-manager please see service-control.log for service status
    Service-control failed. Error: Failed to start services in profile ALL. RC=2, stderr=Failed to start hvc, vpxd, vpxd-svcs services. Error: Service crashed while starting
    
    YYYY-MM-DDTHH:MM:SS.MSZ ERROR certificate-manager None
    YYYY-MM-DDTHH:MM:SS.MSZ ERROR certificate-manager Error while starting services, please see service-control log for more details
    YYYY-MM-DDTHH:MM:SS.MSZ ERROR certificate-manager Error while replacing Machine SSL Cert, please see /var/log/vmware/vmcad/certificate-manager.log for more information.
    YYYY-MM-DDTHH:MM:SS.MSZ ERROR certificate-manager {
        "detail": [
            {
                "id": "install.ciscommon.command.errinvoke",
                "translatable": "An error occurred while invoking external command : '%(0)s'",
                "args": [
                    "None"
                ],
                "localized": "An error occurred while invoking external command : 'None'"
            },
            "Error while starting services, please see service-control log for more details"
        ],
        "componentKey": null,
        "problemId": null,
        "resolution": null
    }

Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.

Environment

Seen in:

  • VMware vCenter Server 7.0

Cause

The Subject Alternative Name (SAN) value is missing.

For example, when the PNID is an IP address and the SAN is present, the output when viewing the certificate looks similar to:
-------------------------------
    Certificate:
        Data:
            :
            X509v3 extensions:
                :
                X509v3 Subject Alternative Name:   <---
                    IP Address:XX.XX.XX.XX         <---
-------------------------------
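
To check a certificate against the condition described above, the following shell functions (an added example, not part of the original article or VMware tooling) parse `openssl x509 -noout -text` output and test whether the SAN holds the PNID as an exact `IP Address:` entry. The sample dumps and 192.0.2.x addresses are constructed; the `vecs-cli` export in the closing comment is the usual way to read the Machine SSL certificate and is not taken from this article.

```shell
#!/bin/sh
# Added example, not VMware code: does a certificate's SAN list the PNID IP?

# Print one SAN entry per line from `openssl x509 -noout -text` output on stdin.
san_entries() {
    awk '/X509v3 Subject Alternative Name/ {
             if ((getline line) <= 0) exit      # header was the last line
             gsub(/^[ \t]+|[ \t\r]+$/, "", line)
             n = split(line, e, /, */)
             for (i = 1; i <= n; i++) print e[i]
             exit
         }'
}

# Succeed only when the SAN holds an exact "IP Address:<ip>" entry.
# -x -F: whole-line literal match, so 192.0.2.1 does not match 192.0.2.10.
san_has_ip() {
    san_entries | grep -qxF "IP Address:$1"
}

# Constructed sample dumps (documentation addresses, not real certificates).
sample_ok() { printf '%s\n' \
    '        X509v3 extensions:' \
    '            X509v3 Subject Alternative Name: ' \
    '                IP Address:192.0.2.10'; }
sample_dns_only() { printf '%s\n' \
    '        X509v3 extensions:' \
    '            X509v3 Subject Alternative Name: ' \
    '                DNS:192.0.2.10, DNS:vc.example.test'; }
sample_no_san() { printf '%s\n' \
    '        X509v3 extensions:' \
    '            X509v3 Key Usage: critical' \
    '                Digital Signature, Key Encipherment'; }

for s in sample_ok sample_dns_only sample_no_san; do
    if "$s" | san_has_ip 192.0.2.10; then
        echo "$s: PNID IP present in SAN"
    else
        echo "$s: PNID IP missing from SAN"
    fi
done

# On the appliance, after defining the functions above:
# /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT \
#   | openssl x509 -noout -text \
#   | san_has_ip "$(/usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost)"
```

An IP address recorded only as a `DNS:` entry is reported as missing, because the check looks specifically for the `IP Address:` form shown above.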

Resolution

  1. Validate the current PNID by running the command:

    /usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost

    If the PNID is an IP address, you may be subject to this issue.

  2. In certificate-manager, enter the PNID (as that IP address) at the "Enter proper value for 'IPAddress'" prompt.

    Example, where "##.##.##.##" represents the IP address that is the PNID:
     
                Please provide valid SSO and VC privileged user credential to perform certificate operations.
                Enter username [[email protected]]: 
                Enter password:
                ...

                Enter proper value for 'IPAddress' (Provide comma separated values for multiple IP addresses) [optional] : ##.##.##.##