Replacing the vRealize Automation default SSL certificate with Microsoft CA signed certificate fails due to errors in the v3 critical extensions section of the certificate
search cancel

Replacing the vRealize Automation default SSL certificate with Microsoft CA signed certificate fails due to errors in the v3 critical extensions section of the certificate

book

Article ID: 325876

calendar_today

Updated On:

Products

VMware Aria Suite

Issue/Introduction

Replacing the default SSL certificate of vRealize Automation from vRealize Suite Lifecycle Manager fails with error related to "Unable to parse certificate's ['v3_extensions']['critical'] section."

Symptoms:
  • Errors similar to are seen:
Certificate with sha256 sum: SHA256_THUMBPRINT have errors in section 'v3_extensions'["Unable to parse certificate's ['v3_extensions']['critical'] section. ", "Unable to parse certificate's ['v3_extensions']['critical'] section. "]


Environment

VMware vRealize Automation 8.x

Cause

Microsoft CA signing process introduces v3 extensions which are not understood by vRealize Automation and certificate verification process marks the certificate as invalid.

Resolution

This issue is resolved in vRealize Automation 8.0.1.

Workaround:
To work around this issue, you can force install of the certificate with the following steps:
  1. Verify that your certificate covers the following criteria:
  • Includes all of the appliances hostnames as subject alternative names (SANs)
  • Includes the load-balancer fully qualified domain name (FQDN) as a subject alternative name (SAN)
  • Doesn't include any wildcard (*) addresses
  1. Compose a PEM file (Private Key and Entire Trust Chain) which should include the following in the same order:
  • The RSA encrypted private key
  • The Primary certificate in Base 64 format
  • All of the Intermediate certificates in Base 64 format
  • The Root CA certificate in Base 64 format

Example:
 -----BEGIN RSA PRIVATE KEY-----
(Private Key)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(Primary SSL certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Intermediate certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Root CA certificate)
-----END CERTIFICATE-----
 
  1. SSH to one of the appliances and run the following command:
  • # vracli certificate ingress --validate stdin --parse
  1. Paste the entire PEM which we composed in step 2 and press CTRL+D.
  2. This should result in the error below:
  • Certificate with sha256 sum: SHA256_THUMBPRINT have errors in section 'v3_extensions'["Unable to parse certificate's ['v3_extensions']['critical'] section. ", "Unable to parse certificate's ['v3_extensions']['critical'] section. "]
  • You can ignore errors related to v3_extensions - critical section, however if you receive different verification errors please do not proceed further and go back to step 1 and 2 to verify your PEM.
  1. Run command the following command in order to force the certificate installation:
  • # vracli certificate ingress --set stdin --force
  1. Paste the PEM, same as step 2, and press CTRL+D
  2. Apply the PEM on all appliances by running the following command:
  • # /opt/scripts/deploy.sh
  1. Wait until re-deployment is completed. Once ready you should see a message similar to the one below:
  • ¬†Prelude has been deployed successfully
  1. Verify the certificate has been changed successfully by navigating to the vRealize Automation portal
You can proceed with replacing the VMware Identity Manager certificate from vRealize Suite Lifecycle Manager