Symptoms:
You are unable to create a customization spec in the GUI. It fails with the following error "Create customization specification failed!" "vim.fault.Notfound"



You may see the following in /var/log/vmware/vsphere-ui/logs/vsphere_client_virgo.log

[2019-10-01T08:44:26.317Z] [ERROR] http-nio-5090-exec-40 70000153 100004 200001 c.v.v.c.vm.customizations.impl.VmCustomizationMutationProvider Error occurred while creating vm customization spec.
 com.vmware.vim.binding.vmodl.fault.SystemError: vim.fault.NotFound
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
        at java.lang.Class.newInstance(Class.java:442)
        at com.vmware.vim.vmomi.core.types.impl.ComplexTypeImpl.newInstance(ComplexTypeImpl.java:174)
        at com.vmware.vim.vmomi.core.types.impl.DefaultDataObjectFactory.newDataObject(DefaultDataObjectFactory.java:25)
        at com.vmware.vim.vmomi.core.soap.impl.unmarshaller.ComplexStackContext.<init>(ComplexStackContext.java:30)
        at com.vmware.vim.vmomi.core.soap.impl.unmarshaller.UnmarshallerImpl$UnmarshallSoapFaultContext.parse(UnmarshallerImpl.java:159)
        at com.vmware.vim.vmomi.core.soap.impl.unmarshaller.UnmarshallerImpl$UnmarshallSoapFaultContext.unmarshall(UnmarshallerImpl.java:105)
        at com.vmware.vim.vmomi.core.soap.impl.unmarshaller.UnmarshallerImpl.unmarshalSoapFault(UnmarshallerImpl.java:92)
        at com.vmware.vim.vmomi.core.soap.impl.unmarshaller.UnmarshallerImpl.unmarshalSoapFault(UnmarshallerImpl.java:86)
        at com.vmware.vim.vmomi.client.common.impl.SoapFaultStackContext.setValue(SoapFaultStackContext.java:40)
        at com.vmware.vim.vmomi.client.common.impl.ResponseUnmarshaller.processNextElement(ResponseUnmarshaller.java:127)
        at com.vmware.vim.vmomi.client.common.impl.ResponseUnmarshaller.unmarshal(ResponseUnmarshaller.java:70)
        at com.vmware.vim.vmomi.client.common.impl.ResponseImpl.unmarshalResponse(ResponseImpl.java:284)
        at com.vmware.vim.vmomi.client.common.impl.ResponseImpl.setResponse(ResponseImpl.java:239)
        at com.vmware.vim.vmomi.client.http.impl.HttpExchangeBase.parseResponse(HttpExchangeBase.java:156)
        at com.vmware.vim.vmomi.client.http.impl.HttpAsyncExchange$1$2.run(HttpAsyncExchange.java:149)
        at com.vmware.vim.vmomi.core.impl.BlockingFuture.executeRunnable(BlockingFuture.java:150)
        at com.vmware.vim.vmomi.core.impl.BlockingFuture.get(BlockingFuture.java:75)
        at com.vmware.vim.vmomi.client.common.impl.MethodInvocationHandlerImpl$RetryingFuture.get(MethodInvocationHandlerImpl.java:588)
        at com.vmware.vim.vmomi.client.common.impl.MethodInvocationHandlerImpl$CallExecutor.executeCall(MethodInvocationHandlerImpl.java:682)
        at com.vmware.vim.vmomi.client.common.impl.MethodInvocationHandlerImpl.completeCall(MethodInvocationHandlerImpl.java:371)
        at com.vmware.vim.vmomi.client.common.impl.MethodInvocationHandlerImpl.invokeFetch(MethodInvocationHandlerImpl.java:347)
        at com.vmware.vim.vmomi.client.common.impl.MethodInvocationHandlerImpl.invoke(MethodInvocationHandlerImpl.java:191)
        at com.sun.proxy.$Proxy946.getEncryptionKey(Unknown Source)

Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.

VMware vCenter Server 6.7.x

VMware vCenter Server 7.x

The key usage parameter has changed in the data-encipherment.crt located in /etc/vmware-vpx/ssl/

What you should see:
$ openssl x509 -in before/data-encipherment.crt -purpose -noout -text
...
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment

What you will see if this issue is affecting to your vCenter:
$ openssl x509 -in after/data-encipherment.crt -purpose -noout -text
...
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment

Ensure you have a valid backup and offline snapshots before making any changes:

1. Delete the data-encipherment entry from vecs-store
/usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store data-encipherment --alias data-encipherment --server localhost --upn [email protected]

2. Create private and public key pairs
/usr/lib/vmware-vmca/bin/certool --genkey --privkey=/etc/vmware-vpx/ssl/data-encipherment.key --pubkey=/etc/vmware-vpx/ssl/data-encipherment.pub

3. Create certfile for data encipherment: (Replace FQDN with your machine Fully Qualified Domain Name)
/usr/lib/vmware-vmca/bin/certool --server=FQDN --genCIScert --dataencipherment --privkey=/etc/vmware-vpx/ssl/data-encipherment.key --cert=/etc/vmware-vpx/ssl/data-encipherment.crt --Name=data-encipherment --FQDN=FQDN

4. Verify if new cert is located in VECS store with :
/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store data-encipherment --text | less
Number of entries in store :    1

Check validity date/subject name to verify its new and under Key Usage if the following are present:
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment

5. Restart all services.
service-control --stop --all
service-control --start --all

Note: If the cert is not located in the data-encipherment VECS store, create the vecs-store entry as below :

/usr/lib/vmware-vmafd/bin/vecs-cli entry create --store data-encipherment --alias data-encipherment --server localhost --upn [email protected] --cert /etc/vmware-vpx/ssl/data-encipherment.crt --key /etc/vmware-vpx/ssl/data-encipherment.key

Then, restart all services.