vSAN -- KMS - Encryption -- Certificate Status -- Healthcheck shows Error



Article ID: 326426




VMware vSAN


In a vSAN KMS-encrypted cluster, the "Certificate Status" check for the KMS cluster shows an error in the health check, while the trust check and all checks on the individual KMS servers are green.

When you try to generate new encryption keys, you get the following error message in the vCenter vSphere Client:
"General vSAN error: There was an issue generating new KMS keys for the cluster."

The following do not resolve the issue:
- Restarting the vmware-sps and vmware-vsan-health services on vCenter
- Rebooting vCenter


VMware vSAN 7.0.x
VMware vSAN 8.0.x
VMware vSAN 6.x


Possible causes:
  • Expired CA certificate
  • Certificate state needs to be refreshed
  • A change in the KMS server credentials that were entered into vCenter


To resolve all three possible causes, perform the following steps.
  1. Re-enter the KMS server credentials via Cluster > Configure > Key Management Services: click "Action", then "Edit".
  2. In the same menu as step 1, check the certificate expiration dates to make sure they are still valid.
  3. Right-click each host individually and select Certificates > Renew CA Certificate.
Note: Make sure that the Certificate Mode is VMCA before renewing the certificates; the following document can assist: Change the Certificate Mode
  4. Refresh the health check to see if the error has cleared.
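As an added example (not part of this article or of any VMware tooling), the following Python script performs the expiration check from step 2 out-of-band: it classifies a certificate's validity window and can fetch the certificate a KMS server presents on its KMIP port, using the CA file that vCenter trusts. The KMS hostname, CA file path and the sample certificate data are constructed placeholders; port 5696 is the standard KMIP port.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed samples shaped like ssl.SSLSocket.getpeercert() output; the
# subjects, issuer and dates are invented for illustration only.
SAMPLE_EXPIRED = {
    "subject": ((("commonName", "kms01.example.internal"),),),
    "issuer": ((("commonName", "Example Internal CA"),),),
    "notBefore": "Jan  1 00:00:00 2022 GMT",
    "notAfter": "Jan  1 00:00:00 2024 GMT",
}
SAMPLE_VALID = dict(SAMPLE_EXPIRED, notAfter="Jan  1 00:00:00 2030 GMT")


def classify_cert(cert, now=None, warn_days=30):
    """Return the cert's subject CN, a status of 'expired', 'not_yet_valid',
    'expiring' or 'valid', and whole days left until notAfter (negative if past)."""
    now_ts = (now or datetime.now(timezone.utc)).timestamp()
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])  # stdlib parser
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = int((not_after - now_ts) // 86400)
    if now_ts < not_before:
        status = "not_yet_valid"       # clock skew or a cert issued in the future
    elif now_ts >= not_after:
        status = "expired"             # matches the "Expired CA certificate" cause
    elif days_left <= warn_days:
        status = "expiring"            # renew before the health check goes red
    else:
        status = "valid"
    rdns = dict(attr for rdn in cert.get("subject", ()) for attr in rdn)
    return {"subject": rdns.get("commonName", "?"), "status": status, "days_left": days_left}


def check_kms_endpoint(host, cafile, port=5696, timeout=5):
    """Connect to the KMS's KMIP port, validating against the CA vCenter trusts.
    A chain that vCenter would reject (e.g. expired CA) fails the handshake, so
    that error is reported instead of silently skipping verification."""
    ctx = ssl.create_default_context(cafile=cafile)  # cafile is a placeholder path
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return classify_cert(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        return {"subject": host, "status": "verify_failed", "error": exc.verify_message}


if __name__ == "__main__":
    print(classify_cert(SAMPLE_EXPIRED))
    # Real use (placeholders): check_kms_endpoint("kms01.example.internal", "/path/to/kms-ca.pem")
```

A status of "expiring" or "expired" on the KMS leaf, or a "verify_failed" result naming the CA, points at the certificate cause; a clean "valid" result makes the stale-state or changed-credential causes more likely.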