Error: "The SSL certificate of STS service cannot be verified" and "KeyUsage does not allow key encipherment" appear during vCenter Server Appliance 6.7 Upgrade



Article ID: 345459

Products

  • VMware vCenter Server
  • VMware vCenter Server 6.0

Issue/Introduction

  • Upgrading vCenter Server Appliance 6.7 fails.
  • On the vCenter, /var/log/firstboot/firstbootStatus.json contains:
    "failedSteps": "vmidentity-firstboot"
  • On the vCenter, /var/log/firstboot/vmidentity-firstboot.py_####_stdout.log contains:
    The SSL certificate of STS service cannot be verified
  • On the vCenter, /var/log/vmware/sso/vmware-sts-idmd.log contains:
    KeyUsage does not allow key encipherment

    Note: On the vCenter Server Appliance, each service has its own folder under /var/log/vmware/.

To collect a log bundle or review log files, refer to Collecting diagnostic information for VMware products

Environment

VMware vCenter Server Appliance 6.7.x

Cause

This issue occurs because vCenter Server 6.7 requires the Key Encipherment bit in the X.509 Key Usage extension of every SSL certificate imported into vCenter Server. When an imported certificate does not carry that bit, the STS service certificate check fails during the vmidentity-firstboot step, which is what the "KeyUsage does not allow key encipherment" message in vmware-sts-idmd.log reports.

Resolution

To resolve this issue, ensure that every certificate imported into vCenter Server carries the Key Encipherment bit in its X.509 Key Usage extension. Before importing a certificate, inspect it with openssl x509 -in <cert.pem> -noout -text and confirm that Key Encipherment is listed under X509v3 Key Usage. If it is not, request a new certificate from the issuing CA with that key usage: the extension is part of the signed certificate and cannot be edited after issuance.
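As an added example that is not part of this article, the following Go program checks a PEM certificate for exactly the two defects described on this page: a Key Usage extension without the Key Encipherment bit, and a validity period that has already ended (the expired STS_INTERNAL_SSL_CERT case from the notes). It uses only the standard library and generates its own throwaway self-signed certificates, so it runs offline; the common name vcsa.example.test and the three test certificates are constructed sample data, not vCenter certificates. On the appliance itself the same two fields are visible in the X509v3 Key Usage and Not After lines of openssl x509 -noout -text output.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// CheckVCenterCert checks a PEM-encoded certificate for the two conditions this
// article ties to the vmidentity-firstboot failure: a Key Usage extension that
// lacks the Key Encipherment bit, and a validity period that ended before "now".
// It returns nil when neither problem is present, otherwise an error naming
// every problem found (both are reported if both apply).
func CheckVCenterCert(pemData []byte, now time.Time) error {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return errors.New("input does not start with a PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return fmt.Errorf("cannot parse certificate: %w", err)
	}

	var problems []string
	// KeyUsage is a bit set. A certificate with no Key Usage extension at all has
	// KeyUsage == 0 and fails this test too, which matches the logged message.
	if cert.KeyUsage&x509.KeyUsageKeyEncipherment == 0 {
		problems = append(problems, "KeyUsage does not allow key encipherment")
	}
	if now.After(cert.NotAfter) {
		problems = append(problems, "certificate expired on "+cert.NotAfter.UTC().Format(time.RFC3339))
	}
	if len(problems) > 0 {
		return fmt.Errorf("%q: %s", cert.Subject.CommonName, strings.Join(problems, "; "))
	}
	return nil
}

// SelfSignedPEM builds a throwaway self-signed RSA certificate with the requested
// Key Usage bits and validity window. It exists only so the check above can be
// exercised offline; it produces constructed test data, not a vCenter certificate.
func SelfSignedPEM(cn string, usage x509.KeyUsage, notBefore, notAfter time.Time) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     usage,
	}
	// Template doubles as parent, which yields a self-signed certificate.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	now := time.Now()
	withKE := x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
	cases := []struct {
		name   string
		usage  x509.KeyUsage
		before time.Time
		after  time.Time
	}{
		{"good", withKE, now.Add(-time.Hour), now.Add(24 * time.Hour)},
		{"no-key-encipherment", x509.KeyUsageDigitalSignature, now.Add(-time.Hour), now.Add(24 * time.Hour)},
		{"expired", withKE, now.Add(-48 * time.Hour), now.Add(-24 * time.Hour)},
	}
	for _, c := range cases {
		pemData, err := SelfSignedPEM("vcsa.example.test", c.usage, c.before, c.after)
		if err != nil {
			panic(err)
		}
		if err := CheckVCenterCert(pemData, now); err != nil {
			fmt.Printf("%-20s REJECT: %v\n", c.name, err)
		} else {
			fmt.Printf("%-20s OK\n", c.name)
		}
	}
}
```

To check a real certificate exported from vCenter, read the PEM file into a byte slice and pass it to CheckVCenterCert with time.Now(); a nil result means the certificate has neither of the two defects this article describes, and the error text otherwise tells you which one to fix.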

For more details on:

Notes:

  • The same symptom and the same log messages may also occur when upgrading a Windows-based vCenter Server 6.7, even when every certificate does carry the Key Encipherment parameter under Key Usages.
  • In that case the issue was caused by an expired SSL certificate in the STS_INTERNAL_SSL_CERT store. Replacing that certificate with the current MACHINE_SSL certificate and key resolved the problem. The entries in both stores, including their Not After dates, can be listed with vecs-cli entry list --store STS_INTERNAL_SSL_CERT --text (and likewise for MACHINE_SSL_CERT) from the vmafdd directory of the vCenter installation.

Additional Information