Resolution of the issue "Error: vCenter CA certificate not verified. Stopping":
To resolve this error, follow the steps below:
Step 1: Create a new cacert.pem file signed by the Custom CA Certificate:
- Create a new cacert.pem containing the vCenter certificate and the root certificate (if an intermediate certificate is present, add it as well).
- Save the above file as cacert.pem under C:\ProgramData\VMware\VMware VirtualCenter\SSL.
- Re-run the migration tool.
Step 2: Create a new cacert.pem file signed by the VMCA:
- Create the cfg file (rui.cfg in the commands below) using the template below:
[ req ]
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:false
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = DNS:vc.local, DNS:vc
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = State
localityName = City
0.organizationName = Company
organizationalUnitName = IT
commonName = vc.local
Note: Change DNS, commonName, State, City, Company, and organizationalUnitName wherever required.
- Create the csr and key file using the command below:
Note: In vCenter Server 5.5, openssl.exe is available in this location: C:\Program Files\VMware\Infrastructure\Inventory Service\bin
openssl.exe req -new -nodes -out "C:\ProgramData\VMware\VMware VirtualCenter\SSL\rui.csr" -newkey rsa:2048 -keyout "C:\ProgramData\VMware\VMware VirtualCenter\SSL\rui.key" -config "C:\ProgramData\VMware\VMware VirtualCenter\SSL\rui.cfg"
- Create the certificate using the command below:
openssl.exe x509 -req -days 3650 -in "C:\ProgramData\VMware\VMware VirtualCenter\SSL\rui.csr" -out "C:\ProgramData\VMware\VMware VirtualCenter\SSL\rui.crt" -CA "C:\ProgramData\VMware\CIS\data\vmca\root.cer" -CAkey "C:\ProgramData\VMware\CIS\data\vmca\privatekey.pem" -extensions v3_req -CAcreateserial -extfile "C:\ProgramData\VMware\VMware VirtualCenter\SSL\rui.cfg"
- Run the command:
vpxd -p
- Go to location C:\ProgramData\VMware\CIS\data\vmca.
- Copy the privatekey.pem and root.cer files and paste them into the location C:\ProgramData\VMware\VMware VirtualCenter\SSL\. Rename the root.cer file to cacert.pem.
- Reload the certificate from the MOB page. Navigate to the URL below:
- http://localhost/mob/?moid=vpxd-securitymanager&vmodl=1
- https:///mob/?moid=vpxd-securitymanager&vmodl=1
- Enter a vCenter Server administrator or [email protected] username and password when prompted.
- Click reloadSslCertificate.
- Click Invoke Method. If successful, the window shows this message: Method Invocation Result: void.
- Change to the vCenter Server directory. By default, this is C:\Program Files\VMware\Infrastructure\VirtualCenter Server\.
- Restart the VMware VirtualCenter Server service from the service control manager (services.msc).
- Restart the VMware vSphere Profile Driven Storage Service. Ensure that the VMware VirtualCenter Management Webservices service is started.
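A pre-flight check for the files produced above, best run before the reloadSslCertificate step. This is an added example, not part of the original article or VMware's tooling; it assumes rui.crt, rui.key and cacert.pem all sit in the SSL directory and that openssl.exe is at the vCenter Server 5.5 path named in the note above.

```powershell
# Added example: checks that rui.crt chains to cacert.pem, matches rui.key,
# and carries a subjectAltName. Paths are the ones used in the steps above
# (assumed to apply to your installation; adjust if it differs).
$openssl = 'C:\Program Files\VMware\Infrastructure\Inventory Service\bin\openssl.exe'
$sslDir  = 'C:\ProgramData\VMware\VMware VirtualCenter\SSL'
$crt     = Join-Path $sslDir 'rui.crt'
$key     = Join-Path $sslDir 'rui.key'
$caFile  = Join-Path $sslDir 'cacert.pem'

foreach ($f in $openssl, $crt, $key, $caFile) {
    if (-not (Test-Path -Path $f)) { throw "Missing file: $f" }
}

# 1. cacert.pem must hold at least one PEM certificate (root, plus any intermediate).
$caCount = @(Select-String -Path $caFile -SimpleMatch '-----BEGIN CERTIFICATE-----').Count
if ($caCount -lt 1) { throw "cacert.pem contains no PEM certificate block" }
Write-Host "cacert.pem holds $caCount certificate(s)"

# 2. rui.crt must verify against cacert.pem. Older OpenSSL builds can exit 0
#    on a failed verify, so the output text is checked, not only the exit code.
$verify = & $openssl verify -CAfile $caFile $crt | Out-String
if ($verify -notmatch ': OK') { throw "rui.crt does not chain to cacert.pem:`n$verify" }

# 3. rui.key must be the private key for rui.crt (same RSA modulus).
$crtMod = (& $openssl x509 -noout -modulus -in $crt | Out-String).Trim()
$keyMod = (& $openssl rsa  -noout -modulus -in $key | Out-String).Trim()
if (-not $crtMod -or $crtMod -ne $keyMod) { throw "rui.key does not match rui.crt" }

# 4. The v3_req extensions from rui.cfg must have been copied into the certificate.
$text = & $openssl x509 -noout -text -in $crt | Out-String
if ($text -notmatch 'Subject Alternative Name') {
    throw "rui.crt has no subjectAltName; check -extensions v3_req and -extfile"
}

# Summary for the change record: who issued the certificate and when it expires.
& $openssl x509 -noout -subject -issuer -enddate -in $crt
Write-Host "All checks passed: chain, key match and subjectAltName are in place."
```

If check 2 fails, the certificate that signed rui.crt is not in cacert.pem, which is the condition the "vCenter CA certificate not verified" error reports.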