Importing custom SSL certificates into vCenter fails with an error "Certificate uses unsupported signature algorithm - ecdsa-with-SHA256"

Article ID: 369797

Products

VMware vCenter Server 8.0

Issue/Introduction

Importing a custom SSL certificate into vCenter Server fails with the following error:

Error: Certificate uses an unsupported signature algorithm - ecdsa-with-SHA256. Only SHA-2 RSA algorithms are supported on the vCenter Server.
Status : 0% Completed [Operation failed, performing automatic rollback]

 

Additional symptoms/Error messages reported:

Error: Certificates uses an unsupported signature algorithm - SHA384WITHTHEECDSA. Only SHA-2 RSA algorithm are supported on the vCenter Server.

Environment

VMware vCenter Server 8.x

Cause

vSphere deploys only RSA certificates for server authentication and does not support generating ECDSA certificates.

The following signature algorithms are not supported: md2WithRSAEncryption, md5WithRSAEncryption, sha1WithRSAEncryption, RSASSA-PSS, dsaWithSHA1, ecdsa_with_SHA1 and ecdsa_with_SHA2 (any ECDSA signature, including the ecdsa-with-SHA256 and SHA384 ECDSA variants shown in the errors above).
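Because a failed import is rolled back only after the operation has started, it is worth checking the certificate's signature algorithm and key type before handing it to vCenter. The following script is an added example for this article, not VMware code: it reads `openssl x509 -noout -text` output, compares the signature algorithm against the supported SHA-2 RSA set and the rejected list above, and flags non-RSA keys (the article states only RSA certificates are supported for machine SSL). Algorithms the article does not name are reported as "unknown" rather than guessed. The two sample certificate dumps are constructed for the offline demo; `check_cert_file` assumes the `openssl` CLI is installed.

```shell
#!/bin/sh
# Pre-flight check for a vCenter Server 8 machine SSL certificate:
# does the signature algorithm satisfy the "SHA-2 RSA only" rule before the
# import is attempted (and automatically rolled back)?
# Added example for this article, not VMware code. The supported set and the
# rejected list come from the article; anything else is reported as "unknown".

# Algorithms the article lists as rejected, in the spelling OpenSSL prints.
# "ecdsa_with_SHA2" in the article covers every SHA-2 ECDSA variant.
UNSUPPORTED_SIGALGS='md2WithRSAEncryption md5WithRSAEncryption sha1WithRSAEncryption
RSASSA-PSS rsassaPss dsaWithSHA1 ecdsa-with-SHA1
ecdsa-with-SHA224 ecdsa-with-SHA256 ecdsa-with-SHA384 ecdsa-with-SHA512'

# Extract the outer certificate's "Signature Algorithm:" value from
# `openssl x509 -noout -text` output on stdin (the first occurrence; a second
# copy is printed again after the extensions).
sigalg_from_text() {
    sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Extract the "Public Key Algorithm:" value (rsaEncryption or id-ecPublicKey).
keyalg_from_text() {
    sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1
}

# classify_sigalg ALG -> prints supported | unsupported | unknown
classify_sigalg() {
    case "$1" in
        sha256WithRSAEncryption|sha384WithRSAEncryption|sha512WithRSAEncryption)
            echo supported ;;
        *)
            # Word-split the list onto one name per line and match exactly.
            if printf '%s\n' $UNSUPPORTED_SIGALGS | grep -qxF -- "$1"; then
                echo unsupported
            else
                echo unknown
            fi ;;
    esac
}

# Read `openssl x509 -noout -text` output on stdin and print a verdict.
# Returns 0 if the certificate would pass, 1 if vCenter 8 would reject it.
check_cert_text() {
    text=$(cat)
    sig=$(printf '%s\n' "$text" | sigalg_from_text)
    key=$(printf '%s\n' "$text" | keyalg_from_text)
    verdict=$(classify_sigalg "$sig")
    status=0
    echo "signature algorithm : ${sig:-<none found>} ($verdict)"
    echo "public key algorithm: ${key:-<none found>}"
    [ "$verdict" = supported ] || status=1
    # Only RSA certificates are supported for machine SSL, so an EC key fails too.
    [ "$key" = rsaEncryption ] || status=1
    if [ "$status" -eq 0 ]; then
        echo "OK: SHA-2 RSA signature on an RSA key"
    else
        echo "FAIL: vCenter Server 8 would reject this import and roll back"
    fi
    return "$status"
}

# Run the check against a PEM certificate on disk (needs the openssl CLI).
check_cert_file() {
    openssl x509 -in "$1" -noout -text | check_cert_text
}

# Constructed sample dumps (not real certificates) for an offline demo.
SAMPLE_ECDSA_TEXT='Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN = Example Lab CA
        Subject: CN = vcenter.lab.example
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
    Signature Algorithm: ecdsa-with-SHA256'

SAMPLE_RSA_TEXT='Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Example Lab CA
        Subject: CN = vcenter.lab.example
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
    Signature Algorithm: sha256WithRSAEncryption'

# Offline demo: the first sample is the kind of certificate the article's error is about.
printf '%s\n' "$SAMPLE_ECDSA_TEXT" | check_cert_text || echo "(re-issue it as SHA-2 RSA before importing)"
printf '%s\n' "$SAMPLE_RSA_TEXT" | check_cert_text
```

To check a real file, run `check_cert_file /path/to/machine_ssl.cer`; a non-zero exit status means the import would fail with the error above.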

Resolution

Only RSA certificates are supported for machine SSL.

When creating a custom machine SSL certificate for vCenter Server from Microsoft Certificate Authority (CA) templates, the Server Authentication and Client Authentication entries are not supported and must be removed from the template. For more information, refer to the knowledge base article "Provided certificate using the weak signature algorithm. Please provide the strong signature algorithm certificate" (Certificate Replacement on vCenter Server 8.0 Fails with Weak Signature Algorithm Error Message).

 

Additional Information

Refer to documentation: vSphere Certificate Requirements for Different Solution Paths

During the upgrade from vCenter Server 7 to vCenter Server 8:

If an ECDSA-signed certificate using the ecdsa-with-SHA256 algorithm was already deployed and functioning on vCenter Server 7, the upgrade carries that certificate forward without enforcing the new signature algorithm restrictions.

Because the certificate was already trusted and in active use, vCenter Server 8 allows it to remain operational after the upgrade. This leniency applies only to the upgrade itself. Once the system is on 8.x, any attempt to import or replace a certificate with an ECDSA signature fails with the error "Certificate uses an unsupported signature algorithm - ecdsa-with-SHA256. Only SHA-2 RSA algorithms are supported on the vCenter Server." Plan the next certificate renewal with a SHA-2 RSA certificate accordingly.