Machine SSL Certificate Replacement using vSphere Client fails with error "the trustAnchors parameter must be non-empty"

Article ID: 376816


Products

VMware vCenter Server

Issue/Introduction

  • Replacing the Machine SSL certificate on vCenter Server using "Replace with external CA certificate (requires private key)" fails in the vSphere Client with the error "the trustAnchors parameter must be non-empty".

  • The Certificate Management log file "/var/log/vmware/certificatemanagement/certificatemanagement-svcs.log" shows the following error snippets:

    YYYY-MM-DDTHH:MM:SS [tomcat-exec-7  INFO  com.vmware.certificatemanagement.impl.SSLCertificate  opId=] Validating the private key with the provided certificate
    YYYY-MM-DDTHH:MM:SS [tomcat-exec-7  INFO  com.vmware.certificatemanagement.impl.SSLCertificate  opId=] The provided MACHINE_SSL certificate and provided key are valid
    YYYY-MM-DDTHH:MM:SS [tomcat-exec-7  INFO  com.vmware.certificatemanagement.impl.SSLCertificate  opId=] Validating if the MACHINE_SSL Certificate is signed by the given root certificate ...
    YYYY-MM-DDTHH:MM:SS [tomcat-exec-7  ERROR com.vmware.certificatemanagement.impl.SSLCertificate  opId=] Error verifying the certificate: the trustAnchors parameter must be non-empty
    YYYY-MM-DDTHH:MM:SS [tomcat-exec-7  ERROR com.vmware.certificatemanagement.impl.SSLCertificate  opId=] Caught exception while validating the root certificate for the provided MACHINE_SSL certificate  : the trustAnchors parameter must be non-empty

Environment

vCenter Server 7.x

vCenter Server 8.x

Cause

This issue is caused by an invalid CA certificate chain being provided during the certificate replacement.

For example, the Machine SSL certificate itself is loaded in the "Chain of trusted root certificates" field instead of the actual root and intermediate CA certificates, so the validator has no trust anchor to verify against.

Resolution

To resolve the issue, create a certificate chain file containing the intermediate and root CA certificates and load that file in the certificate replacement wizard for the option "Chain of trusted root certificates".

The following steps create the CA chain from a local desktop when the certificate is signed by a third-party CA:

  • Export each intermediate and root CA certificate from the Certificate Path
    • Open the Machine SSL certificate of vCenter Server on the local Windows desktop
    • Click the Certificate Path tab, select the CA certificate to export and click View Certificate
    • A new window opens for the CA certificate selected from the Certificate Path
    • Select the Details tab of the CA certificate and click Copy to File
    • Click Next in the new window to export the certificate
    • Select Base-64 encoded X.509 (.CER)
    • Enter the file name for the exported CA certificate and click Next
    • Click Finish to save the certificate
  • Create a file containing the chain of intermediate and root CA certificates, where the intermediate comes first, followed by the root CA (sample structure below):

    -----BEGIN CERTIFICATE-----
    .
    Intermediate Certificate
    .
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    .
    Root Certificate
    .
    -----END CERTIFICATE-----

Note: Copy the PEM file to vCenter and validate its contents (subject, issuer, validity dates and fingerprint of every certificate in the file) using this command:

vcsa# while openssl x509 -noout -text -fingerprint | grep -i "subject\|issuer\|not\|fingerprint"; do :; done < certchainfilename.pem

Prior to replacing the certificate, import the CAs individually into the vCenter Trusted Roots.

When replacing the certificate in the UI, you can also paste the certificate contents into the correct boxes instead of browsing for the files.

Additional Information

How to check that the private key, CSR and certificate match. If the sha256 hashes of the moduli do not match, certificate replacement will fail.

To view the sha256 hash of the modulus of the private key:

# openssl rsa -noout -modulus -in privkey_filename.key | openssl sha256
Example output: (stdin)= ########2259

To view the sha256 hash of the modulus of the CSR:

# openssl req -noout -modulus -in csr_filename.csr | openssl sha256
Example output: (stdin)= ########2259

To view the sha256 hash of the modulus of the certificate:

# openssl x509 -noout -modulus -in m_ssl_filename.cer | openssl sha256
Example output: (stdin)= ########2259

All three hashes must be identical.
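The following Go program is an added example, not code from this article or from VMware: it reproduces, with the standard library's crypto/x509 package instead of the openssl commands above, the two checks this article asks for. CheckChainOrder enforces the chain-file layout from the Resolution section (only CA certificates, intermediate first, self-signed root last), VerifyMachineSSL then validates the Machine SSL certificate against a trust anchor taken only from that chain file (so loading the leaf itself as the chain fails, which is the cause described above), and KeyMatchesCert is the modulus comparison from Additional Information done by comparing public keys directly. The CA names, the hostname vcenter.example.test and the Issue helper that generates a throwaway ECDSA PKI are constructed for the example; none of them are vCenter's own material.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Material bundles a certificate, its private key and its PEM encoding.
type Material struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
	PEM  []byte
}

// Issue builds a constructed test certificate for cn, self-signed when parent is nil.
// This is sample PKI material made for the example, not vCenter's own certificates.
func Issue(cn string, isCA bool, parent *Material) Material {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	parentCert, signer := tmpl, key // self-signed unless a parent is supplied
	if parent != nil {
		parentCert, signer = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return Material{cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})}
}

// SplitChain parses the PEM blocks of a chain file in file order; every block must be a certificate.
func SplitChain(data []byte) ([]*x509.Certificate, error) {
	var certs []*x509.Certificate
	for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("PEM block %d is not a certificate: %v", len(certs), err)
		}
		certs = append(certs, c)
	}
	if len(certs) == 0 {
		return nil, fmt.Errorf("no PEM certificate blocks found")
	}
	return certs, nil
}

// CheckChainOrder enforces the layout the article asks for: only CA certificates,
// each entry signed by the one after it, and the last entry a self-signed root.
func CheckChainOrder(chain []*x509.Certificate) error {
	for i, c := range chain {
		if !c.IsCA {
			return fmt.Errorf("entry %d (%s) is not a CA; was the Machine SSL certificate loaded as the chain?", i, c.Subject.CommonName)
		}
		issuer := c // the last entry must validate itself (self-signed root)
		if i < len(chain)-1 {
			issuer = chain[i+1]
		}
		if err := c.CheckSignatureFrom(issuer); err != nil {
			return fmt.Errorf("entry %d (%s) is not signed by %s: %v", i, c.Subject.CommonName, issuer.Subject.CommonName, err)
		}
	}
	return nil
}

// VerifyMachineSSL mirrors the wizard's check: the leaf must chain to a trust anchor
// taken from the chain file alone, so a file without a real root cannot pass.
func VerifyMachineSSL(leaf *x509.Certificate, chainPEM []byte) error {
	chain, err := SplitChain(chainPEM)
	if err == nil {
		err = CheckChainOrder(chain)
	}
	if err != nil {
		return err
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(chain[len(chain)-1]) // the chain's last entry is the only trust anchor
	for _, c := range chain[:len(chain)-1] {
		inters.AddCert(c)
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err
}

// KeyMatchesCert is the "compare the modulus hashes" check, done by comparing public keys
// (works for RSA and ECDSA keys alike).
func KeyMatchesCert(key crypto.Signer, cert *x509.Certificate) bool {
	pub, ok := cert.PublicKey.(interface{ Equal(crypto.PublicKey) bool })
	return ok && pub.Equal(key.Public())
}

func main() {
	root := Issue("Demo Root CA", true, nil)
	inter := Issue("Demo Issuing CA", true, &root)
	leaf := Issue("vcenter.example.test", false, &inter)
	good := append(append([]byte{}, inter.PEM...), root.PEM...)
	fmt.Println("intermediate+root chain:", VerifyMachineSSL(leaf.Cert, good))
	fmt.Println("leaf loaded as chain:   ", VerifyMachineSSL(leaf.Cert, leaf.PEM))
	fmt.Println("key matches certificate:", KeyMatchesCert(leaf.Key, leaf.Cert))
}
```

Running it prints a nil error for the intermediate-then-root chain, an "is not a CA" error when the Machine SSL certificate is supplied as the chain, and true for the key/certificate match. To check a real chain file before uploading it, replace the constructed material with the output of SplitChain over the file's bytes and the parsed Machine SSL certificate; the root-first and intermediate-only mistakes are rejected by CheckChainOrder for the same reason the wizard rejects them: there is no usable trust anchor at the end of the chain.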