Machine SSL Certificate Replacement using vSphere Client fails with error "the trustAnchors parameter must be non-empty"

Article ID: 376816

Products

VMware vCenter Server

Issue/Introduction

  • Replacing the Machine SSL certificate on vCenter Server using "Replace with external CA certificate (requires private key)" fails with the error "the trustAnchors parameter must be non-empty" in the vSphere Client.

  • The Certificate Management log file "/var/log/vmware/certificatemanagement/certificatemanagement-svcs.log" shows the following error snippet:

    YYYY-MM-DDTHH:MM:SS [tomcat-exec-7  INFO  com.vmware.certificatemanagement.impl.SSLCertificate  opId=] Validating the private key with the provided certificate
    YYYY-MM-DDTHH:MM:SS [tomcat-exec-7  INFO  com.vmware.certificatemanagement.impl.SSLCertificate  opId=] The provided MACHINE_SSL certificate and provided key are valid
    YYYY-MM-DDTHH:MM:SS [tomcat-exec-7  INFO  com.vmware.certificatemanagement.impl.SSLCertificate  opId=] Validating if the MACHINE_SSL Certificate is signed by the given root certificate ...
    YYYY-MM-DDTHH:MM:SS [tomcat-exec-7  ERROR com.vmware.certificatemanagement.impl.SSLCertificate  opId=] Error verifying the certificate: the trustAnchors parameter must be non-empty
    YYYY-MM-DDTHH:MM:SS [tomcat-exec-7  ERROR com.vmware.certificatemanagement.impl.SSLCertificate  opId=] Caught exception while validating the root certificate for the provided MACHINE_SSL certificate  : the trustAnchors parameter must be non-empty

Environment

vCenter Server 7.x

vCenter Server 8.x

Cause

This issue is caused by an invalid CA certificate chain being provided during the certificate replacement.

For example, the Machine SSL certificate itself is loaded in the "Chain of trusted root certificates" field instead of the actual root CA certificates.

Resolution

To resolve the issue, create a certificate chain file containing the intermediate and root CA certificates, and load that chain file in the certificate replacement wizard for the option "Chain of trusted root certificates".

The following steps create the CA chain from a local desktop when the certificate is signed by a third-party CA:

  • Export each intermediate and root CA certificate from the Certificate Path
    • Open the Machine SSL certificate of the vCenter Server from the local Windows desktop
    • Click the Certificate Path tab, select the CA certificate to export, and click View Certificate
    • A new window opens for the selected CA certificate from the Certificate Path
    • Select the Details tab of the CA certificate and click Copy to File
    • Click Next in the new window to export the certificate
    • Select Base-64 encoded X.509 (.CER)
    • Enter the filename for the exported CA certificate and click Next
    • Click Finish to save the certificate
  • Create a file containing the chain of intermediate and root CA certificates, with the intermediate certificate first, followed by the root CA (sample structure below)

    -----BEGIN CERTIFICATE-----
    .
    Intermediate Certificate
    .
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    .
    Root Certificate
    .
    -----END CERTIFICATE-----
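The chain file produced by these steps can be sanity-checked before it is uploaded in the wizard. The following Python script is an added example, not VMware code: using only the standard library, it reads the issuer and subject of each certificate straight from the DER and reports the mistakes described in the Cause section, such as the Machine SSL certificate being loaded as the chain, or the root placed before the intermediate. The fake_cert helper and the CA names it builds are constructed sample data, not real certificates.

```python
import base64, re

def pem_blocks(text):
    """DER bytes of every CERTIFICATE block in a Base-64 (.cer / PEM) file."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]

def _tlv(buf, pos):                # one DER tag/length at pos -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:              # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def names(der):
    """(issuer, subject) of one certificate as raw DER Name bytes, RFC 5280 field order."""
    pos = _tlv(der, _tlv(der, 0)[1])[1]        # Certificate -> tbsCertificate content
    if der[pos] == 0xA0:                        # optional [0] EXPLICIT version
        pos = _tlv(der, pos)[2]
    fields = []                                 # serial, sigAlg, issuer, validity, subject
    for _ in range(5):
        end = _tlv(der, pos)[2]
        fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def check_chain(chain_pem, machine_ssl_pem):
    """Problems with a 'Chain of trusted root certificates' file; [] means it is usable."""
    chain = [names(d) for d in pem_blocks(chain_pem)]
    leaf_issuer, leaf_subject = names(pem_blocks(machine_ssl_pem)[0])
    if not chain:
        return ["chain file contains no certificates"]
    problems = []
    if any(subj == leaf_subject for _, subj in chain):
        problems.append("Machine SSL certificate itself is in the chain file")
    if chain[0][1] != leaf_issuer:
        problems.append("first chain certificate is not the issuer of the Machine SSL certificate")
    if any(iss != nxt for (iss, _), (_, nxt) in zip(chain, chain[1:])):
        problems.append("wrong order: intermediate must come first, each followed by its issuer")
    if chain[-1][0] != chain[-1][1]:
        problems.append("last certificate is not a self-signed root CA")
    return problems

def _der(tag, *parts):             # short-form DER encoder, enough for the samples below
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body
def fake_cert(subject, issuer):    # constructed sample: UNSIGNED X.509 skeleton, not a real cert
    cn = lambda s: _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03"), _der(0x0C, s.encode()))))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")), _der(0x02, b"\x01"), _der(0x30, b""),
               cn(issuer), _der(0x30, b""), cn(subject))
    der = _der(0x30, tbs, _der(0x30, b""), _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()
```

For a real export, call check_chain with the contents of the chain file and of the Machine SSL certificate file; an empty list means the file holds the intermediate first and a self-signed root last, and does not contain the Machine SSL certificate.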