Replacing custom Machine SSL cert fails with 'not a valid CA Certificate'
Article ID: 376867
Updated On:
Products
Issue/Introduction
Any attempts to publish a custom Machine SSL certificate in vCenter release 8u1 or later fails
CLI - Immediately fails0% failing to publish root certificate
vSphere UI - Internal Server Error
/var/log/vmware/vsphere-ui/logs/vsphere_client_virgo.log
YYYY-MM-DDTHH:mm-ss [tomcat-exec-6 [] WARN com.vmware.vapi.internal.bindings.ApiMethodSkeleton opId=] Implementation method reported unexpected exception: com.vmware.vapi.std.errors.Error
com.vmware.vapi.std.errors.Error: Error (com.vmware.vapi.std.errors.error) => {
messages = [LocalizableMessage (com.vmware.vapi.std.localizable_message) => {
id = com.vmware.certificatemanagement.error,
defaultMessage = Internal Server Error (Certificate bearing subject <CERTIFICATE_SUBJECT_INFO> is not a valid CA certificate. Please retry with a valid certificate chain),
args = [Certificate bearing subject <CERTIFICATE_SUBJECT_INFO>
is not a valid CA certificate. Please retry with a valid certificate chain],
params = <null>,
localized = <null>
}],
data = <null>,
errorType = ERROREnvironment
vCenter 8u1 & later
Cause
Beginning in vCenter 8u1 a validation check is observed in new deployments or attempting to replace custom certificates for a 'Certificate Key Usage' attribute.
If this Certificate KeyUsage attribute is not present the certificate will not be accepted as a valid CA & certificate replacement will fail
Present Certificate Key Usage attribute:
Missing Certificate Key Usage attribute:
Resolution
Certificates must meet the minimum requirements as outlined in https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/8-0/vsphere-authentication-8-0/vsphere-security-certificates-authentication/certificate-requirements-for-different-solution-paths-authentication.html
Engage with your Custom CA to obtain a valid certificate with the required attributes present
Feedback
