Any attempt to publish a custom Machine SSL certificate in vCenter release 8u1 or later fails.
CLI - Immediately fails at 0% (failing to publish root certificate)
vSphere UI - Internal Server Error
/var/log/vmware/vsphere-ui/logs/vsphere_client_virgo.log
YYYY-MM-DDTHH:mm-ss [tomcat-exec-6 [] WARN com.vmware.vapi.internal.bindings.ApiMethodSkeleton opId=] Implementation method reported unexpected exception: com.vmware.vapi.std.errors.Error
com.vmware.vapi.std.errors.Error: Error (com.vmware.vapi.std.errors.error) => {
messages = [LocalizableMessage (com.vmware.vapi.std.localizable_message) => {
id = com.vmware.certificatemanagement.error,
defaultMessage = Internal Server Error (Certificate bearing subject <CERTIFICATE_SUBJECT_INFO> is not a valid CA certificate. Please retry with a valid certificate chain),
args = [Certificate bearing subject <CERTIFICATE_SUBJECT_INFO>
is not a valid CA certificate. Please retry with a valid certificate chain],
params = <null>,
localized = <null>
}],
data = <null>,
errorType = ERROR
vCenter 8u1 & later
Beginning in vCenter 8u1, a validation check of the 'Certificate Key Usage' attribute is performed on new deployments and when replacing custom certificates.
If the Certificate Key Usage attribute is not present, the certificate will not be accepted as a valid CA and certificate replacement will fail.
Present Certificate Key Usage attribute:
Missing Certificate Key Usage attribute:
Certificates must meet the minimum requirements as outlined in https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/8-0/vsphere-authentication-8-0/vsphere-security-certificates-authentication/certificate-requirements-for-different-solution-paths-authentication.html
Engage with your custom CA to obtain a valid certificate with the required attributes present.
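As an added pre-check before retrying the replacement (this script is not from the KB or from VMware), the following POSIX shell function splits a PEM chain and reports, per certificate, whether the X509v3 Key Usage extension that vCenter 8u1 validates is present; it goes one step beyond the KB's presence check by also requiring the Certificate Sign bit on any certificate marked CA:TRUE, which RFC 5280 requires of a signing CA that carries the extension. It assumes the openssl command-line tool is on PATH; the chain file is whatever you intend to publish.

```shell
#!/bin/sh
# Added example (not from the KB or VMware): report which certificates in a PEM chain
# carry the X509v3 Key Usage extension that vCenter 8u1+ requires before it accepts a CA.
# Assumes the openssl CLI is on PATH. Usage: sh check_ku.sh chain.pem

# Returns 0 when every certificate in the chain has a Key Usage extension and every
# CA certificate (CA:TRUE) also asserts Certificate Sign; returns 1 otherwise.
check_chain_key_usage() {
    chain="$1"
    tmpdir=$(mktemp -d) || return 2
    # Split the bundle into cert-0.pem, cert-1.pem, ... (one certificate per file)
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { out = sprintf("%s/cert-%d.pem", dir, n++) }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$chain"
    status=0
    for cert in "$tmpdir"/cert-*.pem; do
        [ -f "$cert" ] || continue
        subject=$(openssl x509 -in "$cert" -noout -subject)
        text=$(openssl x509 -in "$cert" -noout -text)
        # openssl prints the enabled bits on the line after the "X509v3 Key Usage" header
        usage=$(printf '%s\n' "$text" | awk '/X509v3 Key Usage/ { getline; sub(/^[ \t]+/, ""); print; exit }')
        if [ -z "$usage" ]; then
            echo "FAIL (no Key Usage extension): $subject"; status=1
        elif printf '%s\n' "$text" | grep -q 'CA:TRUE' && ! printf '%s\n' "$usage" | grep -q 'Certificate Sign'; then
            echo "FAIL (CA without Certificate Sign; has: $usage): $subject"; status=1
        else
            echo "OK   ($usage): $subject"
        fi
    done
    rm -rf "$tmpdir"
    return $status
}

if [ $# -gt 0 ]; then
    check_chain_key_usage "$1"
fi
```

A chain that produces any FAIL line will be rejected by the 8u1+ validation described above; fix it with the issuing CA before attempting to publish it again.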