Any attempt to publish a custom Machine SSL certificate in vCenter release 8u1 or later fails
CLI - Fails immediately at 0% with "failing to publish root certificate"
vSphere UI - Internal Server Error
/var/log/vmware/vsphere-ui/logs/vsphere_client_virgo.log
YYYY-MM-DDTHH:mm-ss [tomcat-exec-6 [] WARN com.vmware.vapi.internal.bindings.ApiMethodSkeleton opId=] Implementation method reported unexpected exception: com.vmware.vapi.std.errors.Error
com.vmware.vapi.std.errors.Error: Error (com.vmware.vapi.std.errors.error) => {
messages = [LocalizableMessage (com.vmware.vapi.std.localizable_message) => {
id = com.vmware.certificatemanagement.error,
defaultMessage = Internal Server Error (Certificate bearing subject <CERTIFICATE_SUBJECT_INFO> is not a valid CA certificate. Please retry with a valid certificate chain),
args = [Certificate bearing subject <CERTIFICATE_SUBJECT_INFO>
is not a valid CA certificate. Please retry with a valid certificate chain],
params = <null>,
localized = <null>
}],
data = <null>,
errorType = ERROR
vCenter 8u1 & later
Beginning with vCenter 8u1, new deployments and custom certificate replacements are subject to a validation check for the 'Certificate Key Usage' attribute (the X.509 Key Usage extension) on the CA certificates in the chain.
If the Certificate Key Usage attribute is not present, the certificate is not accepted as a valid CA and the certificate replacement fails.
Present Certificate Key Usage attribute: [screenshot of a certificate whose Key Usage attribute is present]
Missing Certificate Key Usage attribute: [screenshot of a certificate whose Key Usage attribute is missing]
Certificates must meet the minimum requirements outlined in https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-authentication/GUID-DE49FBF5-E24A-462B-91DC-C4284D93F654.html
Engage your custom CA to obtain a valid certificate with the required attributes present, then retry the replacement
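The following shell script is an added pre-flight check for the condition described above; it is not VMware's code and is not part of this article. It splits a PEM chain file into individual certificates, treats every certificate with basicConstraints CA:TRUE as a CA, and reports any CA certificate whose Key Usage extension is absent or lacks the "Certificate Sign" (keyCertSign) bit. Checking specifically for keyCertSign is an assumption based on the usual X.509 requirement for CA certificates; the article only states that the Key Usage attribute must be present. The demo CAs, leaf certificate, subjects and file names are constructed inline so the script runs offline with only openssl, grep and awk available.

```shell
#!/bin/sh
# Added example (not VMware's code): check a PEM chain before handing it to
# vCenter 8u1+, which rejects a CA certificate that has no Key Usage attribute.
# Assumption: a CA certificate must carry keyUsage with keyCertSign.
# All subjects, file names and demo certificates below are constructed.

# cert_is_ca FILE -> 0 if the certificate has basicConstraints CA:TRUE
cert_is_ca() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

# cert_has_keycertsign FILE -> 0 if a Key Usage extension that includes
# "Certificate Sign" is present, 1 if it is absent or lacks that bit
cert_has_keycertsign() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'X509v3 Key Usage' | grep -q 'Certificate Sign'
}

# check_chain CHAIN.pem -> prints one line per certificate and returns the
# number of CA certificates vCenter would reject (0 means the chain passes)
check_chain() {
    chain="$1"
    work=$(mktemp -d)
    # split the bundle into cert1.pem, cert2.pem, ... (text before the first
    # BEGIN line, such as bag attributes, is dropped)
    awk -v dir="$work" '/-----BEGIN CERTIFICATE-----/{n++}
        n>0 {print > (dir "/cert" n ".pem")}' "$chain"
    bad=0
    for f in "$work"/cert*.pem; do
        subject=$(openssl x509 -in "$f" -noout -subject)
        if ! cert_is_ca "$f"; then
            echo "leaf OK   $subject"
        elif cert_has_keycertsign "$f"; then
            echo "CA   OK   $subject"
        else
            echo "CA   FAIL $subject (no Key Usage / keyCertSign; vCenter 8u1+ rejects it)"
            bad=$((bad + 1))
        fi
    done
    rm -rf "$work"
    return "$bad"
}

# make_demo_chain DIR -> writes DIR/good_chain.pem (leaf + CA with Key Usage)
# and DIR/bad_chain.pem (leaf + CA without any Key Usage extension).
# The leaf is self-signed here; only its extensions matter for the check.
make_demo_chain() {
    dir="$1"
    cat > "$dir/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Demo Root CA (constructed)
[ca_with_ku]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ca_without_ku]
basicConstraints = critical,CA:TRUE
[leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF
    for kind in with_ku without_ku; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -config "$dir/ext.cnf" -extensions "ca_$kind" \
            -keyout "$dir/ca_$kind.key" -out "$dir/ca_$kind.pem" >/dev/null 2>&1
    done
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$dir/ext.cnf" -extensions leaf -subj "/CN=vcenter.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.pem" >/dev/null 2>&1
    cat "$dir/leaf.pem" "$dir/ca_with_ku.pem" > "$dir/good_chain.pem"
    cat "$dir/leaf.pem" "$dir/ca_without_ku.pem" > "$dir/bad_chain.pem"
}

# Usage: sh check_chain.sh /path/to/chain.pem   (exit status = rejected CA count)
if [ "$#" -gt 0 ]; then
    check_chain "$1"
fi
```

Run it against the chain file you intend to upload (leaf first, then intermediates, then root); a non-zero exit status identifies which CA entry would trigger the "is not a valid CA certificate" error before the replacement is attempted.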