Replacing custom Machine SSL cert fails with 'not a valid CA Certificate'


Article ID: 376867


Updated On:

Products

VMware vCenter Server

Issue/Introduction

Any attempt to publish a custom Machine SSL certificate in vCenter release 8u1 or later fails.

CLI - Immediately fails at 0%, failing to publish the root certificate

vSphere UI - Internal Server Error




/var/log/vmware/vsphere-ui/logs/vsphere_client_virgo.log

YYYY-MM-DDTHH:mm-ss [tomcat-exec-6 [] WARN  com.vmware.vapi.internal.bindings.ApiMethodSkeleton  opId=] Implementation method reported unexpected exception: com.vmware.vapi.std.errors.Error
com.vmware.vapi.std.errors.Error: Error (com.vmware.vapi.std.errors.error) => {
    messages = [LocalizableMessage (com.vmware.vapi.std.localizable_message) => {
    id = com.vmware.certificatemanagement.error,
    defaultMessage = Internal Server Error (Certificate bearing subject <CERTIFICATE_SUBJECT_INFO> is not a valid CA certificate. Please retry with a valid certificate chain),
    args = [Certificate bearing subject <CERTIFICATE_SUBJECT_INFO>
 is not a valid CA certificate. Please retry with a valid certificate chain],
    params = <null>,
    localized = <null>
}],
    data = <null>,
    errorType = ERROR

Environment

vCenter 8u1 & later

Cause

Beginning in vCenter 8u1, a validation check for the 'Certificate Key Usage' attribute is performed in new deployments and when attempting to replace custom certificates.


If this Certificate Key Usage attribute is not present, the certificate will not be accepted as a valid CA and certificate replacement will fail.
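
One way to check a chain for this condition before uploading it, as an added example that is not part of the original article or VMware tooling: the script splits a PEM bundle and reports, per certificate, whether it is a CA and whether the X509v3 Key Usage extension is present. It assumes the openssl CLI is available; `audit_chain` is a hypothetical helper name, and it checks only for the presence of the extension, since the article does not state which usage bits are required.

```sh
#!/bin/sh
# Added example (not from the KB article): audit a PEM chain file before upload.
# For each certificate, report whether it is a CA (Basic Constraints CA:TRUE)
# and whether the X509v3 Key Usage extension is present.
# Assumption: the openssl CLI is on PATH; audit_chain is a hypothetical helper name.

# audit_chain FILE
# Prints "<index> ca=<yes|no> keyusage=<present|missing> <subject>" per certificate.
# Returns 0 if every CA certificate carries Key Usage, 1 if one does not, 2 on error.
audit_chain() {
    chain=$1
    rc=0
    tmp=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%03d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$chain"
    i=0
    for pem in "$tmp"/cert*.pem; do
        if [ ! -e "$pem" ]; then
            echo "no certificates found in $chain" >&2; rc=2; break
        fi
        i=$((i + 1))
        text=$(openssl x509 -in "$pem" -noout -text) || { rc=2; break; }
        subject=$(openssl x509 -in "$pem" -noout -subject)
        ca=no; ku=missing
        case "$text" in *"CA:TRUE"*) ca=yes ;; esac
        # Match the full name: "X509v3 Extended Key Usage" is a different extension.
        case "$text" in *"X509v3 Key Usage:"*) ku=present ;; esac
        echo "$i ca=$ca keyusage=$ku $subject"
        if [ "$ca" = yes ] && [ "$ku" = missing ]; then rc=1; fi
    done
    rm -rf "$tmp"
    return "$rc"
}

# Usage: sh audit_chain.sh /path/to/chain.pem
if [ -n "${1:-}" ]; then audit_chain "$1"; fi
```

A line reading `ca=yes keyusage=missing` identifies the certificate in the chain that needs to be reissued by the CA.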


Present Certificate Key Usage attribute:



 Missing Certificate Key Usage attribute:





Resolution

Certificates must meet the minimum requirements as outlined in https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-authentication/GUID-DE49FBF5-E24A-462B-91DC-C4284D93F654.html

Engage with your Custom CA to obtain a valid certificate with the required attributes present.