Unable to push CA certificates and CRLs to host: Certificate uses weak RSA/DSA pkey (length=1024)
Article ID: 379387
Products
VMware vSphere ESXi
Issue/Introduction
After upgrading to vCenter Server 8.0.3, HA-enabled clusters fail to configure, and only the primary HA host remains active.
HA-enabled clusters start to show the following warning: "Insufficient configured resources to satisfy the desired vSphere HA failover level on the cluster"
Updating the CA certificates on one or more ESXi hosts fails with:
"A general system error occurred: Unable to push CA certificates and CRLs to host"
Messages in hostd.log indicate:
Hostd[2098945]: [Originator@6876 sub=Vimsvc.TaskManager opID=WorkQueue-########-#### sid=######## user=vpxuser] Task Created : haTask--vim.host.CertificateManager.replaceCACertificatesAndCRLs-2111
This is caused by a change to vSphere HA in version 8.0U3, which now validates the certificates it uses.
Resolution
In addition to requiring certificates signed with SHA256, the certificate's key must be 2048 bits or longer. Regenerate, and then remove from the vCenter TRUSTED_ROOTS store, any certificate that uses a weak digest algorithm or a 1024-bit key.
List the certificates in TRUSTED_ROOTS with vecs-cli:
/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS --text | less
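To make the review of that listing less error-prone, the following added script (not part of the KB article or a VMware tool) parses the --text output and reports only the entries that fail the 8.0U3 checks: a key shorter than 2048 bits or a signature digest weaker than SHA256. It assumes the per-entry certificate dump follows the openssl x509 -text layout; the sample input is constructed.

```python
import re

# Constructed sample of `vecs-cli entry list --store TRUSTED_ROOTS --text` output.
# The per-entry certificate dump is assumed to follow `openssl x509 -text` layout.
SAMPLE_VECS_TEXT = """\
Alias :\t0a1b2c3d4e5f60718293a4b5c6d7e8f9aabbccdd
Entry type :\tTrusted Cert
Certificate:
    Data:
        Signature Algorithm: sha1WithRSAEncryption
        Subject: CN=legacy-ca, DC=example, DC=local
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
Alias :\tffeeddccbbaa99887766554433221100ffeeddcc
Entry type :\tTrusted Cert
Certificate:
    Data:
        Signature Algorithm: sha256WithRSAEncryption
        Subject: CN=CA, DC=vsphere, DC=local
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
"""

MIN_KEY_BITS = 2048                                   # 8.0U3 rejects 1024-bit RSA/DSA keys
STRONG_DIGESTS = ("sha256", "sha384", "sha512")       # KB requires SHA256; stronger SHA-2 also passes

def find_weak_trusted_roots(text):
    """Return one finding per entry whose key length or signature digest is too weak."""
    findings = []
    # Every VECS entry begins with an "Alias :" line, so split on that boundary.
    for chunk in re.split(r"^Alias\s*:\s*", text, flags=re.M)[1:]:
        alias = chunk.split("\n", 1)[0].strip()
        key = re.search(r"Public-Key:\s*\((\d+) bit\)", chunk)
        sig = re.search(r"Signature Algorithm:\s*(\S+)", chunk)
        bits = int(key.group(1)) if key else 0            # unparsable key size counts as weak
        sig_alg = sig.group(1).lower() if sig else "unknown"
        reasons = []
        if bits < MIN_KEY_BITS:
            reasons.append(f"weak key ({bits} bit)")
        if not sig_alg.startswith(STRONG_DIGESTS):
            reasons.append(f"weak digest ({sig_alg})")
        if reasons:
            findings.append({"alias": alias, "key_bits": bits, "signature": sig_alg, "reasons": reasons})
    return findings

if __name__ == "__main__":
    # Real use: feed the saved vecs-cli --text output to find_weak_trusted_roots instead of the sample.
    for f in find_weak_trusted_roots(SAMPLE_VECS_TEXT):
        print(f"{f['alias']}: {', '.join(f['reasons'])}")
```

The reported alias is the value to compare against the listing before any entry is touched; the script only reads the listing and never modifies VECS.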
Proceed with EXTREME CAUTION. If the wrong certificate is un-published and removed from VECS, the resulting damage to the environment can be irreparable.
Be absolutely certain that the certificate you are removing is the correct one to remove.
Validate that the root certificate about to expire has been renewed, and that all certificates issued from this root have also been renewed or replaced, before un-publishing it.
Mandatory precaution:
Ensure that all Platform Services Controllers in the federated environment are shut down, and take a snapshot of all of them while they are powered off. They must be powered down so that no partial replication takes place during the snapshot operation. Power on all the PSCs when the snapshot operation is complete. Also take snapshots of the vCenter Server systems while they are powered off.
If a snapshot revert is required to recover from damage, revert all nodes to the same powered-off snapshot state to ensure replication data consistency.