Unable to add vCenter in Usage Meter

Article ID: 380245


Products

VMware Usage Meter

Issue/Introduction

Unable to add vCenter in Usage Meter. Error: Connection error for xxxx.xxxx.xxx: certificate_unknown(46) error.

Environment

Usage Meter 4.8

Cause

OpenSSL verification of the vCenter certificate fails when the certificate is retrieved using the following command:

openssl s_client -showcerts -connect vCenter_fqdn:443

NOTE: The issuer of the intermediate certificate must be the same as the subject of the root certificate.

Intermediate certificate:
0 s:C = x, ST = x, L = x, O = x, OU = x, CN = x
  i:DC = x, DC = x, DC = x, DC = x, CN = x

Root certificate:
1 s:C = xx, O = xx, CN = xx
  i:C = xx, O = xx, CN = xx

The issuer of the intermediate certificate:
i:DC = x, DC = x, DC = x, DC = x, CN = x

does not match the subject of the root certificate:
s:C = xx, O = xx, CN = xx
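
The issuer/subject comparison above can be scripted. The following is an added example, not part of the original article or any VMware tooling: a hypothetical shell function, `check_chain_links`, reads `openssl s_client -showcerts` output and flags any certificate whose issuer does not match the next certificate's subject. The two sample chains are constructed for illustration.

```shell
#!/bin/sh
# Reads `openssl s_client -showcerts` output on stdin and checks that the issuer
# (i:) of each certificate equals the subject (s:) of the next one in the chain.
# Names are compared as printed text. Returns 0 if linked, 1 on mismatch, 2 if empty.
check_chain_links() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    # Subject line, e.g. " 0 s:C = x, O = x, CN = x"
    /^[ \t]*[0-9]+[ \t]+s:/ { sub(/^[ \t]*[0-9]+[ \t]+s:/, ""); subj[n++] = trim($0); next }
    # Issuer line that follows it, e.g. "   i:C = x, O = x, CN = x"
    /^[ \t]*i:/ && n > 0 { sub(/^[ \t]*i:/, ""); iss[n - 1] = trim($0); next }
    END {
        if (n == 0) { print "no certificate chain found in input"; exit 2 }
        bad = 0
        for (k = 0; k + 1 < n; k++) {
            if (iss[k] == subj[k + 1]) {
                printf "OK       cert %d issuer matches cert %d subject\n", k, k + 1
            } else {
                printf "MISMATCH cert %d issuer  [%s]\n", k, iss[k]
                printf "         cert %d subject [%s]\n", k + 1, subj[k + 1]
                bad = 1
            }
        }
        # The last certificate sent is a root only if it is self-issued.
        if (iss[n - 1] == subj[n - 1]) {
            printf "OK       cert %d is self-issued (root)\n", n - 1
        } else {
            printf "NOTE     cert %d is not self-issued; no root in the sent chain\n", n - 1
        }
        exit bad
    }'
}

# Constructed sample input shaped like the chain in this article (not real data).
BROKEN_CHAIN='Certificate chain
 0 s:C = US, O = Example, CN = issuing-ca.example.test
   i:DC = test, DC = example, CN = Example AD Root
 1 s:C = US, O = Example, CN = Example Root CA
   i:C = US, O = Example, CN = Example Root CA'
GOOD_CHAIN='Certificate chain
 0 s:C = US, O = Example, CN = issuing-ca.example.test
   i:C = US, O = Example, CN = Example Root CA
 1 s:C = US, O = Example, CN = Example Root CA
   i:C = US, O = Example, CN = Example Root CA'

# Demo: the broken sample reports a mismatch on cert 0 and returns 1.
printf '%s\n' "$BROKEN_CHAIN" | check_chain_links || echo "chain is not linked correctly"
```

To check a live system, pipe the article's command into the function: `openssl s_client -showcerts -connect vCenter_fqdn:443 </dev/null | check_chain_links`.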

Resolution

Regenerate the vCenter certificate chain so that it is valid; the vCenter instance can then be added for metering in Usage Meter.

Additional Information

Usage Meter (UM) strictly follows RFC 5280: Internet X.509 Public Key Infrastructure Certificate and CRL Profile.
Specifically:

Section 6.1.3 (Basic Certificate Processing):
When validating a certificate chain, each certificate must be checked to ensure that the issuer field of the current certificate matches the subject field of its parent certificate. Any mismatch indicates an invalid chain of trust.
 
Section 4.1.2.4 (Issuer Name):
The issuer field in a certificate identifies the entity that signed and issued the certificate. This must align with the subject field of the certificate immediately preceding it in the chain.
 
General Trust Validation Requirements:
The root certificate (the trust anchor) must be self-signed and serve as the starting point for verification. All subsequent certificates must form an unbroken chain of trust back to the root.

Reference: RFC 5280: Internet X.509 Public Key Infrastructure Certificate and CRL Profile (https://datatracker.ietf.org/doc/html/rfc5280). See Sections 4.1 and 6.1 for details on certificate chain validation.