Unable to add vCenter in Usage Meter
Article ID: 380245
Updated On:
Products
Issue/Introduction
Unable to add vCenter in Usage Meter. Error: Connection error for xxxx.xxxx.xxx: certificate_unknown(46) error.
Environment
Usage Meter 4.8
Cause
OpenSSL verification of the vCenter certificate failed when retrieved using the following command
openssl s_client -showcerts -connect vCenter_fqdn:443.
NOTE: The issuer of the intermediate certificate must be the same as the subject of the root certificate.
Intermediate certificate:
0 s:C = x, ST = x, L = x, O = x, OU = x, CN = x
i:DC = x, DC = x, DC = x, DC = x, CN = x
Root certificate:
1 s:C = xx, O = xx, CN = xx
i:C = xx, O = xx, CN = xx
The issuer of the intermediate certificate
i:DC = x, DC = x, DC = x, DC = x, CN = x
Does not match the subject of the root certificate:
s:C = xx, O = xx, CN = xx
Resolution
Regenerate the vCenter certificate chain in order to adequately add the vCenter instance for metering in the Usage Meter.
Additional Information
Specifically:
When validating a certificate chain, each certificate must be checked to ensure that the issuer field of the current certificate matches the subject field of its parent certificate. Any mismatch indicates an invalid chain of trust.
The issuer field in a certificate identifies the entity that signed and issued the certificate. This must align with the subject field of the certificate immediately preceding it in the chain.
The root certificate (the trust anchor) must self-sign and serve as the starting point for verification. All subsequent certificates must create an unbroken chain of trust back to the root.
(RFC 5280: Internet X.509 Public Key Infrastructure Certificate and CRL Profile
See Sections 4.1 and 6.1 for details on certificate chain validation. - https://datatracker.ietf.org/doc/html/rfc5280)
Feedback
