Customers may encounter SSL Trust Mismatch errors when attempting to connect to ADFS LDAPS from their vCenter Server Appliance (VCSA). This issue is often due to an expired certificate or a mismatched trust anchor on the VCSA system.
They may observe the following error when attempting to update the certificate manually via the CLI:
/usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert /fix/ssoamica.crt --chain
The command fails with an invalid parameter error:
dir-cli failed. Error 87: Operation failed with error ERROR_INVALID_PARAMETER (87)
You may also observe the following error (despite the certificate being valid) when attempting to renew the ADFS cert via the UI in the Certificate Management > "Trusted Root Certificate" section:
"Error occurred while adding trusted root certificates: com.vmware.vapi.std.errors.Error, create trusted root chain failed: Certificate bearing subject... is not a valid CA certificate. Please retry with a valid certificate chain"
VMware vSphere 7.x
VMware vSphere 8.x
The root cause of SSL Trust Mismatch errors is typically either an expired certificate or incorrectly configured chain elements. When these issues are present, attempts to add new root certificates via the UI will not resolve the problem because the underlying certificate chain remains incomplete or incorrect.
An SSL Trust Anchor Mismatch can cause it as well; vCert reports both conditions (an expired chain certificate and a mismatched trust anchor), for example:
Check ADFS LDAPS certificates
-----------------------------------------------------------------
Certificate 1 EXPIRED
Certificate 2 VALID
Checking SSL Trust Anchors
-----------------------------------------------------------------
<VCSA FQDN> MISMATCH
<VCSA FQDN> VALID
To resolve SSL Trust Mismatch errors caused by expired certificates and misconfigured trust anchors, publish the certificate files that make up the valid ADFS LDAPS chain from the VCSA shell:
/usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert /path/to/file1.crt --chain
/usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert /path/to/file2.crt --chain
/usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert /path/to/file3.crt --chain
Then force VECS to pick up the newly published trusted roots:
/usr/lib/vmware-vmafd/bin/vecs-cli force-refresh
Finally, list the trusted_roots store to confirm that the published certificates are present:
/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store trusted_roots --text
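Before running the publish commands, the chain files can be checked with the following script, an example added here rather than the KB's own tooling. It assumes openssl is on PATH and one certificate per file; the function names classify_cert, fingerprint and report_chain are hypothetical.

```shell
# Added pre-flight check, not part of the KB. Classifies each PEM certificate
# file the way vCert's "Check ADFS LDAPS certificates" step does (VALID/EXPIRED)
# and also flags files that are unreadable or not CA certificates, so a bad
# chain element is caught before "dir-cli trustedcert publish" is run.
# Assumes: openssl on PATH (present on a VCSA) and one certificate per file.

# classify_cert FILE -> prints VALID, EXPIRED, NOT_A_CA or UNREADABLE;
# returns 0 only for VALID
classify_cert() {
    file="$1"
    # A DER-encoded or otherwise malformed file is rejected here with a clear
    # reason instead of surfacing later as an opaque dir-cli error
    if ! openssl x509 -in "$file" -inform PEM -noout >/dev/null 2>&1; then
        echo "UNREADABLE"; return 1
    fi
    # A trusted root must carry basicConstraints CA:TRUE; the vSphere UI
    # refuses anything else as "not a valid CA certificate"
    if ! openssl x509 -in "$file" -noout -text 2>/dev/null \
            | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'; then
        echo "NOT_A_CA"; return 1
    fi
    # -checkend 0 fails when notAfter is already in the past
    if ! openssl x509 -in "$file" -noout -checkend 0 >/dev/null 2>&1; then
        echo "EXPIRED"; return 1
    fi
    echo "VALID"
}

# fingerprint FILE -> SHA-1 thumbprint, for comparison with the entries that
# "vecs-cli entry list --store trusted_roots --text" shows
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 2>/dev/null | sed 's/^.*=//'
}

# report_chain FILE... -> one line per file in vCert's style; returns nonzero
# if any file is not VALID, so the publish step can be skipped
report_chain() {
    n=0; bad=0
    for file in "$@"; do
        n=$((n + 1))
        status=$(classify_cert "$file") || bad=$((bad + 1))
        fp=$(fingerprint "$file")
        printf 'Certificate %d %s %s\n' "$n" "$status" "${fp:-n/a}"
    done
    [ "$bad" -eq 0 ]
}

# Usage: sh check_chain.sh /path/to/file1.crt /path/to/file2.crt /path/to/file3.crt
if [ "$#" -gt 0 ]; then report_chain "$@"; fi
```

Run it against the same files you intend to pass to dir-cli; a nonzero exit means at least one chain element would be rejected or is already expired.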