Customers may encounter SSL Trust Mismatch errors when attempting to connect to ADFS LDAPS from their Virtual Center Server Appliance (VCSA). This issue is often due to an expired certificate or a mismatched trust anchor on the VCSA system.

They may observe the following error when attempting to update the certificate via CLI manually:

/usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert /fix/ssoamica.crt --chain

The command fails with an invalid parameter Error:

dir-cli failed. Error 87: Operation failed with error ERROR_INVALID_PARAMETER (87)

You may also observe the following error (despite the certificate being valid) when attempting to renew the ADFS cert via the UI in the Certificate Management > "Trusted Root Certificate" section:

"Error occurred while adding trusted root certificates: com.vmware.vapi.std.errors. Error, create trusted root chain failed: Certificate bearing subject... is not a valid CA certificate. Please retry with a valid certificate chain"

VMware vSphere 7.x

VMware vSphere 8.x

The root cause of SSL Trust Mismatch errors is typically either an expired certificate or incorrectly configured chain elements. When these issues are present, attempts to add new root certificates via the UI will not resolve the problem because the underlying certificate chain remains incomplete or incorrect.

It may be due to an SSL Trust Anchor Mismatch as well (you may observe a similar error when using vCert).

Check ADFS LDAPS certificates
-----------------------------------------------------------------
Certificate 1                                             EXPIRED
Certificate 2                                               VALID

Checking SSL Trust Anchors
-----------------------------------------------------------------
<VCSA FQDN>                                       MISMATCH
<VCSA FQDN>                                          VALID

To resolve SSL Trust Mismatch errors caused by expired certificates and misconfigured trust anchors:

1. Download Certificates : Manually download each certificate in the trusted CA chain as a Base64 .crt file.
2. Publish Certificates on VCSA : Use the following commands to publish the certificates:

   1. /usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert /path/to/file1.crt --chain
      /usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert /path/to/file2.crt --chain
      /usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert /path/to/file3.crt --chain

3. Force Refresh : After publishing the certificates, force a refresh to ensure the system recognizes the new trusted certificates:

   1. /usr/lib/vmware-vmafd/bin/vecs-cli force-refresh

• Ensure that each certificate is downloaded in the correct order and contains all necessary intermediate certificates.
• Verify that the chain elements are correctly installed by listing the entries under the trusted roots store:

  • /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store trusted_roots --text