Error Code 90023 While Renewing vCenter Server MACHINE_SSL_CERT Signed by Custom Certificate Authority

Article ID: 382416

Products

VMware vCenter Server

Issue/Introduction

  • When attempting to renew or replace a MACHINE_SSL_CERT signed by a Custom Certificate Authority on a vCenter Server, the process fails during the backup phase. This results in a Native Platform Error (code 90023). The following error message is observed:

Native platform error [code: 90023] Adding VecsEntryType.CERT_ENTRY_TYPE_PRIVATE_KEY entry into store 'BACKUP_STORE' failed

  • The /var/log/vmware/certificatemanagement/certificatemanagement-svcs.log file provides specific details regarding the failure:

[YYYY-MM-DDTHH:MM:SS][tomcat-exec-3 [] ERROR com.vmware.certificatemanagement.impl.tls.TlsReplace  opId=] TLS Certificate replacement failed : VecsException ouccured. Caught exceptionNative platform error [code: 90023][Native platform error [code: 90023][Adding VecsEntryType.CERT_ENTRY_TYPE_PRIVATE_KEY entry into store 'BACKUP_STORE' failed. [Server: __localhost__, User: __localuser__]]]

[YYYY-MM-DDTHH:MM:SS][pool-7-thread-1 [] INFO  com.vmware.certificatemanagement.impl.telemetry.TelemetryData  opId=] Attempting VAC stats push ....

[YYYY-MM-DDTHH:MM:SS][tomcat-exec-3 [] ERROR com.vmware.certificatemanagement.vapi.impl.TlsProviderImpl  opId=] Exception was thrown while executing set:
java.lang.Exception: VecsException ouccured. Caught exceptionNative platform error [code: 90023][Native platform error [code: 90023][Adding VecsEntryType.CERT_ENTRY_TYPE_PRIVATE_KEY entry into store 'BACKUP_STORE' failed. [Server: __localhost__, User: __localuser__]]]
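The log signature quoted above is what a triage or health-check script should key on. The following POSIX shell functions are an added example and are not part of this article: one pulls the native error code, the VECS entry type and the target store out of certificatemanagement-svcs.log lines, the other gives a yes/no answer suitable for monitoring. The sample lines are constructed from the excerpts above.

```shell
#!/bin/sh
# Added example (not from the KB article). Triage helper for
# /var/log/vmware/certificatemanagement/certificatemanagement-svcs.log.

# Print one "code|entry_type|store" line per distinct native platform error
# found on stdin. The nested "[Native platform error [code: N][Adding ...]]"
# text is matched with a basic regex; the quote characters around the store
# name are matched with "." so no shell quoting gymnastics are needed.
vecs_error_summary() {
    grep 'Native platform error' |
    sed -n 's/.*Native platform error \[code: \([0-9]*\)\].*Adding \([A-Za-z_.]*\) entry into store .\([A-Z_]*\). failed.*/\1|\2|\3/p' |
    sort -u
}

# Exit 0 when stdin contains the BACKUP_STORE write failure described in this
# article (any native error code), 1 otherwise. Usable from a health check:
#   has_backup_store_failure < certificatemanagement-svcs.log && alert
has_backup_store_failure() {
    grep -q 'Native platform error \[code: [0-9]*\].*entry into store .BACKUP_STORE. failed'
}

# Constructed sample: the lines quoted in the article, including the INFO line
# that must not match.
SAMPLE_LOG=$(cat <<'EOF'
[YYYY-MM-DDTHH:MM:SS][tomcat-exec-3 [] ERROR com.vmware.certificatemanagement.impl.tls.TlsReplace  opId=] TLS Certificate replacement failed : VecsException ouccured. Caught exceptionNative platform error [code: 90023][Native platform error [code: 90023][Adding VecsEntryType.CERT_ENTRY_TYPE_PRIVATE_KEY entry into store 'BACKUP_STORE' failed. [Server: __localhost__, User: __localuser__]]]
[YYYY-MM-DDTHH:MM:SS][pool-7-thread-1 [] INFO  com.vmware.certificatemanagement.impl.telemetry.TelemetryData  opId=] Attempting VAC stats push ....
[YYYY-MM-DDTHH:MM:SS][tomcat-exec-3 [] ERROR com.vmware.certificatemanagement.vapi.impl.TlsProviderImpl  opId=] Exception was thrown while executing set:
java.lang.Exception: VecsException ouccured. Caught exceptionNative platform error [code: 90023][Native platform error [code: 90023][Adding VecsEntryType.CERT_ENTRY_TYPE_PRIVATE_KEY entry into store 'BACKUP_STORE' failed. [Server: __localhost__, User: __localuser__]]]
EOF
)

# Stand-alone run: summarise the sample, then the live log if it is readable.
printf '%s\n' "$SAMPLE_LOG" | vecs_error_summary
LOG=/var/log/vmware/certificatemanagement/certificatemanagement-svcs.log
if [ -r "$LOG" ]; then
    if has_backup_store_failure < "$LOG"; then
        echo "BACKUP_STORE write failure present in $LOG:"
        vecs_error_summary < "$LOG"
    fi
fi
```

On the sample, `vecs_error_summary` prints a single line, `90023|VecsEntryType.CERT_ENTRY_TYPE_PRIVATE_KEY|BACKUP_STORE`, because the two ERROR lines carry the same nested message and `sort -u` collapses them; the store and entry-type fields tell you immediately that the backup phase, not the replacement itself, is what failed.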

Environment

  • VMware vCenter Server 8.x

Cause

  • The error is raised inside the VMware Endpoint Certificate Store (VECS): the service cannot write the existing private key entry into the 'BACKUP_STORE', the temporary store that archives the current certificate and key before they are replaced. This is often caused by stale, expired Certificate Signing Requests (CSRs) that block the entry, or by a mismatch between the private key and the certificate currently held in the MACHINE_SSL_CERT store.

Resolution

Note: The following steps modify the certificate infrastructure and are irreversible. Ensure a fresh file-based backup or snapshot of the vCenter Server is created before proceeding. If the vCenter Server is part of an Enhanced Linked Mode (ELM) group, offline (powered-off) snapshots must be taken for all nodes in the ELM replication setup at the same time, and any restore or rollback must also be performed across all nodes to maintain replication integrity. For additional details on ELM snapshots, refer to the article "VMware vCenter in Enhanced Linked Mode pre-changes snapshot (online or offline) best practice".

1. Replace the MACHINE_SSL_CERT with a VMCA-Signed Certificate

Initial troubleshooting requires resetting the certificate to a known good state using the VMware Certificate Authority (VMCA). This can be performed via the vSphere Client UI or the vCert tool.

2. Clear Expired Certificate Signing Requests (CSR)

Stale entries in the VECS store can interfere with backup operations. Locate and remove any expired CSRs from the MACHINE_SSL_CERT VECS store.

3. Re-apply the Custom Certificate Authority (CA) Signed Certificate

Once the store is cleared and the certificate has been reset to default, the custom CA-signed certificate can be reapplied through the vSphere UI or the vCert tool.
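Before step 2 it helps to know exactly which entries in the affected stores are stale, and whether the key/certificate mismatch named under Cause is present. The script below is an added example, not part of this article or of any VMware tool: it is a read-only audit that lists every entry in MACHINE_SSL_CERT and BACKUP_STORE with its certificate expiry, flags expired entries, and checks that the MACHINE_SSL_CERT private key matches its certificate. It deletes nothing; removal stays with the operator through the vSphere UI or vCert as the steps above describe. It assumes it runs as root on the vCenter Server Appliance, that vecs-cli is at /usr/lib/vmware-vmafd/bin/vecs-cli, that openssl is on PATH, and that `date -d` is GNU date (Photon OS); the `vecs_aliases` filter assumes `vecs-cli entry list` prints one `Alias : <name>` line per entry.

```shell
#!/bin/sh
# Added example, not part of the KB article: read-only audit of the two VECS
# stores involved in error 90023. Nothing is deleted.
# Assumptions: root on the vCenter Server Appliance, vecs-cli at the path
# below, openssl on PATH, GNU date (Photon OS) for "-d" parsing.

VECS_CLI=/usr/lib/vmware-vmafd/bin/vecs-cli

# Alias names from "vecs-cli entry list --store <store>" output on stdin.
# Pure text filter, so it can be exercised on constructed output off-box.
vecs_aliases() {
    sed -n 's/^Alias[[:space:]]*:[[:space:]]*//p'
}

# notAfter of the PEM certificate on stdin, as seconds since the epoch.
cert_not_after_epoch() {
    date -d "$(openssl x509 -noout -enddate | sed 's/^notAfter=//')" +%s
}

# is_expired NOW_EPOCH END_EPOCH: true when END is strictly in the past.
is_expired() {
    [ "$2" -lt "$1" ]
}

# SHA-256 of the DER public key, derived from a certificate or from a private
# key on stdin, so the two can be compared without printing key material.
cert_pubkey_sha256() {
    openssl x509 -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 | sed 's/.* //'
}
key_pubkey_sha256() {
    openssl pkey -pubout -outform DER | openssl dgst -sha256 | sed 's/.* //'
}

# One tab-separated line per entry: store, alias, notAfter (UTC), state.
# Entries without a certificate (key-only or CSR material) are reported as such.
audit_store() {
    store=$1
    now=$(date +%s)
    tmp=$(mktemp)   # mktemp defaults to mode 0600; removed below
    "$VECS_CLI" entry list --store "$store" | vecs_aliases | while read -r alias; do
        if "$VECS_CLI" entry getcert --store "$store" --alias "$alias" --output "$tmp" >/dev/null 2>&1 &&
           grep -q 'BEGIN CERTIFICATE' "$tmp"; then
            end=$(cert_not_after_epoch < "$tmp")
            if is_expired "$now" "$end"; then state=EXPIRED; else state=valid; fi
            printf '%s\t%s\t%s\t%s\n' "$store" "$alias" "$(date -u -d "@$end" +%Y-%m-%dT%H:%M:%SZ)" "$state"
        else
            printf '%s\t%s\t-\tno certificate (key-only or CSR entry)\n' "$store" "$alias"
        fi
    done
    rm -f "$tmp"
}

# Compare the public key inside the MACHINE_SSL_CERT certificate with the one
# derived from the stored private key. Returns 1 on mismatch or read failure.
check_machine_cert_key_match() {
    crt=$(mktemp); key=$(mktemp)
    "$VECS_CLI" entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output "$crt" >/dev/null 2>&1
    "$VECS_CLI" entry getkey  --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output "$key" >/dev/null 2>&1
    c=$(cert_pubkey_sha256 < "$crt" 2>/dev/null)
    k=$(key_pubkey_sha256 < "$key" 2>/dev/null)
    rm -f "$crt" "$key"
    if [ -n "$c" ] && [ "$c" = "$k" ]; then
        echo "MACHINE_SSL_CERT: private key matches certificate"
        return 0
    fi
    echo "MACHINE_SSL_CERT: private key does NOT match certificate (or entry unreadable)"
    return 1
}

# Run the live audit only where vecs-cli exists; elsewhere the pure filters
# above can still be exercised on constructed input.
if [ -x "$VECS_CLI" ]; then
    audit_store MACHINE_SSL_CERT
    audit_store BACKUP_STORE
    check_machine_cert_key_match
else
    echo "vecs-cli not found at $VECS_CLI; skipping live audit" >&2
fi
```

Read the output before touching anything: an EXPIRED row under MACHINE_SSL_CERT is the stale material step 2 refers to, a "does NOT match" result points at the second cause, and a leftover row under BACKUP_STORE shows what the failed backup phase had already written. Because the script only reads, it can be run again after steps 2 and 3 to confirm the stores are clean.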