x509v3 extension "Subject Key Identifier" is missing when the Machine SSL Certificate is renewed via Certificate Management UI

Article ID: 383813

Updated On:

Products

VMware vCenter Server

Issue/Introduction

Navigate to vCenter UI -> Administration -> Certificate Management -> Machine SSL Certificate -> Actions -> Renew

The new certificate has the x509 extensions shown below. The "X509v3 Subject Key Identifier" extension is missing:

X509v3 extensions:
   X509v3 Subject Alternative Name:
        DNS:vc.test.local
   X509v3 Key Usage:
        Digital Signature, Key Encipherment, Key Agreement
   X509v3 Authority Key Identifier:
        keyid:9E:51:8A:25:B4:F6:17:FE:23:11:F4:59:A4:0C:7B:93:73:1A:A6:1C

Environment

vCenter 7.x
vCenter 8.x

Resolution

The Broadcom engineering team is aware of the issue, and it will be fixed in a future version.

Workaround:

Navigate to vCenter UI -> Administration -> Certificate Management -> Machine SSL Certificate -> Actions -> Import and Replace Certificate -> Replace with VMCA certificate

Refer to: https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/8-0/renew-all-certificates-from-the-psc-web-interface.html
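
To confirm whether a renewed certificate is affected, or that the VMCA replacement restored the extension, the extension listing can be checked mechanically. The Python below is an added example, not part of the original article or of any Broadcom tooling; it parses the text printed by `openssl x509 -noout -text`, and the function names and the key identifier in the second sample are constructed for illustration.

```python
# Constructed sample: the extension listing shown in this article
# (renewed certificate, Subject Key Identifier absent).
RENEWED = """\
X509v3 extensions:
   X509v3 Subject Alternative Name:
        DNS:vc.test.local
   X509v3 Key Usage:
        Digital Signature, Key Encipherment, Key Agreement
   X509v3 Authority Key Identifier:
        keyid:9E:51:8A:25:B4:F6:17:FE:23:11:F4:59:A4:0C:7B:93:73:1A:A6:1C
"""
# Constructed sample: same listing plus an SKI entry with a made-up value.
REPLACED = RENEWED + """\
   X509v3 Subject Key Identifier:
        00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
"""
# Extensions this check expects to find (assumption for this example).
EXPECTED = ("X509v3 Subject Key Identifier", "X509v3 Authority Key Identifier")

def indent(line):
    return len(line) - len(line.lstrip())

def parse_extensions(text):
    """Return {name: {"critical": bool, "values": [str]}} from openssl text."""
    exts, current = {}, None
    header_indent = name_indent = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if header_indent is None:            # skip everything before the block
            if line.strip() == "X509v3 extensions:":
                header_indent = indent(line)
            continue
        depth = indent(line)
        if depth <= header_indent:           # e.g. "Signature Algorithm:" ends it
            break
        if name_indent is None:
            name_indent = depth              # first entry fixes the name column
        if depth == name_indent:
            name, _, flag = line.strip().partition(":")
            current = exts.setdefault(
                name, {"critical": flag.strip() == "critical", "values": []})
        elif current is not None:            # deeper lines are values
            current["values"].append(line.strip())
    return exts

def missing_extensions(text, expected=EXPECTED):
    present = parse_extensions(text)
    return [name for name in expected if name not in present]

if __name__ == "__main__":
    for label, listing in (("renewed", RENEWED), ("replaced", REPLACED)):
        print(label, "missing:", missing_extensions(listing) or "none")
```

The same functions accept the full `openssl x509 -noout -text` output of any PEM certificate, since parsing starts at the "X509v3 extensions:" line and stops at the first line indented no deeper than it.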