x509v3 extension "Subject Key Identifier" is missing when the Machine SSL Certificate is renewed via Certificate Management UI
Article ID: 383813

Updated On:

Products

VMware vCenter Server

Issue/Introduction

  • Renewing the certificate through vCenter UI > Administration > Certificate Management > Machine SSL Certificate > Actions > Renew creates a new certificate with X509v3 extensions.
  • The "X509v3 Subject Key Identifier" extension is missing:

X509v3 extensions:
   X509v3 Subject Alternative Name:
        DNS:vc.test.local
   X509v3 Key Usage:
        Digital Signature, Key Encipherment, Key Agreement
   X509v3 Authority Key Identifier:
        keyid:9E:51:8A:25:B4:F6:17:FE:23:11:F4:59:A4:0C:7B:93:73:1A:A6:1C

  • VDT error:

__MACHINE_CERT

[PASS]    Certificate Algorithm Check
[FAIL]    Certificate Trust Check
             This certificate does not have a subject key identifier (not compliant with RFC 5280)!
             Documentation:     See https://knowledge.broadcom.com/external/article?articleNumber=383813

Environment

7.x, 7.0.3, 7.0U3i, 8.x

Resolution

Resolved in vCenter Server 8.0 Update 3e.

Workaround:

Replace the certificate before upgrading from 7.x to 8.x.
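
To confirm whether a certificate carries the extension that VDT reports as missing, the following added example (not part of the original article and not VMware or Broadcom tooling) walks the certificate's DER structure with the Python standard library and looks for OID 2.5.29.14. The function names and the two sample certificates are assumptions made for illustration; the samples are constructed structural skeletons that mirror the extension list shown above, not real signed certificates.

```python
import ssl

SKI_OID = bytes.fromhex("551d0e")  # DER content of OID 2.5.29.14 (subjectKeyIdentifier)

def read_tlv(buf, pos):
    """Decode one DER element at pos; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(content):
    """Split the content of a constructed element into (tag, content) pairs."""
    pos, out = 0, []
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out

def extension_oids(cert_der):
    """Return the encoded extnID of every X509v3 extension in a DER certificate."""
    tbs = children(read_tlv(cert_der, 0)[1])[0][1]  # Certificate -> tbsCertificate
    oids = set()
    for tag, body in children(tbs):
        if tag == 0xA3:  # [3] EXPLICIT Extensions
            for _, ext in children(children(body)[0][1]):
                oids.add(children(ext)[0][1])  # extnID is the first field
    return oids

def has_ski(cert):
    """True if the certificate (DER bytes or PEM text) has a Subject Key Identifier."""
    der = ssl.PEM_cert_to_DER_cert(cert) if isinstance(cert, str) else cert
    return SKI_OID in extension_oids(der)

# Constructed sample: a structural skeleton, not a real signed certificate.
def tlv(tag, *parts):
    body = b"".join(parts)  # short-form length only, enough for this sample
    return bytes([tag, len(body)]) + body

def sample_cert(ext_oids):
    exts = [tlv(0x30, tlv(0x06, bytes.fromhex(o)), tlv(0x04, b"\x00")) for o in ext_oids]
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"),
              *[tlv(0x30)] * 5, tlv(0xA3, tlv(0x30, *exts)))
    return tlv(0x30, tbs, tlv(0x30), tlv(0x03, b"\x00"))
RENEWED = sample_cert(["551d11", "551d0f", "551d23"])             # SAN, Key Usage, AKI
REPLACED = sample_cert(["551d11", "551d0f", "551d0e", "551d23"])  # same, plus SKI
```

Passing the PEM text of an exported certificate to has_ski() runs the same check on a real certificate.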