vCenter does not identify a root CA certificate as a valid CA

Article ID: 384465

Updated On: 12-22-2024

Products

VMware vCenter Server

Issue/Introduction

  • Machine SSL certificate replacement with a custom certificate fails on the vCenter.
  • When trying to publish the root CA certificate to the trusted root store, the command fails with the following error:

      # /usr/lib/vmware-vmafd/bin/dir-cli trusted cert publish --cert root.cer
      Error:
      The following certificate bearing subject [C=, ST=, L=, O=, OU=, CN=], is not a valid CA certificate
      You can only publish a chain of valid CA certificates
      dir-cli failed. Error 1023: Invalid CA certificate

Environment

  • vCenter 8.x
  • vCenter 7.x

Cause

  • If the root CA certificate does not have a Key Usage extension, vCenter will not identify it as a valid CA certificate.
  • Key Usage is an X.509 certificate extension that defines the specific purposes for which the public key in the certificate may be used; it is what ensures the certificate is used correctly in cryptographic operations.
  • For a root CA certificate, if the Key Usage extension is missing or does not include Certificate Sign, the certificate is not considered a valid root CA certificate, because it cannot be used to sign other certificates, which is its primary role.
  • Note:
    • Older vCenter 7.x builds did not enforce this check, so an old root certificate without the Key Usage field may still be working on a 7.x vCenter.
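As an added example (not part of this KB article), the following shell pre-check inspects a root CA certificate for the Key Usage extension and the Certificate Sign usage before the file is handed to dir-cli. It assumes the openssl CLI is available, as it is on the vCenter Server Appliance; the file name root.cer is the one from the Issue section.

```shell
#!/bin/sh
# Added pre-check (not from the KB): confirm a root CA certificate carries the
# Key Usage extension that dir-cli requires before running
# "dir-cli trusted cert publish --cert root.cer". Assumes the openssl CLI,
# which the vCenter Server Appliance ships.

# check_root_ca FILE
#   returns 0 if FILE has a Key Usage extension that includes Certificate Sign
#   returns 1 if Key Usage is absent or lacks Certificate Sign
#   returns 2 if FILE cannot be parsed as a PEM or DER X.509 certificate
check_root_ca() {
    cert="$1"
    # Try PEM first, then DER (.cer files exported from Windows CAs are often DER).
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) \
      || text=$(openssl x509 -in "$cert" -inform DER -noout -text 2>/dev/null) \
      || { echo "$cert: not a readable X.509 certificate" >&2; return 2; }

    subject=$(printf '%s\n' "$text" | awk -F'Subject: ' '/Subject:/ {print $2; exit}')
    # "openssl x509 -text" prints the usages on the line after the extension header.
    ku=$(printf '%s\n' "$text" | awk '/X509v3 Key Usage/ {getline; sub(/^ +/, ""); print; exit}')

    if [ -z "$ku" ]; then
        echo "$subject: no Key Usage extension; vCenter will not accept it as a CA" >&2
        return 1
    fi
    case "$ku" in
        *"Certificate Sign"*)
            echo "$subject: Key Usage = $ku (acceptable for a root CA)"
            return 0 ;;
        *)
            echo "$subject: Key Usage lacks Certificate Sign ($ku)" >&2
            return 1 ;;
    esac
}

# Run against the file given on the command line, e.g. ./check_root_ca.sh root.cer
if [ "$#" -gt 0 ]; then
    check_root_ca "$1"
fi
```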

Resolution

Obtain a root CA certificate that includes the Key Usage extension (with Certificate Sign) and publish that certificate instead.

Refer to the certificate requirements documentation: https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/8-0/vsphere-authentication-8-0/vsphere-security-certificates-authentication/certificate-requirements-for-different-solution-paths-authentication.html