vCenter 8.0 Upgrade Fails Due to SHA1 Signature Algorithm in SMS Certificate
Article ID: 386667

Products

VMware vCenter Server 8.0

Issue/Introduction

A vCenter 8.0 upgrade fails with the following error message:

Support for certificates with weak signature algorithms has been removed in vCenter Server 8.0. The certificate with subject '/O=VMware/CN=SMS-XXXX' in VECS store SMS has weak signature algorithm sha1WithRSAEncryption.

Environment

VMware vCenter 8.x

Cause

The issue occurs because the SMS certificate used for communication with IOFilter VASA Providers is signed using the deprecated SHA1 algorithm (sha1WithRSAEncryption). vCenter 8.0 no longer supports certificates with weak signature algorithms like SHA1.

For more details, refer to KB 313460.

This can be verified by listing the certificates in VECS with the following command and inspecting its output:

for i in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list); do echo $i >>/var/core/VECSStoreFile_list; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $i --text >> /var/core/VECSStoreFile_list ; done;

Look for the following section in the output to check which "Signature Algorithm" is in use:

SMS
Number of entries in store :    2
Alias :    sms_self_signed
Entry type :    Private Key
Certificate:
    Data:
        Version: XX
        Serial Number: XXXX
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=VMware, CN=SMS-XXX
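An added example (not part of this KB) that automates the check above: it dumps each VECS store with the vecs-cli command the KB uses and flags entries whose signature algorithm is SHA-1 or MD5 based, which is what the vCenter 8.0 upgrade precheck rejects. The "Store: <name>" header line and the sample dump are this script's own constructions, not vecs-cli output.

```shell
#!/bin/sh
# Added example, not part of the KB: find VECS certificates signed with a weak
# algorithm (SHA-1/MD5), the condition the vCenter 8.0 upgrade precheck rejects.
# The "Store: <name>" header is this script's own convention, not vecs-cli output.
VECS_CLI=/usr/lib/vmware-vmafd/bin/vecs-cli   # path from the KB

# Dump every VECS store as text, each preceded by a "Store: <name>" line.
# Only works on a vCenter appliance; check_sample below uses a constructed dump.
dump_vecs_stores() {
    for store in $("$VECS_CLI" store list); do
        echo "Store: $store"
        "$VECS_CLI" entry list --store "$store" --text
    done
}

# Read a dump on stdin; print "<store> <alias> <algorithm>" once per weak entry
# (openssl prints "Signature Algorithm" twice per cert, so dedupe by store+alias).
# Exit status is 1 if any weak entry was found, 0 otherwise.
find_weak_sig_entries() {
    awk '
        /^Store: /  { store = $2; next }
        /^Alias :/  { alias = $NF; next }
        /^[[:space:]]*Signature Algorithm:/ {
            alg = $NF
            if (tolower(alg) ~ /(sha1|md5|md2)/) {
                key = store SUBSEP alias
                if (!(key in seen)) { seen[key] = 1; weak++; print store, alias, alg }
            }
        }
        END { exit (weak > 0) }
    '
}

# Constructed sample dump modelled on the KB output (subject is a placeholder)
SAMPLE_DUMP='Store: SMS
Number of entries in store :    2
Alias :    sms_self_signed
Entry type :    Private Key
Certificate:
    Data:
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=VMware, CN=SMS-PLACEHOLDER
    Signature Algorithm: sha1WithRSAEncryption
Store: MACHINE_SSL_CERT
Alias :    __MACHINE_CERT
Certificate:
        Signature Algorithm: sha256WithRSAEncryption
'
# On a real appliance: dump_vecs_stores | find_weak_sig_entries
check_sample() { printf '%s' "$SAMPLE_DUMP" | find_weak_sig_entries; }
```

Against the constructed sample, check_sample prints only the SMS self-signed entry and returns a non-zero status, so the function can gate an upgrade precheck script.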

Resolution

If the VASA providers are in an Online status, only the three steps below need to be performed. If they are Offline, additional steps may be needed to unregister and re-register them. For detailed steps on this process, refer to KB article 318150.

Before proceeding, take a snapshot and/or backup of the vCenter VM. In an ELM (Enhanced Linked Mode) deployment, ensure that offline snapshots of all nodes in the SSO domain are present.

  1. Stop the Storage Provider Service by running the following command: service-control --stop vmware-sps
  2. Delete the existing SMS self-signed certificate from VECS by running the command:
    /usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store sms --alias sms_self_signed
  3. Restart the Storage Provider Service: service-control --start vmware-sps

After this, wait for the SPS service to initialize and reach a health status of GREEN. This may take some time.

This will regenerate the SMS self-signed certificate with the sha256WithRSAEncryption signing algorithm. The new certificate will no longer use the insecure SHA1 algorithm.

Note: Regenerating the certificate will cause all storage providers to go offline temporarily, as the new certificate will not be trusted until it is re-registered. This can affect communication with VASA providers during this period. However, there is no functional impact unless VVOLs are in use within the environment.