Adding a Standard Key Provider to vCenter Server from the vSphere Client fails with a Vim.fault.DatabaseError



Article ID: 386687


Products

VMware vCenter Server 8.0

Issue/Introduction

When attempting to add a Standard Key Provider to vCenter Server using the vSphere Client, the operation fails with the error: Vim.fault.DatabaseError.

This issue occurs when the certificate supplied for the key provider (the KMS client or server certificate) does not meet the certificate requirements that vCenter Server enforces starting with vCenter 8.0 Update 1c.

Environment

vCenter Server 8.0 Update 1c and later

Cause

Starting with vCenter 8.0 Update 1c, vCenter Server enforces stricter certificate requirements for cryptographic operations. Only RSA certificates with SHA-2 digital signature algorithms are supported. Certificates using unsupported algorithms will result in the failure of the operation.

In the vmafdd.log file, the following error is recorded:

[ERROR] Certificate uses an unsupported signature algorithm (NID=ecdsa-with-SHA256). Only SHA-2 RSA algorithms are supported on the vCenter Server.  

This indicates that the provided certificate is signed with an algorithm other than RSA with a SHA-2 digest. In the example above the certificate is ECDSA-signed (ecdsa-with-SHA256), which vCenter Server rejects even though the digest itself is SHA-256.

Resolution

To resolve the issue:

  1. Ensure that the certificate being used for the Standard Key Provider or KMS configuration is an RSA certificate with a SHA-2 digital signature algorithm.
  2. Replace any existing certificates that use unsupported algorithms.
  3. Retry adding the Standard Key Provider to vCenter Server.
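The following script is an added example, not part of this article or of any VMware tool. It covers step 1 of the resolution and the log message in the Cause section: it reads a certificate (PEM or DER), pulls the signatureAlgorithm and SubjectPublicKeyInfo algorithm OIDs out of the X.509 structure with a small DER walker, and reports whether the signature algorithm is one of the SHA-2 RSA (PKCS#1 v1.5) algorithms. Assumptions: the accepted set is inferred from the wording of the vmafdd.log error, so anything not in that set (SHA-1 RSA, ECDSA, RSASSA-PSS) is reported as not accepted; the certificates it builds for its own demonstration are constructed, unsigned stand-ins, not real certificates.

```python
"""Check an X.509 certificate's signature algorithm against the
"SHA-2 RSA only" rule described in the vmafdd.log error (added example)."""
import base64
import re
import sys

# Dotted OID -> (name, accepted). Accepted = PKCS#1 v1.5 RSA with a SHA-2 digest;
# this set is an assumption drawn from the error text, not a VMware-published list.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", False),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", True),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", True),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", True),
    "1.2.840.113549.1.1.14": ("sha224WithRSAEncryption", True),
    "1.2.840.113549.1.1.10": ("rsassaPss", False),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", False),
    "1.2.840.10045.4.3.4": ("ecdsa-with-SHA512", False),
}
KEY_OIDS = {"1.2.840.113549.1.1.1": "rsaEncryption", "1.2.840.10045.2.1": "id-ecPublicKey"}


def der_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits give the byte count of the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out


def decode_oid(value):
    """Decode OID contents (without tag/length) to dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def pem_to_der(text):
    body = re.sub(r"-----[^-]+-----", "", text)
    return base64.b64decode("".join(body.split()))


def inspect_certificate(cert):
    """Return (signature_algorithm, key_algorithm, accepted) for PEM text or DER bytes."""
    raw = pem_to_der(cert) if isinstance(cert, str) else cert
    _, body, _ = der_tlv(raw)                        # Certificate ::= SEQUENCE
    tbs, sig_alg, _sig = der_children(body)          # tbsCertificate, signatureAlgorithm, signatureValue
    sig_oid = decode_oid(der_children(sig_alg[1])[0][1])
    fields = der_children(tbs[1])
    if fields[0][0] == 0xA0:                         # optional [0] EXPLICIT version
        fields = fields[1:]
    spki = fields[5]                                 # serial, signature, issuer, validity, subject, spki
    key_alg = der_children(spki[1])[0]               # AlgorithmIdentifier inside SubjectPublicKeyInfo
    key_oid = decode_oid(der_children(key_alg[1])[0][1])
    sig_name, accepted = SIGNATURE_OIDS.get(sig_oid, (sig_oid, False))
    return sig_name, KEY_OIDS.get(key_oid, key_oid), accepted


# --- constructed test data below: minimal unsigned stand-ins, not real certificates ---
def der_encode(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        body += bytes(reversed(chunk))
    return der_encode(0x06, body)


def build_test_cert(sig_oid, key_oid):
    """Build a structurally parseable, unsigned certificate for the given algorithm OIDs."""
    alg = lambda oid: der_encode(0x30, encode_oid(oid) + der_encode(0x05, b""))
    tbs = der_encode(0x30, der_encode(0xA0, der_encode(0x02, b"\x02")) + der_encode(0x02, b"\x01")
                     + alg(sig_oid) + der_encode(0x30, b"") + der_encode(0x30, b"")
                     + der_encode(0x30, b"") + der_encode(0x30, alg(key_oid) + der_encode(0x03, b"\x00")))
    return der_encode(0x30, tbs + alg(sig_oid) + der_encode(0x03, b"\x00"))


def to_pem(der_bytes):
    b64 = base64.b64encode(der_bytes).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    # Usage: python check_cert.py kms.pem ; without an argument, inspect the constructed ECDSA stand-in.
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else \
        to_pem(build_test_cert("1.2.840.10045.4.3.2", "1.2.840.10045.2.1"))
    sig, key, ok = inspect_certificate(pem)
    print(f"signature={sig} key={key} accepted={ok}")
```

Run it against the certificate you are about to upload for the key provider; a result with accepted=False (for example ecdsa-with-SHA256 on an id-ecPublicKey, the case in the log line above) means the certificate must be reissued from an RSA key with a SHA-2 signature before step 3 will succeed. The same fields can be read with OpenSSL: `openssl x509 -in kms.pem -noout -text` prints "Signature Algorithm" and "Public Key Algorithm".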

Additional Information