VDT on vCenter server reports a FAIL status for Certificate Trust Check with error This certificate does not have a subject key identifier (not compliant with RFC 5280) !
Article ID: 393448
Updated On:
Products
VMware vCenter Server
Issue/Introduction
- Executing VDT on vCenter reports a FAIL status as below for Machine SSL and ROOT CA check - Refer Using the VCF Diagnostic Tool for vSphere (VDT)
Certificate Trust Check This certificate does not have a subject key identifier (not compliant with RFC 5280) ! - Renewing vCenter certificate using certificate-manager utility do not resolve the failure with ROOT CA Check on VDT report.
- Checking trusted roots in vCenter with below command shows the certificate without the Subject Key Identifier
/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS --textSample
Alias : 49cc#####################f7326e4 Entry type : Trusted Cert Certificate: Data: Version: 3 (0x2) Serial Number: c9:##:##:##:##:##:##:5b Signature Algorithm: sha256WithRSAEncryption Issuer: CN=CA, CN=vcenter01, dc=vsphere,dc=local, C=US Validity Not Before: Apr 20 23:44:33 2016 GMT Not After : Apr 18 23:44:33 2026 GMT Subject: CN=CA, CN=vcenter01, dc=vsphere,dc=local, C=US Subject Public Key Info: Public Key Algorithm: rsaEncryption
Cause
Stale certificate in vCenter TRUSTED_ROOTS with no Subject Key Identifier.
Resolution
To resolve the issue follow the steps in KB Removing CA Certificates from the TRUSTED_ROOTS store in the VMware Endpoint Certificate Store(VECS)
Feedback
Yes
No
Powered by
