VASA Provider (VP) registration fails when the Subject Alternative Name in the certificate has multiple entries
Article ID: 397640


Products

VMware vCenter Server

Issue/Introduction

  • VASA Provider registration fails when the Subject Alternative Name (SAN) in the Certificate Signing Request (CSR) has multiple entries, e.g. when the CSR contains two IP addresses, especially when the IPv4 address is followed by the IPv6 address.

Note: VP registration works when the IPv6 address is followed by the IPv4 address.

  • VMware vCenter Server 8.x and later can fail to register the VASA Provider because of an unsupported certificate signing request, reporting a "provider certificate signing failed" error.
  • You may see the following error in the VASA Provider log:

com.vmware.vim.sms.provider.vasa.cert.CertificateAuthority - Timer stopped: getCAsignedCertificateInt, Time taken: 25 ms.
com.vmware.vim.sms.provider.vasa.cert.CertificateAuthority - Failed to get a VMCA signed certificate for CSR. Error : 70069, Message : VMCA_ERROR_SAN_IPADDR_INVALID
com.vmware.vim.sms.provider.vasa.VasaProviderImpl - [init] Provider creation failed while getting a certificate :com.vmware.vim.sms.fault.CertificateException: Failed to get a VMCA signed certificate for CSR. Error: 70069, Message: VMCA_ERROR_SAN_IPADDR_INVALID

Environment

VMware vCenter Server 8.x and later

Cause

  • VMware vCenter Server does not support certificate signing requests (CSRs) whose SAN (Subject Alternative Name) contains multiple entries of the same type.
  • Different versions of vCenter Server have specific limits on the SAN fields that a CSR may include. The officially supported SAN configurations in CSRs are:
  1. vCenter versions prior to 9.0: the CSR's SAN field can contain one IPv4 address, one DNS name, and one IPv6 address (IPv6 address followed by the IPv4 address).
  2. vCenter 9.0 and later: the CSR's SAN field can contain one IPv4 address, two DNS names, and one IPv6 address (IPv6 address followed by the IPv4 address).

Additional constraints apply when the VASA Provider is registered with DNS and when VASA 5 is in use, which can potentially lead to VASA Provider registration failure.

Resolution

To avoid the issue, generate CSRs with the SAN constraints above for your vCenter Server version in mind, both for the number of IP addresses and DNS names and for their order (IPv6 before IPv4).
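The following is an added example, not part of this KB article or of any VMware tooling. It encodes the per-version SAN limits and the IPv6-before-IPv4 ordering rule stated above, checks a proposed SAN list against them before the CSR is generated, reorders the list into a compliant order, and emits the `[alt_names]` section of an OpenSSL request configuration. All hostnames and addresses are constructed sample values; placing DNS names before the IP addresses is this example's own choice, since the article only constrains the relative order of the two IP families.

```python
"""Plan and validate the SAN list of a VASA Provider CSR against vCenter limits.

Added example, not from the KB article. The limits and the IPv6-before-IPv4
rule are taken from the article; the DNS-first placement is an assumption.
"""
import ipaddress
from typing import Dict, List

# Maximum number of SAN entries of each type, per vCenter version (from the article).
SAN_LIMITS: Dict[str, Dict[str, int]] = {
    "pre-9.0": {"ip4": 1, "ip6": 1, "dns": 1},
    "9.0+": {"ip4": 1, "ip6": 1, "dns": 2},
}


def classify(entry: str) -> str:
    """Return 'ip4', 'ip6' or 'dns' for one SAN entry string."""
    try:
        addr = ipaddress.ip_address(entry)
    except ValueError:
        # Anything that does not parse as an IP literal is treated as a DNS name.
        return "dns"
    return "ip6" if addr.version == 6 else "ip4"


def validate_san(entries: List[str], vcenter: str) -> List[str]:
    """Return a list of problems; an empty list means the SAN list is acceptable."""
    limits = SAN_LIMITS[vcenter]
    kinds = [classify(e) for e in entries]
    counts = {"ip4": 0, "ip6": 0, "dns": 0}
    for kind in kinds:
        counts[kind] += 1
    problems: List[str] = []
    for kind, n in counts.items():
        if n > limits[kind]:
            problems.append(f"too many {kind} entries: {n} > {limits[kind]}")
    # Ordering rule from the article: when both IP families are present,
    # the IPv6 address must precede the IPv4 address or VMCA rejects the CSR
    # with VMCA_ERROR_SAN_IPADDR_INVALID.
    if "ip4" in kinds and "ip6" in kinds and kinds.index("ip4") < kinds.index("ip6"):
        problems.append("IPv4 address precedes IPv6 address; VMCA rejects this order")
    return problems


def order_san(entries: List[str]) -> List[str]:
    """Reorder entries as DNS names, then IPv6, then IPv4 (relative order kept)."""
    rank = {"dns": 0, "ip6": 1, "ip4": 2}
    return sorted(entries, key=lambda e: rank[classify(e)])


def openssl_alt_names(entries: List[str]) -> str:
    """Render the [alt_names] section of an OpenSSL req config for these entries.

    OpenSSL numbers entries per type (DNS.1, IP.1, IP.2, ...) and keeps them in
    the order written, so the IPv6 line must come before the IPv4 line.
    """
    lines = ["[alt_names]"]
    dns_n = ip_n = 0
    for e in entries:
        if classify(e) == "dns":
            dns_n += 1
            lines.append(f"DNS.{dns_n} = {e}")
        else:
            ip_n += 1
            lines.append(f"IP.{ip_n} = {e}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: the failing order described in the article.
    wanted = ["192.0.2.10", "vasa.example.com", "2001:db8::1"]
    print("problems:", validate_san(wanted, "pre-9.0"))
    fixed = order_san(wanted)
    print("problems after reorder:", validate_san(fixed, "pre-9.0"))
    print(openssl_alt_names(fixed))
```

Run the script before invoking `openssl req`, paste the emitted `[alt_names]` section into the request configuration, and reference it from a `subjectAltName = @alt_names` line in the extension section as usual; the script deliberately refuses lists that exceed the per-version counts rather than silently dropping entries.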
