If the parent certificate (a root CA or intermediate CA) was created as a non-federated certificate, importing or creating a federated child certificate (an application certificate or intermediate CA) fails with the following error:
{"error":"Parent-child namespace compatibility issue, both the objects should either be federated or non-federated. Parent object <certificate name> is federated, child object <certificate name> is non-federated."}
This error occurs even if both a non-federated and a federated parent certificate object exist on the controller.
Affects Version(s):
22.1.1 - 22.1.1-2p6
22.1.2 - 22.1.2-2p7
22.1.3 - 22.1.3-2p14
22.1.4 - 22.1.4-2p7
22.1.5 - 22.1.5-2p8
22.1.6 - 22.1.6-2p8
22.1.7 - 22.1.7-2p7
30.1.1
30.1.2 - 30.1.2-2p2
30.2.1 - 30.2.1-2p5
30.2.2 - 30.2.2-2p5
30.2.3 - 30.2.3-2p2
31.1.1 - 31.1.1-2p2
This is a day-one issue with the VMware Avi Load Balancer product: the is_federated flag is not considered during certificate chaining when a certificate object is imported or created.
The fix for this issue will be included in the next GA releases of the VMware Avi Load Balancer product.
Please review the product release notes and look for the bug ID below:
Bug ID: AV-237693
Description: Importing a certificate fails with an error related to namespace compatibility between parent and child objects.
Link to Product Documentation: VMware Avi Load Balancer
Workaround(s):
At this time there are no non-disruptive workarounds: the entire certificate chain has to be removed and recreated with the is_federated flag enabled when each certificate object is created.
If the certificate chain will be used for GSLB, import or create all certificate objects with the is_federated flag enabled (check box checked).
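An added example, not taken from VMware's documentation: an offline pre-check that reports every parent/child pair whose is_federated values differ (the condition the error above describes) and lists the non-federated objects in a given chain. The sample objects are constructed, and the field layout (`name`, `is_federated`, `ca_certs[].name`) and function names are assumptions about how the certificate objects were exported.

```python
# Constructed sample export. The field layout (name, is_federated,
# ca_certs[].name) is an assumption; adapt it to your own export.
SAMPLE_EXPORT = [
    {"name": "example-root-ca", "is_federated": False, "ca_certs": []},
    {"name": "example-issuing-ca", "is_federated": False,
     "ca_certs": [{"name": "example-root-ca"}]},
    {"name": "example-gslb-app", "is_federated": True,
     "ca_certs": [{"name": "example-issuing-ca"}]},
    {"name": "example-local-app", "is_federated": False,
     "ca_certs": [{"name": "example-issuing-ca"}]},
]


def federation_mismatches(certs):
    """Return (child, parent) name pairs whose is_federated values differ."""
    by_name = {c["name"]: c for c in certs}
    pairs = []
    for child in certs:
        for ref in child.get("ca_certs", []):
            parent = by_name.get(ref.get("name"))
            if parent is None:
                continue  # parent not in the export; nothing to compare
            if bool(parent.get("is_federated")) != bool(child.get("is_federated")):
                pairs.append((child["name"], parent["name"]))
    return pairs


def non_federated_in_chain(certs, leaf_name):
    """Walk leaf_name's chain upward; return its non-federated objects."""
    by_name = {c["name"]: c for c in certs}
    todo, seen, out = [leaf_name], set(), []
    while todo:
        name = todo.pop(0)
        if name in seen or name not in by_name:
            continue  # guards against loops and parents missing from the export
        seen.add(name)
        cert = by_name[name]
        if not cert.get("is_federated"):
            out.append(name)
        todo.extend(r.get("name") for r in cert.get("ca_certs", []))
    return out


if __name__ == "__main__":
    for child, parent in federation_mismatches(SAMPLE_EXPORT):
        print(f"mismatch: child={child} parent={parent}")
    print("non-federated:", non_federated_in_chain(SAMPLE_EXPORT, "example-gslb-app"))
```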