"Missing signing CA in TRUSTED_ROOTS", VDT on vCenter Server reports FAIL status for Certificate Trust Check.

Article ID: 398620

Products

VMware vCenter Server

Issue/Introduction

  • Running VDT on vCenter Server shows a FAIL status for the Certificate Trust Check on the TRUSTED_ROOTS VECS store.

    [FAIL] Certificate Trust Check (UNTRUSTED|SIGNED-INTERMEDIATE)

             Missing signing CA in TRUSTED_ROOTS!

               Missing Subject:
                 <Certificate Subject>
               Missing Authority Key:
                 <Authority Key of the Certificate>

Environment

vCenter Server 7.0.x
vCenter Server 8.0.x

Cause

  • This issue occurs when the full certificate chain for a CA certificate is missing from the TRUSTED_ROOTS store on vCenter Server: a CA certificate is present, but the CA that signed it is not.
  • VDT verifies that the issuer of each certificate in the TRUSTED_ROOTS store is itself present in the store. The VDT log records the issuer details of every certificate it checks, which can be used to identify the missing issuer and to confirm whether that certificate exists in the VECS store.

    vdt.log

    YYYY-MM-DDTHH:MM:SSUTC INFO VC VECS Check getCaTrustList: Getting CA trust list

    YYYY-MM-DDTHH:MM:SSUTC DEBUG VC Certificate Authority Check __init__: {'Thumbprint': '##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##', 'Version': 2, 'SignatureAlg': 'sha512WithRSAEncryption', 'Issuer': '<Certificate Issuer Subject>', 'Valid From': 'YYYY-MM-DD HH:MM:SS GMT', 'Valid Until': 'YYYY-MM-DD HH:MM:SS GMT', 'Subject': '<Certificate Subject>', 'subjectKeyIdentifier': '##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##', 'authorityKeyIdentifier': 'keyid:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##\n', 'keyUsage': 'Digital Signature, Certificate Sign, CRL Sign', 'extendedKeyUsage': 'Code Signing'}
    YYYY-MM-DDTHH:MM:SSUTC DEBUG VC Certificate Authority Check __init__: Checking certificate: <Certificate Subject> for problems
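The check VDT performs can be reproduced offline from the DEBUG lines above: every certificate whose authorityKeyIdentifier does not match the subjectKeyIdentifier of some other certificate in the store (and that is not self-signed) has a missing signing CA. The script below is an added example, not VDT's own code; the vdt.log excerpt it reads is constructed, with shortened fake key identifiers and certificate names.

```python
import ast
import re

# Constructed vdt.log excerpt (not a real log). Key identifiers are shortened
# fakes; real ones are 20 bytes. The last entry's issuer key (DD:DD:DD) is not
# in the store, which is the condition VDT reports as a missing signing CA.
SAMPLE_VDT_LOG = r"""
2024-01-01T00:00:00UTC INFO VC VECS Check getCaTrustList: Getting CA trust list
2024-01-01T00:00:00UTC DEBUG VC Certificate Authority Check __init__: {'Thumbprint': '0A:0A:0A', 'Version': 2, 'SignatureAlg': 'sha256WithRSAEncryption', 'Issuer': 'CN=Example Root CA', 'Valid From': '2020-01-01 00:00:00 GMT', 'Valid Until': '2040-01-01 00:00:00 GMT', 'Subject': 'CN=Example Root CA', 'subjectKeyIdentifier': 'AA:AA:AA', 'authorityKeyIdentifier': 'keyid:AA:AA:AA\n', 'keyUsage': 'Certificate Sign, CRL Sign'}
2024-01-01T00:00:00UTC DEBUG VC Certificate Authority Check __init__: {'Thumbprint': '0B:0B:0B', 'Version': 2, 'SignatureAlg': 'sha256WithRSAEncryption', 'Issuer': 'CN=Example Root CA', 'Valid From': '2020-01-01 00:00:00 GMT', 'Valid Until': '2030-01-01 00:00:00 GMT', 'Subject': 'CN=Example Issuing CA', 'subjectKeyIdentifier': 'BB:BB:BB', 'authorityKeyIdentifier': 'keyid:AA:AA:AA\n', 'keyUsage': 'Certificate Sign, CRL Sign'}
2024-01-01T00:00:00UTC DEBUG VC Certificate Authority Check __init__: {'Thumbprint': '0C:0C:0C', 'Version': 2, 'SignatureAlg': 'sha512WithRSAEncryption', 'Issuer': 'CN=Example Code Signing Root', 'Valid From': '2021-01-01 00:00:00 GMT', 'Valid Until': '2031-01-01 00:00:00 GMT', 'Subject': 'CN=Example Code Signing CA', 'subjectKeyIdentifier': 'CC:CC:CC', 'authorityKeyIdentifier': 'keyid:DD:DD:DD\n', 'keyUsage': 'Digital Signature, Certificate Sign, CRL Sign', 'extendedKeyUsage': 'Code Signing'}
"""

# VDT logs one Python-style dict per certificate at DEBUG level.
CERT_LINE = re.compile(r"Certificate Authority Check __init__: (\{.*\})\s*$")

def parse_vdt_log(text):
    """Return the per-certificate dicts from the vdt.log text, in log order."""
    certs = []
    for line in text.splitlines():
        m = CERT_LINE.search(line)
        if m:
            certs.append(ast.literal_eval(m.group(1)))
    return certs

def normalize_key_id(value):
    """'keyid:aa:bb\\n' -> 'AA:BB'. VDT writes AKI with a prefix and newline."""
    if not value:
        return ""
    value = value.strip()
    if value.lower().startswith("keyid:"):
        value = value[len("keyid:"):]
    return value.upper()

def find_missing_signing_cas(log_text):
    """Each non-self-signed CA in TRUSTED_ROOTS must have its issuer (matched by
    AKI == some SKI) in the same store. Returns (subject, issuer, aki) per failure."""
    certs = parse_vdt_log(log_text)
    present_skis = {normalize_key_id(c.get("subjectKeyIdentifier")) for c in certs}
    missing = []
    for c in certs:
        ski = normalize_key_id(c.get("subjectKeyIdentifier"))
        aki = normalize_key_id(c.get("authorityKeyIdentifier"))
        # A root signs itself: AKI equals its own SKI, or no AKI and Issuer == Subject.
        if aki == ski or (not aki and c.get("Issuer") == c.get("Subject")):
            continue
        if aki not in present_skis:
            missing.append((c.get("Subject"), c.get("Issuer"), aki))
    return missing

if __name__ == "__main__":
    for subject, issuer, aki in find_missing_signing_cas(SAMPLE_VDT_LOG):
        print(f"Missing signing CA for {subject}: need {issuer} (key {aki})")
```

The issuer name printed is the CA certificate to obtain and add to TRUSTED_ROOTS; the key identifier lets you confirm that the file you download is the right one.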

Resolution

Add the missing Root CA certificate to vCenter Server by following the steps in Add a Trusted Root Certificate to the Certificate Store.

For example:

If the missing CA Subject is "Entrust Code Signing Root Certification Authority – CSBR1":

  • Download the missing Root CA certificate from Entrust Root Certificates.
  • Upload the downloaded certificate to vCenter Server using the procedure above.
  • Run VDT again to confirm the Certificate Trust Check now passes.