Performing a certificate status check using vCert results in a NO PNID status for the machine SSL certificate

Article ID: 401098

Products

VMware vCenter Server
VMware vCenter Server 8.0

Issue/Introduction

When using the vCert utility to perform a certificate status check on a vCenter Server Appliance (VCSA), the check returns a NO PNID value for the machine SSL certificate.

Checking Machine SSL certificate                                        NO PNID

Environment

vCenter 7.x
vCenter 8.x

Cause

vCert issues this warning if the PNID (Primary Network Identifier) is not present in the Subject Alternative Name (SAN) field of the machine SSL certificate, or is present but in the wrong letter case.
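To tell the two causes apart before regenerating anything, the comparison can be reproduced by hand. The following is an added example, not vCert's own code: it assumes the PNID has been read with `vmafd-cli get-pnid --server-name localhost` and the SAN line copied from `openssl x509 -noout -text` output for the machine SSL certificate; the function names and hostnames are constructed for illustration.

```python
import re

# Constructed sample: the line that follows "X509v3 Subject Alternative Name:"
# in `openssl x509 -noout -text` output. Hostnames and IP are made up.
SAMPLE_SAN = "DNS:VCSA01.lab.example, DNS:vcsa01, IP Address:192.0.2.10"


def parse_san(san_text):
    """Split an openssl-style SAN listing into (type, value) pairs."""
    entries = []
    for item in re.split(r",\s*", san_text.strip()):
        if ":" in item:
            # Split on the first colon only, so IPv6 values stay intact.
            kind, value = item.split(":", 1)
            entries.append((kind.strip(), value.strip()))
    return entries


def check_pnid(pnid, san_text):
    """Classify how the PNID relates to the certificate's SAN entries.

    Returns (status, matching_entry):
      OK            - PNID appears in the SAN with identical case
      CASE MISMATCH - PNID appears only with different letter case
      MISSING       - PNID does not appear in the SAN at all
    """
    # The PNID may be an FQDN or an IP address, so check both entry types.
    values = [v for k, v in parse_san(san_text) if k in ("DNS", "IP Address")]
    if pnid in values:  # exact, case-sensitive comparison
        return ("OK", pnid)
    for value in values:
        if value.lower() == pnid.lower():
            return ("CASE MISMATCH", value)
    return ("MISSING", None)


if __name__ == "__main__":
    # Constructed PNID values exercising each outcome.
    for pnid in ("VCSA01.lab.example", "vcsa01.lab.example", "vc02.lab.example"):
        status, entry = check_pnid(pnid, SAMPLE_SAN)
        print(f"{pnid:<24} {status:<14} {entry or '-'}")
```

Either a CASE MISMATCH or a MISSING result corresponds to the NO PNID status described above, and both are addressed by regenerating the machine SSL certificate so that its SAN carries the PNID exactly as the appliance reports it.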

Resolution

Take an offline snapshot of the VCSA, and of any other VCSAs in Enhanced Linked Mode (ELM), prior to making any changes to the VCSA configuration.

If using VMware Certificate Authority (VMCA) to issue certificates, regenerate the VCSA machine SSL certificate using vCert. An example of using vCert with the most common options for regenerating the VMCA-signed certificates is below, but in certain cases other values may be required:

# cd vCert-6.0.1-20250516
# python vCert.py

------------------------!!! Attention !!!------------------------

This script is intended to be used at the direction of Broadcom Global Support.

Changes made could render this system inoperable. Please ensure you have a valid
VAMI-based backup or offline snapshots of ALL vCenter/PSC nodes in the SSO domain
before continuing. Please refer to the following Knowledge Base article:
https://knowledge.broadcom.com/external/article?legacyId=85662

Do you acknowledge the risks and wish to continue? [y/n]:


VCF/VVF Certificate Management Utility (version 6.0.1)
-----------------------------------------------------------------
 1. Check current certificate status
 2. View certificate info
 3. Manage certificates
 4. Manage SSL trust anchors
 5. Check configurations
 6. Reset all certificates with VMCA-signed certificates
 7. ESXi certificate operations
 8. Restart services
 9. Generate certificate report
 E. Exit

Select an option [1]: 6

Please enter a Single Sign-On administrator account [[email protected]]:
Please provide the password for [email protected]:


Certificate Signing Request Information
-----------------------------------------------------------------
Enter the country code [US]:
Enter the Organization name [VMware]:
Enter the Organizational Unit name [VMware Engineering]:
Enter the state [California]:
Enter the locality (city) name [Palo Alto]:
Enter the IP address (optional):
Enter an email address (optional):
Enter any additional hostnames for SAN entries (comma separated value):

Replace Machine SSL Certificate
-----------------------------------------------------------------
Generate certool configuration                                 OK
Regenerate Machine SSL certificate                             OK
Backing up Machine SSL certificate and private key             OK
Updating MACHINE_SSL_CERT certificate                          OK

Replace Solution User Certificates
-----------------------------------------------------------------
Verifying Service Principal entries exist                      OK
Generate new certificates and keys:
   machine                                                     OK
   vsphere-webclient                                           OK
   vpxd                                                        OK
   vpxd-extension                                              OK
   hvc                                                         OK
   wcp                                                         OK

Backup certificate and private key:
   machine                                                     OK
   vsphere-webclient                                           OK
   vpxd                                                        OK
   vpxd-extension                                              OK
   hvc                                                         OK
   wcp                                                         OK

Updating certificates and keys in VECS:
   machine                                                     OK
   vsphere-webclient                                           OK
   vpxd                                                        OK
   vpxd-extension                                              OK
   hvc                                                         OK
   wcp                                                         OK

Updating solution user certificates in VMware Directory:
   machine                                                     OK
   vsphere-webclient                                           OK
   vpxd                                                        OK
   vpxd-extension                                              OK
   hvc                                                         OK
   wcp                                                         OK

Update vCenter Extension Thumbprints
-----------------------------------------------------------------
com.vmware.vcIntegrity (vpxd-extension)                   UPDATED
com.vmware.vim.eam (vpxd-extension)                       UPDATED
com.vmware.vlcm.client (vpxd-extension)                   UPDATED
com.vmware.vmcam (Authentication Proxy)                   MATCHES
com.vmware.vsan.health (Machine SSL)                      UPDATED

Replace SSO STS Signing Certificate
-----------------------------------------------------------------
Generate certool configuration                                 OK
Regenerate STS signing SSL certificate                         OK
Backup and delete tenant credentials                           OK
Backup and delete trusted cert chains                          OK
Add new STS signing certificate to VMDir                       OK

Update SSL Trust Anchors
-----------------------------------------------------------------
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updated 44 service(s)

Restart VMware services [N]: y

Restarting Services
-----------------------------------------------------------------
Stopping VMware services                                       OK
Starting VMware services                                       OK

VCF/VVF Certificate Management Utility (version 6.0.1)
-----------------------------------------------------------------
 1. Check current certificate status
 2. View certificate info
 3. Manage certificates
 4. Manage SSL trust anchors
 5. Check configurations
 6. Reset all certificates with VMCA-signed certificates
 7. ESXi certificate operations
 8. Restart services
 9. Generate certificate report
 E. Exit

Select an option [1]: E

For information on using vCert to replace a VCSA machine SSL certificate issued by a custom certificate authority, refer to the documentation for vCert.

Additional Information