Certificate chain validation failed with error 2076 due to incorrect certificate order.

Article ID: 402332


Products

VMware NSX

Issue/Introduction

When attempting to upload a certificate chain to NSX, the following error message is observed:

Certificate chain validation failed. Make sure a valid chain is provided in order leaf, intermediate, root certificate (Error code:2076).

  • The upload fails even when all certificates are present.

  • The error persists if the certificates are not in the required order.

  • Users may mistakenly believe the chain is valid because it includes the necessary certificates.

Environment

VMware NSX

Cause

This error occurs because the certificate chain is not provided in the correct order: leaf certificate, followed by intermediate certificate(s), and finally the root certificate. 

Resolution

 

  1. Open each certificate file.

    - You can do this by opening the certificate in a text editor.

  2. Find the one with Issued To: yourserver.example.com. That's the leaf.

  3. Find the cert that matches the Issued By of the leaf. That's the intermediate.

  4. Find the cert where Issued To and Issued By are the same. That's the root.

  5. Put them together in this order:

    • Leaf

    • Intermediate

    • Root

  6. Save the combined file as fullchain.pem or similar.

  7. Upload it to your system.



Correct order Example:

 

-----BEGIN CERTIFICATE-----
(Leaf certificate)
Issued To: myserver.company.com
Issued By: Intermediate CA 1
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
(Intermediate certificate)
Issued To: Intermediate CA 1
Issued By: Root CA
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
(Root certificate)
Issued To: Root CA
Issued By: Root CA (self-signed)
-----END CERTIFICATE-----

This order ensures that each certificate in the chain is verifiable by the one that follows it.

 

  • The "Issued By" field of the leaf certificate must match the "Issued To" of the intermediate certificate that follows it.

  • This continues upward until reaching the root certificate, which is self-signed, meaning its "Issued To" and "Issued By" fields are the same.
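
Steps 2 through 5 of the resolution can be scripted, as in the following added example (not part of the original article and not VMware tooling): it reads each certificate's subject and issuer with openssl and writes the bundle in leaf, intermediate, root order. The function names and the temporary file layout are assumptions made for this example.

```shell
#!/bin/sh
# Added example: reorder a PEM bundle into leaf, intermediate(s), root.
# Links are matched by name only (issuer hash == subject hash), like the
# Issued By / Issued To comparison; signatures are NOT verified here.

subj() { openssl x509 -in "$1" -noout -subject_hash 2>/dev/null; }
issr() { openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null; }

# find_by_subject HASH DIR: print the file whose subject hash equals HASH.
find_by_subject() {
    for f in "$2"/c*.pem; do
        [ "$(subj "$f")" = "$1" ] && { echo "$f"; return 0; }
    done
    return 1
}

# order_chain BUNDLE: ordered PEM on stdout; non-zero if the chain is broken.
order_chain() {
    tmp=$(mktemp -d) || return 1
    # Split the bundle into one file per certificate block.
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++; on = 1 }
        on { print > (d "/c" n ".pem") }
        /-----END CERTIFICATE-----/ { on = 0 }' "$1"
    total=$(ls "$tmp" | wc -l | tr -d ' ')
    # Leaf: not self-signed, and no other certificate names it as issuer.
    leaf=
    for c in "$tmp"/c*.pem; do
        s=$(subj "$c")
        [ "$s" = "$(issr "$c")" ] && continue
        used=0
        for o in "$tmp"/c*.pem; do
            [ "$(issr "$o")" = "$s" ] && used=1
        done
        [ "$used" -eq 0 ] && leaf=$c
    done
    # Walk issuer links upward until a self-signed certificate (the root).
    cur=$leaf; count=0; root_seen=0
    while [ -n "$cur" ] && [ "$count" -lt "$total" ]; do
        cat "$cur"; count=$((count + 1))
        if [ "$(subj "$cur")" = "$(issr "$cur")" ]; then root_seen=1; break; fi
        cur=$(find_by_subject "$(issr "$cur")" "$tmp") || cur=
    done
    rm -rf "$tmp"
    [ "$root_seen" -eq 1 ] && [ "$count" -eq "$total" ] && return 0
    echo "order_chain: incomplete chain or unrelated certificates" >&2
    return 1
}
```

Run it as order_chain shuffled.pem > fullchain.pem. Matching is by name, as in the manual steps; openssl verify can be used separately to confirm the signatures.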