Data-encipherment certificate showing as "NOT FOUND" after vCert script check is run on vCenter Server
Article ID: 402607

Products

VMware vCenter Server

Issue/Introduction

Checking Certificate Status
-----------------------------------------------------------------
Checking Machine SSL certificate                            VALID
Checking Solution User certificates:
   machine                                                  VALID
   vsphere-webclient                                        VALID
   vpxd                                                     VALID
   vpxd-extension                                           VALID
   hvc                                                      VALID
   wcp                                                      VALID
Checking SMS self-signed certificate                        VALID
Checking SMS VMCA-signed certificate                        VALID
Checking data-encipherment certificate                  NOT FOUND
Checking Authentication Proxy certificate                   VALID
Taking backup of old certificate and private key to /tmp directory
vecs-cli failed. Error 4312: Possible errors:
LDAP error: Unknown (extension) error
Win Error: Operation failed with error ERROR_OBJECT_NOT_FOUND (4312)
vecs-cli failed. Error 4312: Possible errors:
LDAP error: Unknown (extension) error
Win Error: Operation failed with error ERROR_OBJECT_NOT_FOUND (4312)

Deleting the existing certificate from the VECS store
Deleted entry with alias [data-encipherment] in store [data-encipherment] successfully

Generating new certificate using the existing private key and add to the VECS store
Status : Failed
Error Code : 2
Error Message : Operation failed with error = ERROR_FILE_NOT_FOUND (2)

Environment

vCenter Server 7.0 

vCenter Server 8.0 

Cause

The data-encipherment VECS store exists, but it contains no certificate. Because the script (and the usual manual renewal steps) expect an existing entry to back up and re-sign, they fail and cannot renew or regenerate the certificate.

Resolution

Below are manual steps to create a data-encipherment certificate:

**Please ensure valid snapshots/backups are completed before making any changes (offline snapshots of all vCenter Servers in Enhanced Linked Mode).

Log in to the vCenter Server over SSH as the root user and run "shell" to enter the Bash shell.

1. Create private and public key pairs:

/usr/lib/vmware-vmca/bin/certool --genkey --privkey=/etc/vmware-vpx/ssl/data-encipherment.key --pubkey=/etc/vmware-vpx/ssl/data-encipherment.pub

2. Create the certificate for data encipherment (replace FQDN with the machine's fully qualified domain name in both places):

/usr/lib/vmware-vmca/bin/certool --server=FQDN --genCIScert --dataencipherment --privkey=/etc/vmware-vpx/ssl/data-encipherment.key --cert=/etc/vmware-vpx/ssl/data-encipherment.crt --Name=data-encipherment --FQDN=FQDN

3. Restart all services:

service-control --stop --all && service-control --start --all 

4. Verify that the new certificate is present in the VECS store:

/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store data-encipherment --text | less
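As an added example (not part of this article or of the vCert script), the following POSIX shell wrapper runs steps 1 to 4 above only after classifying the vecs-cli output, so the key and certificate are regenerated just when the store is really empty, and any existing private key is copied to /tmp first. It assumes hostname -f returns the vCenter FQDN (override with the FQDN environment variable) and uses the same paths as the article.

```shell
#!/bin/sh
# Added example, not from the KB article: pre-flight check plus the article's
# four manual steps. classify_store_output parses the text output of
#   vecs-cli entry list --store data-encipherment --text
# and regenerate_if_missing only touches the appliance when the store is empty.
set -u

VECS_CLI=/usr/lib/vmware-vmafd/bin/vecs-cli
CERTOOL=/usr/lib/vmware-vmca/bin/certool
KEY=/etc/vmware-vpx/ssl/data-encipherment.key
PUB=/etc/vmware-vpx/ssl/data-encipherment.pub
CRT=/etc/vmware-vpx/ssl/data-encipherment.crt

# Reads vecs-cli text output on stdin and prints exactly one word:
#   error    - vecs-cli itself failed; inspect the store by hand
#   empty    - store exists but holds no data-encipherment certificate (this KB)
#   present  - alias data-encipherment exists together with a certificate block
classify_store_output() {
  awk '
    /vecs-cli failed/                                              { failed = 1 }
    /^Alias[[:space:]]*:[[:space:]]*data-encipherment[[:space:]]*$/ { alias = 1 }
    /-----BEGIN CERTIFICATE-----/                                  { cert = 1 }
    END {
      if (failed)             print "error"
      else if (alias && cert) print "present"
      else                    print "empty"
    }'
}

# Steps 1-4 of the article, guarded by the check above and by a key backup.
regenerate_if_missing() {
  fqdn=${FQDN:-$(hostname -f)}   # assumption: hostname -f yields the vCenter FQDN
  state=$("$VECS_CLI" entry list --store data-encipherment --text 2>&1 | classify_store_output)
  if [ "$state" != "empty" ]; then
    echo "data-encipherment store state is '$state'; nothing to do" >&2
    return 1
  fi
  [ -f "$KEY" ] && cp -p "$KEY" "/tmp/data-encipherment.key.$(date +%s).bak"
  "$CERTOOL" --genkey --privkey="$KEY" --pubkey="$PUB"
  "$CERTOOL" --server="$fqdn" --genCIScert --dataencipherment --privkey="$KEY" \
             --cert="$CRT" --Name=data-encipherment --FQDN="$fqdn"
  service-control --stop --all && service-control --start --all
  "$VECS_CLI" entry list --store data-encipherment --text | classify_store_output
}

# Only act when invoked with --apply; otherwise the file just defines functions,
# so classify_store_output can be exercised on saved vecs-cli output.
if [ "${1:-}" = "--apply" ]; then
  regenerate_if_missing
fi
```

Run it as `sh check-data-encipherment.sh --apply` on the appliance; the final line of output should read `present` once step 4 succeeds.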