Error: Subject Alternate Name (SAN) field does not contain the PNID. Please provide a valid certificate

Article ID: 406282

Updated On:

Products

VMware vCenter Server

Issue/Introduction

  • Using certificate manager to replace a Machine SSL certificate with a new custom, CA-signed certificate fails with the following error message:
    • Error: Subject Alternate Name (SAN) field does not contain the PNID. Please provide a valid certificate

      Status : 0% Completed [Operation failed, performing automatic rollback]

  • In the certificate-manager.log file, entries similar to the following appear:
    • YYYY-MM-DDTHH:MM:SS INFO  certificate-manager  Running command : ['/usr/lib/vmware-vmafd/bin/vmafd-cli', 'get-pnid', '--server-name', 'localhost']
      YYYY-MM-DDTHH:MM:SS INFO  certificate-manager  Output : <correct PNID of vCenter>

      YYYY-MM-DDTHH:MM:SS ERROR certificate-manager  Error: Subject Alternate Name (SAN) field does not contain the PNID. Please provide a valid certificate
      YYYY-MM-DDTHH:MM:SS ERROR certificate-manager  Error while replacing Machine SSL Cert, please see /var/log/vmware/vmcad/certificate-manager.log for more information.

Environment

  • VMware vCenter 7.x
  • VMware vCenter 8.x
  • VMware vCenter 9.x

Cause

The SSL certificate you are attempting to use does not include the PNID (FQDN) of the vCenter server in its SAN field. vCenter checks that the PNID is present in the SAN to ensure the certificate is valid for its configured hostname.

Resolution

Regenerate the CSR using the correct PNID in the Hostname field of certificate manager.

Note: Multiple hostnames (comma-separated) can be entered; however, the PNID of vCenter must be among them.
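
A pre-check for the condition described under Cause, as an added example that is not VMware's code: it reads the PNID with the vmafd-cli command shown in the log above and compares it with the DNS entries of the certificate's SAN, parsed from `openssl x509 -text` output. The function names, return codes and sample text are assumptions of this example, and it covers DNS entries only.

```shell
#!/bin/sh
# Added example (not VMware code): check a certificate's SAN for the PNID
# before handing the certificate to certificate manager.

# Print the DNS entries of the SAN extension from `openssl x509 -text` output.
san_dns_names() {
  printf '%s\n' "$1" |
    awk '/X509v3 Subject Alternative Name/ { getline; print; exit }' |
    tr ',' '\n' |
    sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*$/\1/p'
}

# 0 = PNID is a SAN DNS entry; 2 = present only with different letter case;
# 1 = absent. How certificate manager treats case is not assumed here.
san_check() {
  [ -n "$2" ] || return 1
  names=$(san_dns_names "$1")
  if printf '%s\n' "$names" | grep -Fxq -- "$2"; then return 0; fi
  if printf '%s\n' "$names" | grep -Fxiq -- "$2"; then return 2; fi
  return 1
}

# Usage on the appliance: sh this_script.sh /path/to/new_machine_ssl.crt
check_cert() {
  pnid=$(/usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost) || return 3
  text=$(openssl x509 -in "$1" -noout -text) || return 3
  rc=0; san_check "$text" "$pnid" || rc=$?
  case $rc in
    0) echo "OK: SAN contains PNID $pnid" ;;
    2) echo "WARN: SAN matches PNID $pnid only when case is ignored" ;;
    *) echo "FAIL: SAN does not contain PNID $pnid; SAN DNS entries:"
       san_dns_names "$text" ;;
  esac
  return "$rc"
}

# Constructed sample of the SAN lines in `openssl x509 -text` output.
SAMPLE_TEXT='        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:vcsa01.example.test, DNS:vcsa01, IP Address:192.0.2.10
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment'

if [ "$#" -gt 0 ]; then check_cert "$1"; fi
```

Running the same check against the CA-signed certificate before starting certificate manager shows a missing PNID before the replacement and automatic rollback are triggered.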

Additional Information

Refer to the articles below for steps to replace the Machine SSL certificate of vCenter:

  1. Custom Machine SSL certificate replacement on vCenter
  2. Machine SSL Certificate Replacement