Registering ESXi Host with Intel SGX Registration Server fails with "SGX registration succeeded but GET on PCK certs failed"

Article ID: 407399

Updated On:

Products

VMware vCenter Server
VMware vSphere ESXi

Issue/Introduction

  • Registering ESXi Host with Intel SGX Registration Server fails with "SGX registration succeeded but GET on PCK certs failed"



  • The vCenter Server log (/var/log/vmware/vpxd/vpxd.log) shows entries similar to the snippet below. Note that the registration step succeeds, the attempt to obtain a JWT from the host fails with "Authentication required", and the subsequent GET for the PCK certificates is answered with HTTP 401:

YYYY-MM-DDThh:mm:ss info vpxd[31970] [Originator@6876 sub=vpxLro opId=a56280b0-b6be-4f1e-bcac-df5e22123c4f-48-389a9255] [VpxLRO] -- BEGIN task-309 -- <ESXi IP> -- sgx.register.host-3086:36f81e9f-d1a5-485a-ae77-1d27c8f33a0d --
YYYY-MM-DDThh:mm:ss info vpxd[31970] [Originator@6876 sub=SgxHostRegistration.Impl opId=a56280b0-b6be-4f1e-bcac-df5e22123c4f-48-389a9255] Sgx step get
YYYY-MM-DDThh:mm:ss error vpxd[25018] [Originator@6876 sub=SgxHostRegistration.Impl opId=a56280b0-b6be-4f1e-bcac-df5e22123c4f-48-389a9255] [VapiEsxJwtAuthenticationUpdater]Failed to get JWT token. Error:
--> Error:
-->  com.vmware.vapi.std.errors.unauthenticated
--> Messages:
-->  vapi.security.authentication.required<Authentication required>
-->
.
.
.
YYYY-MM-DDThh:mm:ss info vpxd[24731] [Originator@6876 sub=SgxHostRegistration.Impl opId=a56280b0-b6be-4f1e-bcac-df5e22123c4f-48-389a9255] Sgx step register: url = 'https://sbx.api.trustedservices.intel.com:443/sgx/registration/v1/platform'; Sgx pck cert: url = 'https://sbx.api.trustedservices.intel.com:443/sgx/certification/v4/pckcerts'; blob has 17950 bytes inside
.
.
YYYY-MM-DDThh:mm:ss info vpxd[24715] [Originator@6876 sub=SgxHostRegistration.Impl opId=a56280b0-b6be-4f1e-bcac-df5e22123c4f-48-389a9255] [AsyncGetPCKCert] Sending request to "/external-ca/http1/sbx.api.trustedservices.intel.com/443/sgx/certification/v4/pckcerts"
YYYY-MM-DDThh:mm:ss info vpxd[24837] [Originator@6876 sub=SgxHostRegistration.Impl opId=a56280b0-b6be-4f1e-bcac-df5e22123c4f-48-389a9255] [operator()], Response code: 401
YYYY-MM-DDThh:mm:ss error vpxd[24837] [Originator@6876 sub=SgxHostRegistration.Impl opId=a56280b0-b6be-4f1e-bcac-df5e22123c4f-48-389a9255] [operator()] SGX GET PCK Certificate failed: status code = 401, error code = [unset], error message = [unset]
YYYY-MM-DDThh:mm:ss error vpxd[24837] [Originator@6876 sub=SgxHostRegistration.Impl opId=a56280b0-b6be-4f1e-bcac-df5e22123c4f-48-389a9255] SGX registration succeeded but GET on PCK certs failed: N4Vpxd15SgxRegistration15SgxServiceErrorE(SGX get PCK certs failed: status code = 401, error code = [unset], error message = [unset])
--> [context]zKq7AVECAQAAAB68eQETdnB4ZAAAyzdIbGlidm1hY29yZS5zbwAArDA3AA9VOIFNISsCdnB4ZACBCUsrAgDA5DwAUAk9ALiIOwCH9zwAdPk8APMkOwCDKTsAH2I7AOSwOwAE/CwAD1UtAOsqRgLEkAhsaWJjLnNvLjYAAmyREA==[/context]
YYYY-MM-DDThh:mm:ss info vpxd[24837] [Originator@6876 sub=vpxLro opId=a56280b0-b6be-4f1e-bcac-df5e22123c4f-48-389a9255] [VpxLRO] -- FINISH task-309
YYYY-MM-DDThh:mm:ss error vpxd[24837] [Originator@6876 sub=Default opId=a56280b0-b6be-4f1e-bcac-df5e22123c4f-48-389a9255] [VpxLRO] -- ERROR task-309 -- -- <ESXi IP> -- sgx.register.host-3086:36f81e9f-d1a5-485a-ae77-1d27c8f33a0d: :vim.fault.InvalidHostState
--> Result:
--> (vim.fault.InvalidHostState) {
-->  faultCause = (vmodl.MethodFault) null,
-->  faultMessage = (vmodl.LocalizableMessage) [
-->    (vmodl.LocalizableMessage) {
-->     key = "com.vmware.vcenter.confidential_computing.sgx.pck_cert_response_error",
-->     arg = (vmodl.KeyAnyValue) [
-->       (vmodl.KeyAnyValue) {
-->        key = "details",
-->        value = "SGX registration succeeded but GET on PCK certs failed: N4Vpxd15SgxRegistration15SgxServiceErrorE(SGX get PCK certs failed: status code = 401, error code = [unset], error message = [unset])

  • The ESXi host token service log (/var/run/log/esxtokend.log) shows entries similar to the snippet below. The SAML verifier rejects the token that vCenter Server presents for com.vmware.esx.authentication.token.create with "Invalid timestamp":

YYYY-MM-DDThh:mm:ss In(166) esxtokend[2102824]: [Originator@6876 sub=Http2ServerSession-4] Starting Http2Session (server): <io_obj t:N7Vmacore6System19TCPSocketObjectAsioE, h:13, <TCP '127.0.0.1 : 9199'>, <TCP '127.0.0.1 : 49719'>>
YYYY-MM-DDThh:mm:ss In(166) esxtokend[2102019]: [Originator@6876 sub=VapiHandler opID=9cc32a19-66ab-4e06-8dd7-596f2290db5a-70-4964e37e] Invoke-MethodId: com.vmware.esx.authentication.token.create
YYYY-MM-DDThh:mm:ss In(166) esxtokend[2102019]: [Originator@6876 sub=VapiHandler opID=9cc32a19-66ab-4e06-8dd7-596f2290db5a-70-4964e37e] Invoke-Input: {{ operation-input : { } }}
YYYY-MM-DDThh:mm:ss Er(163) esxtokend[2102019]: [Originator@6876 sub=SamlAuth opID=9cc32a19-66ab-4e06-8dd7-596f2290db5a-70-4964e37e] [AsyncSamlVerifierFilter] Invalid timestamp. RequestId: 1 Method:com.vmware.esx.authentication.token.create
YYYY-MM-DDThh:mm:ss Er(163) esxtokend[2102019]: [Originator@6876 sub=VapiHandler opID=9cc32a19-66ab-4e06-8dd7-596f2290db5a-70-4964e37e] MethodResult [FAIL] (MethodId:com.vmware.esx.authentication.token.create),Error:
YYYY-MM-DDThh:mm:ss Er(163) esxtokend[2100739]: -->com.vmware.vapi.std.errors.unauthenticated
YYYY-MM-DDThh:mm:ss Er(163) esxtokend[2100739]: --> Messages:
YYYY-MM-DDThh:mm:ss Er(163) esxtokend[2100739]: -->vapi.security.authentication.required<Authentication required>
YYYY-MM-DDThh:mm:ss Er(163) esxtokend[2100739]: -->
YYYY-MM-DDThh:mm:ss In(166) esxtokend[2100766]: [Originator@6876 sub=VapiHandler opID=9cc32a19-66ab-4e06-8dd7-596f2290db5a-70-4964e37e] Invoke-MethodId: com.vmware.esx.authentication.token.create

Environment

VCF 9.0
vCenter Server 8.x
vSphere ESXi 8.x

Cause

The issue was caused by a time synchronization mismatch between the ESXi host and vCenter Server.

To fetch the PCK certificates on the host's behalf, vCenter Server first requests a JWT from the host's token service (esxtokend) by presenting a SAML token. The token's validity window is stamped with vCenter Server's clock; when the host's clock differs from it by more than the verifier tolerates, the host logs "[AsyncSamlVerifierFilter] Invalid timestamp" and returns com.vmware.vapi.std.errors.unauthenticated. vpxd records this as "Failed to get JWT token", and the follow-up GET on /sgx/certification/v4/pckcerts is rejected with HTTP 401, even though the registration POST to /sgx/registration/v1/platform has already succeeded. The 401 therefore points at the clock skew, not at the Intel registration service credentials.

Resolution

  • Verify that the ESXi host and vCenter Server agree on the current time, preferably by configuring both to use the same reliable NTP or PTP server. On the host, compare the output of `esxcli system time get` and `esxcli system ntp get` with `date -u` in the vCenter Server Appliance shell, and confirm that the NTP service on the host is enabled and running.
  • After correcting any time drift, initiate the SGX registration process again and monitor the task to confirm that it completes successfully. Confirm in esxtokend.log that com.vmware.esx.authentication.token.create no longer fails with "Invalid timestamp".
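The following Python script is an added triage example and is not part of this article or of any VMware component. It checks vpxd.log and esxtokend.log excerpts for the signature described above (JWT fetch failure, PCK certificate GET answered with 401, and "Invalid timestamp" on the host), estimates the vCenter-minus-host clock offset from those lines, and shows with a standard SAML 2.0 Conditions check (NotBefore <= now < NotOnOrAfter) how a drifted host clock rejects a token that is valid on the issuer's clock. The sample log lines, their timestamps, the token lifetime and the skew tolerance are all constructed for illustration; the tolerance esxtokend actually applies is not stated in this article, and the skew estimate assumes that the vpxd "Failed to get JWT token" line and the esxtokend "Invalid timestamp" line record the same token.create request.

```python
"""Triage helper for "SGX registration succeeded but GET on PCK certs failed" (HTTP 401).

Added example, not VMware code. Looks for the log signature from the article,
estimates the clock offset between vCenter Server and the ESXi host from it,
and models the SAML validity-window check that the host's token service applies.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines modelled on the article's excerpts. The timestamps are
# invented (the article masks them as YYYY-MM-DDThh:mm:ss); in this sample the
# vCenter Server clock is about 12 minutes ahead of the ESXi host clock.
VPXD_LINES = [
    "2024-05-01T10:00:03.120Z error vpxd[25018] [Originator@6876 sub=SgxHostRegistration.Impl] "
    "[VapiEsxJwtAuthenticationUpdater]Failed to get JWT token. Error:",
    "2024-05-01T10:00:05.410Z info vpxd[24837] [Originator@6876 sub=SgxHostRegistration.Impl] "
    "[operator()], Response code: 401",
    "2024-05-01T10:00:05.411Z error vpxd[24837] [Originator@6876 sub=SgxHostRegistration.Impl] "
    "SGX registration succeeded but GET on PCK certs failed: N4Vpxd15SgxRegistration15SgxServiceErrorE"
    "(SGX get PCK certs failed: status code = 401, error code = [unset], error message = [unset])",
]
ESXTOKEND_LINES = [
    "2024-05-01T09:48:02.900Z Er(163) esxtokend[2102019]: [Originator@6876 sub=SamlAuth] "
    "[AsyncSamlVerifierFilter] Invalid timestamp. RequestId: 1 Method:com.vmware.esx.authentication.token.create",
]

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})")

SIGNATURE = {
    # vpxd: the JWT request to the host's token service was rejected
    "vpxd_jwt_failed": re.compile(r"\[VapiEsxJwtAuthenticationUpdater\]Failed to get JWT token"),
    # vpxd: the PCK certificate GET came back with HTTP 401
    "vpxd_pck_401": re.compile(r"GET on PCK certs failed.*status code = 401"),
    # esxtokend: the SAML token fell outside the host's validity window
    "esx_invalid_timestamp": re.compile(r"\[AsyncSamlVerifierFilter\] Invalid timestamp"),
}


def parse_ts(line):
    """Return the line's leading timestamp as an aware UTC datetime, or None."""
    m = TS_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def first_match(lines, pattern):
    """Timestamp of the first line matching pattern, or None if absent."""
    for line in lines:
        if pattern.search(line):
            return parse_ts(line)
    return None


def triage(vpxd_lines, esxtokend_lines):
    """Report whether the article's signature is present and the estimated clock offset."""
    found = {
        "vpxd_jwt_failed": first_match(vpxd_lines, SIGNATURE["vpxd_jwt_failed"]),
        "vpxd_pck_401": first_match(vpxd_lines, SIGNATURE["vpxd_pck_401"]),
        "esx_invalid_timestamp": first_match(esxtokend_lines, SIGNATURE["esx_invalid_timestamp"]),
    }
    matched = all(ts is not None for ts in found.values())
    skew = None
    if matched:
        # Assumption: both lines record the same token.create call, so the difference
        # of their wall-clock stamps approximates vCenter-minus-host clock offset
        # (network latency contributes at most a fraction of a second).
        skew = (found["vpxd_jwt_failed"] - found["esx_invalid_timestamp"]).total_seconds()
    return {"signature_matched": matched, "estimated_skew_seconds": skew}


def saml_conditions_ok(not_before, not_on_or_after, verifier_now, tolerance=timedelta(0)):
    """SAML 2.0 Conditions check as a verifier applies it: NotBefore <= now < NotOnOrAfter,
    with each edge widened by the verifier's clock-skew tolerance (illustrative value)."""
    return (not_before - tolerance) <= verifier_now < (not_on_or_after + tolerance)


def token_accepted_with_drift(host_offset, lifetime=timedelta(minutes=5), tolerance=timedelta(0)):
    """Issue a token on the vCenter clock and verify it on a host clock shifted by host_offset.
    Lifetime and tolerance are illustrative parameters, not values from the article."""
    issuer_now = datetime(2024, 5, 1, 10, 0, 0, tzinfo=timezone.utc)
    host_now = issuer_now + host_offset
    return saml_conditions_ok(issuer_now, issuer_now + lifetime, host_now, tolerance)


if __name__ == "__main__":
    print(triage(VPXD_LINES, ESXTOKEND_LINES))
    for mins in (0, 2, 6, -12):
        verdict = "accepted" if token_accepted_with_drift(timedelta(minutes=mins)) else "rejected"
        print(f"host clock offset {mins:+d} min -> token {verdict}")
```

A host clock that runs behind vCenter Server rejects the token because its NotBefore lies in the host's future; a host clock that runs ahead by more than the token lifetime rejects it as expired. Either direction produces the "Invalid timestamp" line, so check the sign of the offset rather than assuming which side is wrong.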

Additional Information