Error "Cannot configure identity source due to Invalid certificate bytes" when configuring LDAPS in vCenter

Article ID: 407632

Products

VMware vCenter Server

Issue/Introduction

  • When attempting to configure an identity source of type Active Directory over LDAPS in vCenter, the operation fails with the following error message: "Cannot configure identity source due to Invalid certificate bytes"
  • The vSphere Client log reports a matching error:

    /var/log/vmware/vsphere-ui/logs/vsphere_client_virgo.log:

[YYYY-MM-DDTHH:MM:SS.SSSZ] [ERROR] tp-nio-127.0.0.1-5090-exec-1 com.vmware.vsphere.client.h5.pscui.controller.PscController  
Error while adding new Identity Source : sysops.local java.lang.IllegalArgumentException: Invalid certificate bytes



Cause

This issue occurs when the certificate chain provided for LDAPS configuration is invalid or incomplete due to missing intermediate or root certificates in the chain.

Resolution

  • To resolve the issue, build a complete certificate chain that contains the leaf (end-entity) certificate together with the intermediate and root certificates that issued it, and then reconfigure the LDAPS identity source in vCenter.

  • For detailed instructions on extracting and configuring the certificate, refer to the KB article:  “Configuring a vCenter Single Sign-On Identity Source using LDAP with SSL (LDAPS)”

  • Once the certificate is saved as a .cer file, verify the chain using the Windows Certificate Viewer:

    1. Locate the .cer file in File Explorer.

    2. Double-click the file to open the Certificate Viewer.

    3. Go to the Certification Path tab to view the full chain of trust, from the leaf certificate up to the root CA. 

    4. Locate the certificate with Issued To: yourserver.example.com — this is the leaf certificate.

      Next, identify the certificate whose Issued To value matches the Issued By of the leaf certificate — this is the intermediate certificate.

      Finally, find the certificate where the Issued To and Issued By fields are identical — this represents the root certificate.

    5. Export each certificate and save them together in one .cer file, in the following order:

       -----BEGIN CERTIFICATE-----
       <alphanumeric certificate characters>       <----- Leaf Certificate
       -----END CERTIFICATE-----
       -----BEGIN CERTIFICATE-----
       <alphanumeric certificate characters>       <----- Intermediate Certificate
       -----END CERTIFICATE-----
       -----BEGIN CERTIFICATE-----
       <alphanumeric certificate characters>       <----- Root Certificate
       -----END CERTIFICATE-----

       NOTE: If multiple intermediate certificates exist, include all of them in sequence, below the leaf certificate and above the root certificate.

  • Continue with LDAPS configuration using the updated certificate.
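As an added check that is not part of this article: the POSIX shell function below, run on any host with the openssl command line tool, walks the certificates in a saved .cer bundle in file order and confirms that each certificate is issued by the one that follows it and that the bundle ends with a self-signed root, i.e. the order required in step 5. The function name and the bundle path are assumptions; the article itself only describes the check in the Windows Certificate Viewer.

```shell
#!/bin/sh
# check_chain_order BUNDLE.cer
# Exit 0 when the PEM bundle is ordered leaf -> intermediate(s) -> root,
# 1 when a certificate is out of place, unparsable, or the root is missing.
check_chain_order() {
  bundle=$1
  tmp=$(mktemp -d) || return 2
  # Split the bundle into cert.1, cert.2, ... in the order they appear.
  awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (dir "/cert." n)}' "$bundle"
  count=$(ls "$tmp" | wc -l | tr -d ' ')
  rc=0
  if [ "$count" -eq 0 ]; then
    echo "no PEM certificates found in $bundle"; rc=1
  fi
  prev_issuer=""; i=1
  while [ "$rc" -eq 0 ] && [ "$i" -le "$count" ]; do
    f="$tmp/cert.$i"
    # Strip the "subject=" / "issuer=" prefixes so the two DNs compare directly.
    subj=$(openssl x509 -in "$f" -noout -subject 2>/dev/null | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$f" -noout -issuer 2>/dev/null | sed 's/^issuer= *//')
    if [ -z "$subj" ] || [ -z "$iss" ]; then
      echo "certificate $i could not be parsed (invalid certificate bytes?)"; rc=1
    elif [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subj" ]; then
      # Certificate i must be the issuer of certificate i-1.
      echo "certificate $i ($subj) is not the issuer of certificate $((i-1)); expected '$prev_issuer'"; rc=1
    else
      echo "certificate $i: subject='$subj' issuer='$iss'"
    fi
    prev_issuer=$iss; i=$((i+1))
  done
  # The last certificate must be self-signed, otherwise the root CA is missing.
  if [ "$rc" -eq 0 ] && [ "$prev_issuer" != "$subj" ]; then
    echo "last certificate is not self-signed: root CA is missing from the bundle"; rc=1
  fi
  rm -rf "$tmp"
  return "$rc"
}

# Usage: sh check_chain.sh /path/to/ldaps-chain.cer (path is a placeholder)
if [ "$#" -gt 0 ]; then check_chain_order "$1"; fi
```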