Renewing the vCenter certificate failed with error "[CERTIFICATE] Replace cert Failed: Certificate not found for given ID (Private Key not found in VECS store)"
Article ID: 407840
Updated On:
Products
Issue/Introduction
While attempting to replace the certificate using the option “Replace with external CA certificate (requires private keys)”, the operation failed with the following error:
[CERTIFICATE] Replace cert Failed: Certificate not found for given ID (Private Key not found in VECS store)
Environment
-
VMware vCenter Server 7.x
-
VMware vCenter Server 8.x
Cause
This issue occurs if there is a problem with the certificate chain, such as a missing certificate in the chain or any extra spaces within the certificate file.
Resolution
Note: Please take an offline snapshot if the vCenter is in linked mode, or an online snapshot if the vCenter is standalone.
- Open the certificate which received from the authority.
- In the wizard, select "Base-64 encoded X.509 (.CER)" as the export file format.
- Example :
1. Export Certificates:
Export the certificate files individually — Root, Intermediate, and SSL — from the certificate path provided by the certificate authority. Save each file with the .cer extension.
2. Create the Machine Certificate:
-
-
Open each certificate in a text editor (e.g., Notepad).
-
Merge the certificates in the following order: SSL → Intermediate → Root.
-
Ensure there are no extra spaces between the certificates.
-
Save the merged file with the
.cerextension. This will serve as the Machine Certificate.
-
3. Create the Chain Certificate:
-
-
Open the Intermediate and Root certificates in a text editor.
-
Merge the certificates in the following order: Intermediate → Root.
-
Save the merged file with the
.cerextension. This will serve as the Chain Certificate.
-
4. Replace Certificate via UI:
-
-
From the vCenter UI, select: “Replace with external CA certificate (requires private keys)”.
-
Upload the Machine Certificate and Chain Certificate created above.
-
Feedback
