Machine SSL certificate renew operation fails with the error: "The TLS certificate on this node is not VMCA generated and the renew operation is not supported for third party CA issued certificates"



Article ID: 411261


Updated On:

Products

VMware vCenter Server

Issue/Introduction

After performing a cross domain repoint operation, the Machine SSL certificate renew operation fails with the error: "The TLS certificate on this node is not VMCA generated and the renew operation is not supported for third party CA issued certificates".

This error can also occur when the cross domain repoint was performed some time ago, not only immediately after it.

Note: The cause and resolution in this article apply only if a cross domain repoint operation was performed on the vCenter Server.

For more information on the cross domain repoint operation, see Repoint vCenter Server to Another vCenter Server in a Different Domain.

Environment

vCenter Server 6.7 and above.

Cause

After a cross domain repoint operation, vmafd-firstboot runs again and creates a new VMCA signing certificate, and the previous VMCA certificate is lost as a signing certificate. It is retained in the TRUSTED_ROOTS store, but VMCA no longer uses it to sign new certificates.

Because the existing Machine SSL certificate was issued by that previous VMCA certificate rather than by the current one, the renew API does not recognise it as VMCA generated and fails with the error above.
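As an added example (not from this article), the following shell check tells the situation described above apart from a genuine third-party certificate: it reports whether the Machine SSL certificate was signed by the CA the current VMCA uses, by an older root retained in TRUSTED_ROOTS, or by neither. It assumes the openssl CLI is available; the vecs-cli and certool paths are the usual vCenter Server Appliance locations and are assumptions, used only by collect_from_vcsa.

```shell
#!/bin/sh
# Added example, not from the KB article: tell whether the Machine SSL
# certificate was issued by the CA the current VMCA uses, or by an older
# VMCA root that only survives in TRUSTED_ROOTS (the state described above).
# Assumes the openssl CLI; the vecs-cli/certool paths are the usual vCenter
# Server Appliance locations (assumed) and are only used by collect_from_vcsa.

# Exit 0 if LEAF's signature chains to ROOT (a single self-signed CA PEM).
signed_by() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Print "current-vmca" if CURRENT_ROOT signed LEAF (renew will work),
# "retained-root" if another root in ROOTS_DIR signed it (the repoint case),
# or "unknown-issuer" if none of them did (a third-party CA certificate).
classify() {
  leaf="$1"; current="$2"; dir="$3"
  if signed_by "$leaf" "$current"; then
    echo current-vmca; return 0
  fi
  for root in "$dir"/*.pem; do
    if [ -f "$root" ] && signed_by "$leaf" "$root"; then
      echo retained-root; return 0
    fi
  done
  echo unknown-issuer
}

# Export the live certificates from a vCenter Server Appliance into OUT_DIR
# (assumed tool paths; run as root on the appliance).
collect_from_vcsa() {
  out="${1:-/tmp/certcheck}"; mkdir -p "$out/roots"
  vecs=/usr/lib/vmware-vmafd/bin/vecs-cli
  "$vecs" entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT > "$out/machine.pem"
  /usr/lib/vmware-vmca/bin/certool --getrootca > "$out/vmca-current.pem"
  n=0
  "$vecs" entry list --store TRUSTED_ROOTS --text | sed -n 's/^Alias *:[[:space:]]*//p' |
  while read -r alias; do
    n=$((n + 1))
    "$vecs" entry getcert --store TRUSTED_ROOTS --alias "$alias" > "$out/roots/root$n.pem"
  done
}

# On an appliance:
#   collect_from_vcsa /tmp/certcheck
#   classify /tmp/certcheck/machine.pem /tmp/certcheck/vmca-current.pem /tmp/certcheck/roots
```

A result of retained-root means the certificate chains to an old VMCA root and the renew API will keep refusing it; a result of current-vmca means the renew operation should succeed.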

Resolution

Currently, there is no resolution.

Workaround:

To work around this issue, replace the Machine SSL certificate with a new TLS certificate signed by the current VMCA signing certificate.

Log in to the UI as administrator and then navigate to
Menu -> Administration -> Certificate Management -> MACHINE_SSL_CERT tab -> Actions -> Import and replace certificate -> Replace with VMCA (the first option)

Additional Information