vCenter upgrade to 8.0 fails at precheck with "The certificate with subject 'cert_details' in VECS store KMS_ENCRYPTION has weak signature algorithm"

Article ID: 411409

Products

VMware vCenter Server

Issue/Introduction

  • A vCenter Server 8.0 upgrade attempt fails at the precheck stage with the following error:

Support for certificates with weak signature algorithms has been removed in vCenter Server 8.0. The certificate with subject '/C=##/O=##, ##./OU=See #####/OU=(c) ###, ###. - for authorized use only/CN=### - G3' in VECS store KMS_ENCRYPTION has weak signature algorithm sha1WithRSAEncryption.

Environment

VMware vCenter 8.x

Cause

vCenter Server has been configured with an external (standard) key provider whose certificate is signed with a SHA-1 based signature algorithm (sha1WithRSAEncryption). vCenter Server 8.0 no longer accepts certificates with weak signature algorithms, so the upgrade precheck flags the certificate held in the VECS store KMS_ENCRYPTION. The subject quoted in the error identifies the exact certificate; it may be a CA certificate in the KMS trust chain rather than the KMS server's own certificate, so the replacement chain must be SHA-2 signed end to end.

For more details, refer to the VMware vSphere 8.0 Release Notes.

Resolution

To resolve this issue, engage the KMS vendor to re-issue the KMS certificate (and any CA certificates in its chain) signed with a SHA-2 algorithm such as SHA-256, then update it on vCenter Server:

  1. Log in to the vCenter Server with the vSphere Web Client and select the vCenter Server object in the inventory list.
  2. Click Configure, then click Key Providers.
  3. Select the KMS instance used by vCenter.
  4. Select Establish Trust -> Make KMS Trust vCenter.
  5. Select the option to use the KMS certificate and private key.
  6. Paste the KMS public certificate obtained from the KMS server and the KMS private key.

To work around this issue instead:

  1. Add a new key provider (a standard key provider with a SHA-256 signed certificate, or a vSphere Native Key Provider) and set it as the default.
  2. Re-encrypt the virtual machines that were encrypted with the old KMS server using the new default key provider:
    1. Browse the inventory list and select the encrypted virtual machine.
    2. Right-click the encrypted virtual machine and select VM Policies.
    3. Select Re-encrypt and click Yes.
  3. Delete the old KMS server only after every virtual machine that used it has been re-encrypted, because a VM whose keys exist only on the deleted provider can no longer be powered on:
    1. Go to Key Providers under the vCenter Server instance.
    2. Select the standard key provider you want to delete.
    3. Click Delete, read the warning message, slide the slider all the way to the right, and click Delete again.

After completing the above steps, continue with the vCenter Server upgrade workflow.
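As an added check (an example script, not part of this KB), the following bash script, run from the vCenter Server Appliance shell as root, dumps the KMS_ENCRYPTION VECS store with vecs-cli and flags any certificate whose signature algorithm the 8.0 precheck rejects. It identifies which certificate in the chain is the one named in the error, and re-running it after either the resolution or the workaround confirms the store is clean before restarting the upgrade. It assumes the vecs-cli path on the appliance and the text layout of `openssl x509 -text`; the function names are the example's own, and the weak-algorithm list adds ecdsa-with-SHA1 and md5WithRSAEncryption (assumed weak) to the sha1WithRSAEncryption quoted in the error.

```shell
#!/bin/bash
# Added example (not from the KB): list the certificates in a VECS store on the
# vCenter Server Appliance and flag any whose signature algorithm the 8.0
# precheck rejects. vecs-cli and openssl are the real tools on the appliance;
# the store defaults to KMS_ENCRYPTION as named in the error. The function
# names, and the inclusion of ecdsa-with-SHA1 and md5WithRSAEncryption next to
# the sha1WithRSAEncryption quoted in the KB, are this example's assumptions.

VECS_CLI=/usr/lib/vmware-vmafd/bin/vecs-cli
STORE=${1:-KMS_ENCRYPTION}

# Read `openssl x509 -noout -text` output on stdin, print the certificate's
# signature algorithm, and return 0 when it is a weak (SHA-1/MD5) algorithm.
# openssl prints "Signature Algorithm:" twice (in the TBS part and again before
# the signature value); both name the same algorithm, so the first is used.
check_sigalg() {
    local alg
    alg=$(sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' | head -n 1)
    printf '%s\n' "$alg"
    case "$alg" in
        sha1WithRSAEncryption|ecdsa-with-SHA1|md5WithRSAEncryption) return 0 ;;
        *) return 1 ;;
    esac
}

# Dump every certificate in the store, split the PEM blocks into files, and
# report subject and algorithm for each one. Returns 0 if any weak certificate
# was found, so `scan_store KMS_ENCRYPTION && echo "fix before upgrading"`
# works as a gate in a pre-upgrade script.
scan_store() {
    local store=$1 tmp pem alg found=1
    tmp=$(mktemp -d)
    "$VECS_CLI" entry list --store "$store" --text |
        awk -v d="$tmp" '
            /-----BEGIN CERTIFICATE-----/ { n++; f = d "/" n ".pem" }
            f != ""                       { print > f }
            /-----END CERTIFICATE-----/   { close(f); f = "" }'
    for pem in "$tmp"/*.pem; do
        [ -e "$pem" ] || continue
        if alg=$(openssl x509 -in "$pem" -noout -text | check_sigalg); then
            printf 'WEAK  %-24s %s\n' "$alg" "$(openssl x509 -in "$pem" -noout -subject)"
            found=0
        else
            printf 'ok    %-24s %s\n' "$alg" "$(openssl x509 -in "$pem" -noout -subject)"
        fi
    done
    rm -rf "$tmp"
    return $found
}

# Only scan when running on the appliance itself (vecs-cli present).
if [ -x "$VECS_CLI" ]; then
    scan_store "$STORE"
fi
```

Usage on the appliance: `bash vecs-sigalg-check.sh KMS_ENCRYPTION`; pass another store name (for example TRUSTED_ROOTS) to check other stores the same way.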



Additional Information