The Endorsement Key Certificate does not match Trusted Platform Module
Article ID: 412649
Products

VMware vCenter Server

Issue/Introduction

When replacing vTPM certificates for a virtual machine, the vSphere Client reports the error "The Endorsement Key Certificate does not match Trusted Platform Module".

The ESXi hostd log reports the same error: "Set EK certificate message: The Endorsement Key Certificate does not match Trusted Platform Module".

Log file: /var/log/hostd.log

YYYY-MM-DDTHH:MM:19.947Z Db(167) Hostd[2000000]: [Originator@6876 sub=Vigor.Vmsvc.vm:/vmfs/volumes/UUID/VM/VM.vmx opID=xxxx-1234-auto-xxx-h5:11111 sid=111111 user=vpxuser:username] Set EK certificate message: The Endorsement Key Certificate does not match Trusted Platform Module.


Environment

vCenter Server 7.x and 8.x

Cause

The CA-signed certificate was not issued for the Certificate Signing Request (CSR) that was generated for this VM's vTPM, so the public key in the certificate does not correspond to the endorsement key the CSR was created for.

Resolution

Validate the CA-signed certificate against the CSR on the VM

  • Download the CSR using the vSphere Client:
    vSphere Inventory -> VM -> Configure -> TPM -> Signing Requests -> select each Type and export the CSR.
    Example filename: sha256WithRSAEncryption.csr
  • Use openssl on the vCenter Server appliance to print the public key contained in the exported CSR file:

    $ openssl req -in sha256WithRSAEncryption.csr -pubkey -text

    -----BEGIN PUBLIC KEY-----
    Random
    string==
    -----END PUBLIC KEY-----
    ....
  • Use openssl to extract the public key from the CA-signed certificate:

    $ openssl x509 -in CASignedCert.cer -noout -pubkey -text

    -----BEGIN PUBLIC KEY-----
    Random
    string==
    -----END PUBLIC KEY-----
    ....
  • The public key in the CSR and the public key in the CA-signed certificate must be identical. If they do not match, the certificate was issued for a different request; use the exported CSR to request a new certificate from the CA.
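The comparison above can be scripted rather than done by eye. The following is an added example, not part of the KB article or of any VMware tooling: it fingerprints the public key of a CSR and of a certificate with openssl and reports whether they match. It assumes openssl is on PATH; the key pairs, the throwaway CA and the file names it creates are constructed stand-ins for the exported vTPM CSR and the CA-issued certificate.

```shell
# Added example (not from the KB): automate the article's manual check by
# comparing the public key in the exported vTPM CSR with the public key in
# the CA-signed certificate. Assumes openssl is on PATH.

# pubkey_fingerprint FILE KIND   (KIND is "req" for a CSR, "x509" for a certificate)
# Prints the SHA-256 digest of the DER-encoded SubjectPublicKeyInfo, so the two
# PEM blocks the article says to compare become one short string each.
pubkey_fingerprint() {
  openssl "$2" -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -r | cut -d' ' -f1
}

# ek_cert_matches_csr CSR CERT
# Returns 0 when the certificate was issued for this CSR (same public key) and
# 1 when the CA signed some other request, which is the article's "Cause".
ek_cert_matches_csr() {
  csr_fp=$(pubkey_fingerprint "$1" req)
  crt_fp=$(pubkey_fingerprint "$2" x509)
  if [ "$csr_fp" = "$crt_fp" ]; then
    echo "MATCH    $csr_fp"
    return 0
  fi
  echo "MISMATCH csr=$csr_fp cert=$crt_fp (request a new certificate using the exported CSR)"
  return 1
}

# make_demo_material DIR
# Constructed stand-ins for the real files: a "vTPM" CSR, a throwaway CA, a
# certificate issued for that CSR (good.cer) and one issued for a different
# key pair (bad.cer). Real vTPM CSRs are exported from the vSphere Client.
make_demo_material() {
  d=$1
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/ek.key" \
    -subj "/CN=vtpm-ek" -out "$d/sha256WithRSAEncryption.csr" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" \
    -subj "/CN=Demo CA" -days 1 -out "$d/ca.cer" 2>/dev/null
  openssl x509 -req -in "$d/sha256WithRSAEncryption.csr" -CA "$d/ca.cer" \
    -CAkey "$d/ca.key" -CAcreateserial -days 1 -out "$d/good.cer" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/other.key" \
    -subj "/CN=vtpm-ek" -out "$d/other.csr" 2>/dev/null
  openssl x509 -req -in "$d/other.csr" -CA "$d/ca.cer" \
    -CAkey "$d/ca.key" -CAcreateserial -days 1 -out "$d/bad.cer" 2>/dev/null
}

DEMO_DIR=$(mktemp -d)
make_demo_material "$DEMO_DIR"
ek_cert_matches_csr "$DEMO_DIR/sha256WithRSAEncryption.csr" "$DEMO_DIR/good.cer"
ek_cert_matches_csr "$DEMO_DIR/sha256WithRSAEncryption.csr" "$DEMO_DIR/bad.cer" || true
```

To check a real VM, point ek_cert_matches_csr at the CSR exported from the vSphere Client and the certificate returned by the CA; a MISMATCH means the certificate will be rejected with the error in this article.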

Additional Information