Deployment of VMware Identity Manager from Aria Suite Lifecycle Manager is failing during the precheck stage with a “Firewall check on all hosts” error caused by data validation issues.


Article ID: 413540


Products

VCF Operations/Automation (formerly VMware Aria Suite)

Issue/Introduction

  • Navigating to Aria Suite Lifecycle UI > Create Environment, the precheck fails at the step “Firewall check on all the hosts”, referencing the datacenter and cluster name.

  • The /var/log/vrlcm/vmware-vrlcm.log shows the following certificate-related error: "Certificate doesn't support 'digitalSignature' KeyUsage"

2025-10-07T10:30:25.788Z ERROR vrlcm[1309] [pool-3-thread-37] [c.v.v.l.d.c.v.i.ClusterValidator]  -- Exception occurred while validating esx hosts connection from VMware Aria Suite Lifecycle VA
org.bouncycastle.tls.TlsFatalAlert: certificate_unknown(46)
        at org.bouncycastle.jsse.provider.ProvSSLSocketDirect.checkServerTrusted(ProvSSLSocketDirect.java:134) ~[bctls-jdk15on-1.65.jar:1.65.00.0]
        at org.bouncycastle.jsse.provider.ProvTlsClient$1.notifyServerCertificate(ProvTlsClient.java:251) ~[bctls-jdk15on-1.65.jar:1.65.00.0]
        
Caused by: java.security.cert.CertificateException: Certificates do not conform to algorithm constraints

        at org.bouncycastle.jsse.provider.ImportX509TrustManager_5.checkAlgorithmConstraints(ImportX509TrustManager_5.java:107) ~[bctls-jdk15on-1.65.jar:1.65.00.0]
        at org.bouncycastle.jsse.provider.ImportX509TrustManager_5.checkAdditionalTrust(ImportX509TrustManager_5.java:87) ~[bctls-jdk15on-1.65.jar:1.65.00.0]
Caused by: java.security.cert.CertPathValidatorException: Certificate doesn't support 'digitalSignature' KeyUsage
        at org.bouncycastle.jsse.provider.ProvAlgorithmChecker.checkEndEntity(ProvAlgorithmChecker.java:200) ~[bctls-jdk15on-1.65.jar:1.65.00.0]
        at org.bouncycastle.jsse.provider.ProvAlgorithmChecker.checkChain(ProvAlgorithmChecker.java:180) ~[bctls-jdk15on-1.65.jar:1.65.00.0]

  • The certificate on the ESXi hosts does not list digitalSignature in its Key Usage extension.
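A quick way to confirm the condition described above, as an added example that is not part of this KB: the function below reads a certificate's X509v3 Key Usage extension with openssl and reports whether digitalSignature is present. The two self-signed certificates are constructed test data (one missing the bit, one carrying it), and the host name shown for the remote check is a placeholder.

```shell
#!/bin/sh
# Added example (not from the KB): check whether a certificate's Key Usage
# extension includes digitalSignature, the bit the BouncyCastle TLS check
# in the log expects on the ESXi host certificate. Needs openssl 1.1.1+.

# Return 0 if the PEM certificate in $1 has "Digital Signature" in its
# X509v3 Key Usage extension, 1 if the extension is absent or lacks the bit.
has_digital_signature() {
    ku=$(openssl x509 -in "$1" -noout -text 2>/dev/null \
         | awk '/X509v3 Key Usage/ {getline; print; exit}')
    case "$ku" in
        *"Digital Signature"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Save the leaf certificate presented by a TLS endpoint ($1 = host:port) to $2.
# Placeholder usage: fetch_leaf_cert esxi01.example.com:443 esxi01.pem
fetch_leaf_cert() {
    openssl s_client -connect "$1" -servername "${1%%:*}" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$2"
}

# Build a self-signed certificate whose keyUsage is $1 into $2 (constructed
# test data; the subject is a placeholder, the key is discarded afterwards).
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=esxi-test.example" -addext "keyUsage = $1" \
        -keyout "$2.key" -out "$2" >/dev/null 2>&1
}

main() {
    tmp=$(mktemp -d)
    make_test_cert "keyEncipherment" "$tmp/missing.pem"
    make_test_cert "digitalSignature, keyEncipherment" "$tmp/present.pem"
    for c in missing present; do
        if has_digital_signature "$tmp/$c.pem"; then
            echo "$c.pem: digitalSignature present"
        else
            echo "$c.pem: digitalSignature MISSING (matches the KB failure)"
        fi
    done
    rm -rf "$tmp"
}

main
```

Against a live host, run `fetch_leaf_cert <host>:443 host.pem` from the Aria Suite Lifecycle appliance and then `has_digital_signature host.pem`.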

Environment

Aria Suite Lifecycle Manager 8.18

VMware Identity Manager 3.3.7

Cause

The ESXi host certificate does not contain the ‘digitalSignature’ parameter in the KeyUsage section of the certificate.

Resolution

To resolve this issue, add the ‘digitalSignature’ parameter to the KeyUsage section of the ESXi host certificate.

For detailed instructions, refer to the following KB:

https://knowledge.broadcom.com/external/article/400932/importing-the-ovf-package-fails-with-the.html