"The provided certificate signing chain is not complete", certificate replacement using vCert fails with incomplete chain error
search cancel

"The provided certificate signing chain is not complete", certificate replacement using vCert fails with incomplete chain error

book

Article ID: 413847

calendar_today

Updated On:

Products

VMware vCenter Server

Issue/Introduction

  • Machine SSL Certificate replacement on vCenter Server using vCert tool fails with error message "The provided certificate signing chain is not complete".

  • Following options are used to replace the Certificate with CA Signed certificate.

    • Option 3 to Manage certificates.
      • Option 1 for Machine SSL certificate.
        • Option 2 to Replace Machine SSL certificate with a CA-signed certificate.
          • Option 1 to Generate Certificate Signing Request and Private Key.

  • After entering the certificate path, it fails with below errors :

    Provide path to the Certificate Authority chain: /root/<machine_ssl_chain_filename>.cer

    The provided certificate signing chain is not complete!

    [ ! ] USERTrust RSA Certification Authority  |_[ + ] InCommon RSA Server CA 2      |_[ + ] <VC Certificate Subject>
    Please ensure that the following certificate (and its issuers, if any) are included in the signing CA chain:   Subject: C=##, ST=### ###, L=#### ####, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority

Cause

  • This issue was caused due to missing USERTrust RSA Certificate Authority in the certificate chain or the certificates are not in the correct order.

  • Subject Key Identifier and Authority Key Identifier of each certificate in the chain will help to confirm the full chain is in correct order. The leaf certificate Authority Key Identifier should be equal to the Subject Key identifier of the Intermediate Root Certificate and Subject Key Identifier of Intermediate Root Certificate should be equal to the Subject Key identifier of Root Certificate.


Resolution

Create Machine SSL Certificate chain in below order and use that certificate chain during vCert certificate replacement workflow.

  1. Machine SSL Certificate issued for "vCenter Server"
  2. Intermediate Root Certificate (InCommon RSA Server CA 2)
  3. Root Certificate (USERTrust RSA Certification Authority)

Additional Information

Follow below steps to save the Certificate files and create full chain in above format.

  1. Save all the Certificates as individual files

    • Open (double+click) vCenter Server machine ssl certificate from local desktop.
    • Click on the tab Certification Path
    • Select the Intermediate Certificate "Incommon RSA Server CA 2"
    • Click on Details -> Copy to File
    • Select Base-64 encoded X.509 (.CER) and saved the file as "intermediate.cer"
    • Click on Certification Path tab of the same Intermediate certificate
    • Select the Root Certificate with name "Sectigo"
    • Click on Details -> Copy to File
    • Select Base-64 encoded X.509 (.CER) and saved the file as "root.cer"

  2. Create chain using the certificate files
    1. Open the file for Machine SSL certificate in Notepad++
    2. Copy the Certificate string
    3. Create a new file and paste the contents copied from above step
    4. Open intermediate.cer in Notepad++
    5. Copy the certificate string
    6. Paste the contents in same file created in step 3, paste it below the first certificate
    7. Open root.cer in Notepad++
    8. Copy the certificate string
    9. Paste the contents in same file created in step 3, paste it below the 2nd certificate
    10. Save the file created in Step 3 as "certificate_chain.cer" or any other name to easily identify the certificate chain.
    11. Use the chain while replacing the certificate.
Powered by Wolken Software