vCenter Upgrade Pre-Check Failure: Certificate Authority Parameter Check (LEAF!) Error

Article ID: 414687

Updated On:

Products

VMware vCenter Server

Issue/Introduction

During a vCenter upgrade pre-check, the following error may occur:

[FAIL] Certificate Authority Parameter Check (LEAF!)  
Certificate is NOT a certificate authority! It must be removed.

This occurs when a certificate in the vCenter TRUSTED_ROOTS store is incorrectly marked as a Certificate Authority (CA) but is actually a leaf (end-entity) certificate. Such certificates cause the upgrade pre-check to fail.

Environment

VMware vCenter Server 

Cause

The vCenter certificate store contained a certificate incorrectly marked as a Certificate Authority (CA), but it was actually a leaf certificate.


Certificate Example From VDT Script:

    • 0#################################edfd14
        [PASS]    Certificate Algorithm Check
        [PASS]    Certificate Trust Check (TRUSTED|VMCA-SIGNED)
                    Issuer Alias/Thumbprint: #################################:32:78
                    Issuer DN:CN=CA, DC=vsphere, DC=local, C=US, ST=California, O=ERPRDVMVCV01, OU=VMware
        [PASS]    Certificate Expiration Check - (Expires 04-15-2027)
        [FAIL]    Certificate Authority Parameter Check (LEAF!)
                    Certificate is NOT a certificate authority!  It must be removed.
                    Documentation:     https://knowledge.broadcom.com/external/article?legacyId=2146011
        [INFO]    Certificate DN
                    CN=ssoserver
During vSphere upgrade pre-checks, all certificates in the TRUSTED_ROOTS store are validated. If a non-CA (leaf) certificate exists in this store, the pre-check fails, triggering the observed error.

Resolution

Step 1: Validate the problematic certificate using Certificate Manager:

/usr/lib/vmware-vmca/bin/certificate-manager

  • Review the trusted root store and identify any certificate that is not marked as CA: TRUE.

Step 2: Take a snapshot of vCenter before making any changes.

Step 3: Remove the invalid certificate using CLI:

List entries in TRUSTED_ROOTS:
/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS

Delete the problematic certificate (replace <alias_name> with the alias shown in the listing above):
/usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store TRUSTED_ROOTS --alias <alias_name> -y

Confirm removal (the entry should no longer appear in the listing):
/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS

Step 4: Re-run the vCenter upgrade pre-check script to confirm that the error is resolved.
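The check the pre-check performs (described under Cause) and the identification task in Step 1 can be reproduced offline with openssl. The script below is an added example, not part of this KB article or of VMware's tooling: it scans a directory of PEM files (for instance each TRUSTED_ROOTS entry exported with vecs-cli entry getcert, an export step this example assumes but does not run) and reports, in VDT-style output, every certificate that does not carry basicConstraints CA:TRUE, which is exactly what VDT flags as LEAF!. The function names, the throwaway demo store and the two self-signed certificates it generates are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the KB article or VMware): reproduce the VDT
# "Certificate Authority Parameter Check" offline with openssl.
# Input is a directory of PEM files, e.g. each TRUSTED_ROOTS entry exported with
#   vecs-cli entry getcert --store TRUSTED_ROOTS --alias <alias> --output <alias>.pem
# (assumed export step, not exercised here). Requires openssl and mktemp.

# Succeed (0) only when the certificate carries basicConstraints CA:TRUE.
# A certificate with CA:FALSE, or with no Basic Constraints extension at all, is a leaf.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Print the number of non-CA certificates among the *.pem files in a directory.
count_leaf_certs() {
    n=0
    for f in "$1"/*.pem; do
        [ -e "$f" ] || continue
        is_ca_cert "$f" || n=$((n + 1))
    done
    echo "$n"
}

# Print one VDT-style line per certificate; return 1 if any leaf is present,
# which is the condition that fails the upgrade pre-check.
scan_trusted_roots() {
    rc=0
    for f in "$1"/*.pem; do
        [ -e "$f" ] || continue
        subject=$(openssl x509 -in "$f" -noout -subject 2>/dev/null)
        if is_ca_cert "$f"; then
            printf '[PASS] %s  %s\n' "$(basename "$f")" "$subject"
        else
            printf '[FAIL] %s  %s  Certificate Authority Parameter Check (LEAF!) - remove from TRUSTED_ROOTS\n' \
                "$(basename "$f")" "$subject"
            rc=1
        fi
    done
    return $rc
}

# Constructed test data: a self-signed certificate with an explicit basicConstraints
# value (TRUE for a root CA, FALSE for a leaf such as ssoserver).
make_cert() {
    out=$1 cn=$2 ca=$3
    cnf=$(mktemp)
    cat >"$cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3
[dn]
CN = $cn
[v3]
basicConstraints = critical,CA:$ca
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$cnf" \
        -keyout "${out%.pem}.key" -out "$out" >/dev/null 2>&1
    rm -f "$cnf"
}

# Build a throwaway store with one genuine root CA and one mis-filed leaf; print its path.
make_demo_store() {
    dir=$(mktemp -d)
    make_cert "$dir/root.pem" "Demo Root CA" TRUE
    make_cert "$dir/ssoserver.pem" "ssoserver" FALSE
    echo "$dir"
}

# Usage: sh check_trusted_roots.sh /path/to/exported/pems
# With no argument, the constructed demo store is scanned instead.
if [ -n "${1:-}" ]; then
    scan_trusted_roots "$1"
else
    demo=$(make_demo_store)
    scan_trusted_roots "$demo" || echo "leaf certificate(s) found in $demo; the pre-check would fail"
    rm -rf "$demo"
fi
```

The script only reports; removal remains the vecs-cli delete in Step 3, after the snapshot in Step 2. Note that a certificate with no Basic Constraints extension at all is also treated as a leaf, which matches how an end-entity certificate that was imported into TRUSTED_ROOTS by mistake usually looks.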

Additional Information