vCenter Upgrade Pre-Check Failure: Certificate Authority Parameter Check (LEAF!) Error

Article ID: 414687


Products

VMware vCenter Server

Issue/Introduction

During a vCenter upgrade pre-check, the following error may occur:

[FAIL] Certificate Authority Parameter Check (LEAF!)  
Certificate is NOT a certificate authority! It must be removed.

This occurs when the TRUSTED_ROOTS store, which should hold only Certificate Authority (CA) certificates, contains a leaf (end-entity) certificate: one whose X.509 Basic Constraints extension is absent or does not say CA:TRUE. The pre-check validates every entry in the store, so a single leaf certificate is enough to make it fail.

Environment

VMware vCenter Server 

Cause

The vCenter TRUSTED_ROOTS store contained a leaf certificate instead of a CA certificate. In the example below it is a VMCA-signed certificate with subject CN=ssoserver, which belongs in a machine or solution user store, not among the trusted roots.


Certificate example from the vSphere Diagnostic Tool (VDT) certificate check (alias and thumbprint masked in this example):

            • 0#################################edfd14
                [PASS]    Certificate Algorithm Check
                [PASS]    Certificate Trust Check (TRUSTED|VMCA-SIGNED)
                            Issuer Alias/Thumbprint: #################################:32:78
                            Issuer DN:CN=CA, DC=vsphere, DC=local, C=US, ST=California, O=Organization, OU=VMware
                [PASS]    Certificate Expiration Check - (Expires MM-DD-YYYY)
                [FAIL]    Certificate Authority Parameter Check (LEAF!)
                            Certificate is NOT a certificate authority!  It must be removed.
                            Documentation:     https://knowledge.broadcom.com/external/article?legacyId=2146011
                [INFO]    Certificate DN
                            CN=ssoserver
During vSphere upgrade pre-checks, every certificate in the TRUSTED_ROOTS store is validated, and the CA check fails for any entry that is not a CA certificate. If a leaf certificate is present in the store, the pre-check fails with the error above. The same check is run by VDT, which is why it reports the same entry.

Resolution

The recommended approach is the vCert tool, which checks the vCenter certificate stores and can manage the certificates in them:

vCert - Scripted vCenter expired certificate replacement

If you are not using vCert, the same cleanup can be done manually with vecs-cli and dir-cli as follows:

  1. Connect to the vCenter Server Appliance (VCSA) through SSH and open a shell.

  2. Take a snapshot of vCenter before making any changes.

  3. List the TRUSTED_ROOTS store and locate the entry reported by the pre-check (the VDT output shows its alias and subject DN):
    /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS

     To see the decoded certificates, including the X509v3 Basic Constraints extension, add --text:
    /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS --text

     Any entry whose Basic Constraints do not read CA:TRUE is a leaf certificate and does not belong in this store. Remove only such entries; the CA certificates that the current machine and solution user certificates chain to must stay.

  4. Back up the certificate to be removed into a file under /root/:
    /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store TRUSTED_ROOTS --alias <alias-id> --output /root/<alias-id>.cer

     Confirm that it really is a leaf before going further:
    openssl x509 -in /root/<alias-id>.cer -noout -subject -text | grep -A1 'Basic Constraints'

  5. Unpublish the certificate from the directory (vmdir). This step matters: TRUSTED_ROOTS in VECS is synchronized from vmdir, so a certificate that is only deleted from VECS comes back on the next refresh. dir-cli prompts for the SSO administrator password:
    /usr/lib/vmware-vmafd/bin/dir-cli trustedcert unpublish --cert /root/<alias-id>.cer

  6. Remove the invalid certificate from the VECS store:
    /usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store TRUSTED_ROOTS --alias <alias-id>

  7. Force-refresh VECS from the directory to sync the change:
    /usr/lib/vmware-vmafd/bin/vecs-cli force-refresh

  8. Restart the vCenter services so that all of them pick up the changed store:
    service-control --stop --all && service-control --start --all

  9. Re-run the vCenter upgrade pre-check, or VDT, and confirm that the Certificate Authority Parameter Check passes and that the alias is no longer listed:
    /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS | grep <alias-id>
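What the Certificate Authority Parameter Check actually inspects is the X.509 Basic Constraints extension (OID 2.5.29.19): a CA certificate carries cA TRUE, a leaf certificate carries an empty Basic Constraints value or none at all. The script below is an added example, not part of this article or of any VMware tool: it decodes that extension from raw DER with a small ASN.1 walker, parses the text that vecs-cli entry list prints (Alias lines followed by PEM blocks), and reports each alias as CA or LEAF, exiting 1 when a leaf is present. The assumed invocation is piping the store listing into it on the appliance; the script name, the sample aliases and the unsigned certificate skeletons built by sample_cert are constructed for the example and are not real certificates.

```python
"""Flag leaf certificates in a vCenter TRUSTED_ROOTS listing (added example, not a VMware tool).
Assumed usage on the appliance:
    /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS | python3 check_trusted_roots.py
Exit status 1 if any entry lacks Basic Constraints CA:TRUE."""
import base64
import sys

BASIC_CONSTRAINTS_OID = bytes.fromhex("551d13")  # DER value of OID 2.5.29.19 (id-ce-basicConstraints)


def der(tag, body):
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def read_tlv(buf, pos):
    """Decode the TLV at buf[pos] (single-byte tags, as in X.509); return (tag, body, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        n = first
    else:
        k = first & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n


def walk(buf):
    """Yield (tag, body) for every node, descending into constructed types only."""
    pos = 0
    while pos < len(buf):
        tag, body, pos = read_tlv(buf, pos)
        yield tag, body
        if tag & 0x20:  # SEQUENCE, SET, [n] EXPLICIT ...
            yield from walk(body)


def basic_constraints(cert_der):
    """Return (cA, pathLenConstraint) from the Basic Constraints extension, or None if absent.
    Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
    BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER OPTIONAL }"""
    for tag, body in walk(cert_der):
        if tag != 0x30 or not body.startswith(der(0x06, BASIC_CONSTRAINTS_OID)):
            continue
        _, _, pos = read_tlv(body, 0)            # extnID
        t, val, pos = read_tlv(body, pos)
        if t == 0x01:                            # optional 'critical' flag
            t, val, pos = read_tlv(body, pos)
        _, bc, _ = read_tlv(val, 0)              # OCTET STRING wraps the BasicConstraints SEQUENCE
        ca, path_len, p = False, None, 0
        while p < len(bc):
            t, v, p = read_tlv(bc, p)
            if t == 0x01:
                ca = v != b"\x00"                # DER omits cA when FALSE, so '30 00' is a leaf
            elif t == 0x02:
                path_len = int.from_bytes(v, "big")
        return ca, path_len
    return None


def is_ca(cert_der):
    """True only when Basic Constraints is present with cA TRUE (RFC 5280 rule for v3 CA certs)."""
    bc = basic_constraints(cert_der)
    return bc is not None and bc[0]


def triage_listing(text):
    """Parse `vecs-cli entry list` text ('Alias :<TAB>...' then a PEM block); map alias -> 'CA'|'LEAF'."""
    results, alias, pem, in_pem = {}, None, [], False
    for line in text.splitlines():
        if line.startswith("Alias"):
            alias = line.split(":", 1)[1].strip()
        elif "-----BEGIN CERTIFICATE-----" in line:
            pem, in_pem = [], True
        elif "-----END CERTIFICATE-----" in line:
            in_pem = False
            results[alias] = "CA" if is_ca(base64.b64decode("".join(pem))) else "LEAF"
        elif in_pem:
            pem.append(line.strip())
    return results


def sample_cert(ca, cn):
    """Constructed X.509-shaped, unsigned DER skeleton with a dummy key (not a real certificate)."""
    name = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x0C, cn.encode()))))
    sha256_rsa = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")))
    bc = der(0x30, der(0x01, b"\xff") if ca else b"")
    ext = der(0x30, der(0x06, BASIC_CONSTRAINTS_OID) + der(0x01, b"\xff") + der(0x04, bc))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sha256_rsa + name
              + der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"340101000000Z")) + name
              + der(0x30, der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101"))) + der(0x03, b"\x00"))
              + der(0xA3, der(0x30, ext)))
    return der(0x30, tbs + sha256_rsa + der(0x03, b"\x00"))


def vecs_entry(alias, cert_der):
    """Render one entry in the `vecs-cli entry list` text layout (constructed sample)."""
    pem = base64.encodebytes(cert_der).decode()
    return (f"Alias :\t{alias}\nEntry type :\tTrusted Cert\n"
            f"Certificate:\t-----BEGIN CERTIFICATE-----\n{pem}-----END CERTIFICATE-----\n\n")


if __name__ == "__main__":
    # With no piped input, fall back to two constructed entries: one CA, one leaf like CN=ssoserver.
    listing = sys.stdin.read() if not sys.stdin.isatty() else (
        vecs_entry("rootca-sample", sample_cert(True, "CA")) + vecs_entry("leaf-sample", sample_cert(False, "ssoserver")))
    results = triage_listing(listing)
    for alias, kind in results.items():
        print(f"[{'PASS' if kind == 'CA' else 'FAIL'}] {alias}: {kind}")
    sys.exit(1 if "LEAF" in results.values() else 0)
```

Run it before step 4 to list every leaf alias in one pass, and again after step 7 to confirm the store is clean; the aliases it prints are the values to use with --alias in the vecs-cli commands above. It deliberately reports an entry with no Basic Constraints at all as LEAF, since RFC 5280 requires CA:TRUE on a v3 CA certificate and the pre-check does not accept such an entry either.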

Additional Information