Smart Card Logon is not working, Certificate not valid - Reason: [INVALID_POLICY]

Article ID: 415056

Products

VMware vCenter Server

Issue/Introduction

vCenter Smart Card Authentication fails with "Certificate not valid. Message: [non-null policy tree required and policy tree is null] Reason: [INVALID_POLICY]"

Environment

vSphere 8.x

Cause

A signing CA from the user's Smart Card certificate CA path is missing from the vCenter Smart Card trust stores.

Resolution

Use the client computer to list/export the user Smart Card certificate signing CA certificates:

  • c:\> certutil -scinfo
  • Select the user certificate when prompted to 'View'.
  • Select the 'Certificate Path' tab.
  • Select each CA in the path and click 'View Certificate'.
  • Select Details and export with 'Copy to File' [Base-64 encoded X.509 (.cer)].

Update the vCenter Trust Stores:

  • Navigate to the Configuration UI.
  • From the Home menu, select Administration.
  • Under Single Sign On, click Configuration.
  • Under the Identity Provider tab, click Smart Card Authentication.
  • Under the Trusted CA certificates tab:
  • Click Add, and click Browse.
  • Select a trusted CA certificate, and click Add.

To add additional trusted CA certificates, repeat these steps.

Configure vCenter Server to Request Client Certificates:

Create a trusted client CA store on the vCenter Server using the exact path and PEM name, /usr/lib/vmware-sso/vmware-sts/conf/clienttrustCA.pem.

  • To create the trusted client CA store, run the openssl command, taking as input your trusted signing certificate. For example, the following command creates the clienttrustCA.pem file from the xyzCompanySmartCardSigningCA.cer trusted signing certificate.
    • vcsa# openssl x509 -inform PEM -in xyzCompanySmartCardSigningCA.cer > /usr/lib/vmware-sso/vmware-sts/conf/clienttrustCA.pem
  • You can add additional certificates to the trusted client CA store by running the openssl command with the ">>" operator to append the additional certificate. For example, the following command appends xyzCompanySmartCardSigningCA2.cer to the existing clienttrustCA.pem file.
    • vcsa# openssl x509 -inform PEM -in xyzCompanySmartCardSigningCA2.cer >> /usr/lib/vmware-sso/vmware-sts/conf/clienttrustCA.pem

Validate that the clienttrustCA.pem file contains the trusted CAs that signed the smart card certificates:

  • vcsa# keytool -printcert -file /usr/lib/vmware-sso/vmware-sts/conf/clienttrustCA.pem | grep -i "owner\|sha1\|issuer:\|valid"
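The build-and-validate steps above, as an added example that is not part of this article or of vCenter: it creates a constructed Root CA, Smart Card Signing CA and user certificate with openssl, shows that a clienttrustCA.pem holding only the root fails to validate the user certificate (the missing-signing-CA condition this article describes), and shows it validating once the signing CA is appended with '>>'. All names and the temporary working directory are constructed; only openssl is required.

```shell
#!/bin/sh
# Added example, not from the KB or vCenter: builds a constructed
# Root CA -> Smart Card Signing CA -> user certificate chain, then checks
# the user cert against a trust store with and without the signing CA.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# issue <name> <subject> <CA:TRUE|FALSE> [signer]  (self-signed when no signer)
issue() {
  name=$1; subj=$2; ca=$3; signer=$4
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$name.key" \
    -subj "$subj" -out "$WORK/$name.csr" 2>/dev/null
  if [ "$ca" = TRUE ]; then ku=keyCertSign,cRLSign; else ku=digitalSignature; fi
  printf 'basicConstraints=critical,CA:%s\nkeyUsage=critical,%s\n' "$ca" "$ku" \
    > "$WORK/$name.ext"
  if [ -z "$signer" ]; then
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" -days 2 \
      -extfile "$WORK/$name.ext" -out "$WORK/$name.cer" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$signer.cer" \
      -CAkey "$WORK/$signer.key" -CAcreateserial -days 2 \
      -extfile "$WORK/$name.ext" -out "$WORK/$name.cer" 2>/dev/null
  fi
}

# chain_ok <store.pem>: 0 if the user cert chains to a CA in the store, else 1
chain_ok() { openssl verify -CAfile "$1" "$WORK/user.cer" >/dev/null 2>&1; }
# count_certs <store.pem>: number of PEM certificates in the store
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }
# list_store <store.pem>: subject/issuer of each cert (keytool -printcert analogue)
list_store() { openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout; }

issue root  "/CN=Constructed Root CA" TRUE
issue inter "/CN=Constructed Smart Card Signing CA" TRUE root
issue user  "/CN=constructed.user" FALSE inter

STORE="$WORK/clienttrustCA.pem"
# Store with the root only: the CA that signed the user cert is absent.
openssl x509 -inform PEM -in "$WORK/root.cer" > "$STORE"
if chain_ok "$STORE"; then echo "unexpected: validated with root only"
else echo "root only: user certificate does not chain (signing CA missing)"; fi
# Append the signing CA exactly as the '>>' step above does, then re-check.
openssl x509 -inform PEM -in "$WORK/inter.cer" >> "$STORE"
if chain_ok "$STORE"; then echo "root + signing CA: user certificate chains OK"; fi
echo "store now holds $(count_certs "$STORE") certificate(s):"; list_store "$STORE"
```

On a real vCenter the same `openssl verify -CAfile /usr/lib/vmware-sso/vmware-sts/conf/clienttrustCA.pem <user.cer>` check, run against a user certificate exported from the smart card, tells you before restarting sts whether every CA in the user's certificate path is present.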

Check that the trusted CA names match, either with sso-config.sh or in the vSphere UI under Single Sign On, Configuration, Smart Card Configuration, Smart Card Authentication, Trusted CA Certificates:

  • vcsa# sso-config.sh -get_authn_policy -t vsphere.local | grep trusted

Note: These must match the Smart Card user certificate's certificate chain, i.e. the Root and Intermediate certificates must have matching thumbprints, names, validity dates, etc. On the client computer, use 'c:\> certutil -scinfo' to view the user's Smart Card certificate and the signing CA path for that certificate.

The vmware-sts service must be restarted after configuring smart card authentication:

  • vcsa# /usr/lib/vmware-vmon/vmon-cli --restart sts