vCenter 9.0 Certificate Replacement Fails: Unsupported Signature Algorithm SHA256withRSAandMGF1
Article ID: 418126

Products

VMware SDDC Manager, VMware Cloud Foundation, VMware vCenter Server

Issue/Introduction

  • Microsoft CA certificate replacement on vCenter Server 9.0 fails with the error messages below:
    Failed to replace certificate for <vcenter_fqdn> due to: 500 Internal Server Error: "{"type":"com.vmware.vapi.std.errors.error","value": {"error_type":"ERROR","messages":[{"args":["Certificate uses an unsupported signature algorithm - SHA256withRSAandMGF1. Only SHA-2 RSA algorithms are supported on the vCenter Server."],"default_message":"Exception found (Certificate uses an unsupported signature algorithm - SHA256withRSAandMGF1. Only SHA-2 RSA algorithms are supported on the vCenter Server.)","id":"com.vmware.certificatemanagement.error"}]}}"

  • Errors in /var/log/vmware/certificatemanagement/certificatemanagement-svcs.log on the vCenter Server:
    INFO  com.vmware.certificatemanagement.impl.tls.TlsReplace  opId=] Adding intermediate certificates to MACHINE_SSL certificate.
    ERROR com.vmware.certificatemanagement.impl.tls.TlsReplace  opId=] Error Certificate uses an unsupported signature algorithm - SHA256withRSAandMGF1. Only SHA-2 RSA algorithms are supported on the vCenter Server.
    ERROR com.vmware.certificatemanagement.impl.tls.TlsReplace  opId=] TLS Certificate replacement failed : Certificate uses an unsupported signature algorithm - SHA256withRSAandMGF1. Only SHA-2 RSA algorithms are supported on the vCenter Server.
    INFO  com.vmware.certificatemanagement.impl.telemetry.TelemetryData  opId=] Attempting VAC stats push ....
    ERROR com.vmware.certificatemanagement.vapi.impl.TlsProviderImpl  opId=] Exception was thrown while executing set:
    com.vmware.certificatemanagement.impl.exceptions.InvalidArgumentException: Certificate uses an unsupported signature algorithm - SHA256withRSAandMGF1. Only SHA-2 RSA algorithms are supported on the vCenter Server.

Environment

VCF 9.0, vCenter 9.0

Cause

  • The Root and Machine SSL certificates use a weak signature algorithm that is unsupported. Only SHA-2 RSA algorithms are supported on the vCenter Server.
  • Certificates with weak signature algorithms are not supported in VCF 9.0; the pre-checks in the Certificate Replacement workflows prevent the use of unsafe certificates.

Resolution

To resolve the issue, replace the vCenter certificate infrastructure, moving from the unsupported signature scheme to the standard SHA-2 RSA signature scheme required by vCenter 9.0 security policies.

  1. Generate or obtain certificates that use a SHA-2 signature algorithm (including the Intermediate Certificate(s) and all Root Certificates in the chain) and proceed with the certificate replacement.
  2. When creating a custom machine SSL certificate for vCenter Server, Server Authentication and Client Authentication are not supported and must be removed when using Microsoft Certificate Authority (CA) templates. For more information, refer to the knowledge base article "Provided certificate using the weak signature algorithm. Please provide the strong signature algorithm certificate", Certificate Replacement on vCenter Server 8.0 Fails with Weak Signature Algorithm Error Message.
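Before uploading a replacement chain, it is worth checking every certificate's outer signatureAlgorithm rather than relying on the pre-check to fail. The following is an added example written for this article (not a VMware tool or the certificate-management service's own code): a dependency-free Python reader of the signatureAlgorithm OID in each PEM certificate, which flags RSASSA-PSS (SHA256withRSAandMGF1 is the Java name for RSASSA-PSS with SHA-256 and MGF1) as rejected and PKCS#1 v1.5 SHA-2 RSA as accepted. It assumes, from the error text, that sha384/sha512WithRSAEncryption count as "SHA-2 RSA"; the sample chain is constructed DER with the Certificate layout, not real certificates.

```python
import base64, re
# Signature-algorithm OIDs, classified from the error text in this article; the
# assumption that sha384/sha512 RSA are accepted follows from "Only SHA-2 RSA".
SUPPORTED = {"1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
             "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
             "1.2.840.113549.1.1.13": "sha512WithRSAEncryption"}
REJECTED = {"1.2.840.113549.1.1.10": "RSASSA-PSS (SHA256withRSAandMGF1)",
            "1.2.840.113549.1.1.5": "sha1WithRSAEncryption"}

def _tlv(buf, pos):
    """Read one DER TLV at pos -> (tag, value, offset after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _oid(value):
    """Decode an OBJECT IDENTIFIER payload to dotted notation."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """OID of Certificate.signatureAlgorithm, i.e. how the issuer signed this cert."""
    _, cert, _ = _tlv(der, 0)              # Certificate SEQUENCE
    _, _, pos = _tlv(cert, 0)              # skip tbsCertificate
    _, alg_id, _ = _tlv(cert, pos)         # AlgorithmIdentifier SEQUENCE
    _, oid, _ = _tlv(alg_id, 0)            # its first element is the algorithm OID
    return _oid(oid)

def check_chain_pem(pem_text):
    """Classify every cert in a PEM bundle -> [(oid, name, accepted_by_vcenter)]."""
    out = []
    for b64 in re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S):
        oid = signature_algorithm(base64.b64decode("".join(b64.split())))
        out.append((oid, SUPPORTED.get(oid) or REJECTED.get(oid, "unknown"), oid in SUPPORTED))
    return out

# CONSTRUCTED sample input: DER with the Certificate layout (empty tbsCertificate,
# AlgorithmIdentifier, empty BIT STRING) to exercise the parser; not real certificates.
def _fake_pem(oid):
    alg = b"\x30" + bytes([len(oid) + 2]) + b"\x06" + bytes([len(oid)]) + oid
    body = b"\x30\x00" + alg + b"\x03\x01\x00"
    der = b"\x30" + bytes([len(body)]) + body
    return f"-----BEGIN CERTIFICATE-----\n{base64.b64encode(der).decode()}\n-----END CERTIFICATE-----\n"
SAMPLE_CHAIN = _fake_pem(bytes.fromhex("2a864886f70d01010a")) + _fake_pem(bytes.fromhex("2a864886f70d01010b"))
```

On a real chain, call check_chain_pem(open("chain.pem").read()) and treat any entry whose third field is False as a certificate that the vCenter 9.0 pre-check will reject; the first sample entry (RSASSA-PSS) shows exactly the case this article describes.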