Configuring Custom CA in VCF 9 for VCF Instance fails with error: Unable to create CA.

Article ID: 419775

Updated On:

Products

VCF Operations

Issue/Introduction

  • In VCF 9 Operations Manager, configuring a Custom CA for VCF Instances fails after clicking a VCF Instance name, with the error: Unable to create CA.

  • On the SDDC Manager, the following entries are found in /var/log/vmware/vcf/operationsmanager/operationsmanager.log:

    YYYY-MM-DDTHH:MM:SS.757+0000 INFO  [vcf_om,691de78d756dc7e0a787feb65cc58766,fe39] [o.b.jsse.provider.ProvTlsClient,http-nio-127.0.0.1-7300-exec-6] [client #1853 @4d88bf81] disconnected from example.com:443
    YYYY-MM-DDTHH:MM:SS.757+0000 ERROR [vcf_om,691de78d756dc7e0a787feb65cc58766,fe39] [c.v.v.c.r.a.c.v.CertificateManagementController,http-nio-127.0.0.1-7300-exec-6] Failed to create certificate authority
    com.vmware.vcf.certmgmt.common.exception.CertificateManagementException: The server certificate of MSCA contains empty subject
        at com.vmware.vcf.certmgmt.ca.plugin.MicrosoftCaService.connect(MicrosoftCaService.java:402)

    YYYY-MM-DDTHH:MM:SS.759+0000 DEBUG [vcf_om,691de78d756dc7e0a787feb65cc58766,fe39] [c.v.e.s.e.h.LocalizableRuntimeExceptionHandler,http-nio-127.0.0.1-7300-exec-6] Processing localizable exception The server certificate of MSCA contains empty subject
    YYYY-MM-DDTHH:MM:SS.759+0000 ERROR [vcf_om,691de78d756dc7e0a787feb65cc58766,fe39] [c.v.e.s.e.h.LocalizableRuntimeExceptionHandler,http-nio-127.0.0.1-7300-exec-6] [CRGRD8] CERTIFICATE_CA_CREATION_FAILED The server certificate of MSCA contains empty subject
    com.vmware.vcf.certmgmt.common.exception.CertMgmtRestException: The server certificate of MSCA contains empty subject


Environment

  • VCF Fleet Manager 9.0

Cause

This issue occurs when the TLS certificate presented by the Microsoft CA (MSCA) server on port 443 has an empty Subject field. VCF Operations Manager validates the server certificate when it connects to the CA and rejects a certificate whose Subject is empty, so CA creation fails with the error shown above.

Running the openssl s_client command from the SDDC Manager CLI against the Microsoft CA server confirms the condition: the certificate returned by the server shows an empty subject field (the issuer is populated, only the subject is blank).

Example output indicating a null subject:

openssl s_client -connect <MicrosoftCAserverFQDN>:443 -showcerts

Server certificate
subject=      <----- Empty
issuer=C = ##, ST = ##, L = ######, O = ######, OU = #####, CN = example.com

Resolution

  • Ensure that the SSL certificate on the Microsoft CA server contains valid Subject information. 
  • To configure or regenerate the SSL certificate on the Microsoft CA server, refer to the Microsoft documentation: Add a subject alternative name to a secure LDAP certificate
  • After updating the certificate, validate that the Microsoft CA server presents a certificate with a proper Subject field by running the openssl s_client command from the SDDC Manager.

Sample output showing the certificate’s subject:

openssl s_client -connect <MicrosoftCAserverFQDN>:443 -showcerts

Server certificate
subject=C = ##, ST = ##, L = ######, O = ######, OU = #####, CN = example.com
issuer=C = ##, ST = ##, L = ######, O = ######, OU = #####, CN = example.com
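The manual openssl check above (used both to confirm the cause and to validate the fix) can be scripted so the empty-Subject condition is detected reliably rather than read by eye. The following shell functions are an added example written for this article, not part of VCF or the KB; they assume openssl is on the PATH of the host running them (for example the SDDC Manager), and the host name msca.example.com is a placeholder. The check sends SNI with -servername so a name-based virtual host on the CA's web server returns the certificate VCF will actually see, and feeds /dev/null to s_client so the command exits instead of waiting for input.

```shell
#!/bin/sh
# Added example (not VCF or KB code): verify that the TLS certificate a
# Microsoft CA server presents on 443 has a non-empty Subject, the condition
# VCF Operations Manager enforces when it connects to the CA.
# Assumes: openssl on PATH; host names below are placeholders.

# Fetch the leaf certificate HOST presents on PORT and print it as PEM.
# openssl x509 keeps only the first certificate of the -showcerts chain.
fetch_server_cert() {
    host=$1; port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
        </dev/null 2>/dev/null | openssl x509 -outform PEM
}

# Print the Subject DN of a PEM certificate file in RFC 2253 form.
# For a certificate with an empty Subject this prints an empty string.
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Exit status 0 when the certificate in $1 has a Subject, 1 when it is empty.
subject_is_present() {
    subj=$(cert_subject "$1")
    [ -n "$subj" ]
}

# End-to-end check against a live CA server; returns 0 on a usable
# certificate, 1 on an empty Subject, 2 when no certificate could be fetched.
check_ca_server() {
    tmp=$(mktemp) || return 2
    if ! fetch_server_cert "$1" "${2:-443}" >"$tmp" 2>/dev/null; then
        rm -f "$tmp"; echo "ERROR: could not fetch a certificate from $1"; return 2
    fi
    if subject_is_present "$tmp"; then
        echo "OK: $1 presents subject: $(cert_subject "$tmp")"; rc=0
    else
        echo "FAIL: $1 presents a certificate with an EMPTY subject; VCF will report 'Unable to create CA'"; rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Usage against a real server (placeholder host name):
#   check_ca_server msca.example.com 443
```

The same functions can be pointed at a certificate file exported from the CA's IIS binding before it is deployed, which avoids a round trip of replacing the binding and re-testing from VCF.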

Additional Information