Add a Trusted Root Certificate to the vCenter Certificate Store failed

Article ID: 422693


Products

VMware vCenter Server

Issue/Introduction

  • Adding a Trusted Root Certificate to the vCenter Certificate Store using the vSphere Client fails.
  • Adding the new certificate to the TRUSTED_ROOTS store with the following command also fails:

/usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert path_to_RootCA

  • /var/log/vmware/certificatemanagement/certificatemanagement-svcs.log reports the following entries (the certificate is reported as already existing):

[tomcat-exec-8 INFO com.vmware.cerfiticatemanagement.vapi.impl.setup.AuthzPermissionValidator] User xxxxx\xxxxx has required privileges (CertificateManagement.Administer) to invoke API com.vmware.vcenter.cestificate_management.create
[tomcat-exec-8 INFO com.vmware.cerfiticatemanagement.impl.trustedroots.TrustedRootsChainCreator] TrustedRootsChain create operation is initiated 
[tomcat-exec-8 INFO com.vmware.cerfiticatemanagement.impl.trustedroots.TrustedRootsChainCreator] create vAPI call for Id : xxxxxxxxxxxxxxx
[tomcat-exec-8 INFO com.vmware.cerfiticatemanagement.impl.trustedroots.TrustedRootsChainCreator] cert already exist for Id : xxxxxxxxxxxxxxx
[tomcat-exec-8 INFO com.vmware.cerfiticatemanagement.impl.telemetry.TelemetryData] Attempting VAC stats push ....
[tomcat-exec-8 WARN com.vmware.cerfiticatemanagement.impl.telemetry.TelemetryData] Publishing telemetry data to VAC failed with exception : Failed : HTTP error code : 400

Cause

The newly added root certificate has the same ID (Subject Key Identifier) as the old root certificate that is already in the TRUSTED_ROOTS store.

Resolution

1. List the certificates using vecs-cli.

/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS --text | less

2. Find the certificate that needs to be removed and make a note of the Alias.

Example:

Alias : ####################################2e7f

3. Using the Alias ID located in Step 2, run the following command to save the certificate to /root/ folder, adjusting appropriately for the environment:

/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store TRUSTED_ROOTS --alias ####################################2e7f --output /root/<aliasID>.cer

4. Unpublish the old CA certificate from VMDIR; the command prompts for SSO Administrator credentials.

/usr/lib/vmware-vmafd/bin/dir-cli trustedcert unpublish --cert /root/<aliasID>.cer

5. Add the new certificate to the TRUSTED_ROOTS store:

/usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert /root/new-cert.cer

When prompted, provide the Single Sign-On Administrator credentials.

6. Force a refresh of VECS to sync the certificates from VMDIR.

/usr/lib/vmware-vmafd/bin/vecs-cli force-refresh

7. Confirm that the old certificate is no longer present.

Note: The output of this command should not list the Alias ID that was removed in the steps above.

/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS --text | grep <aliasID>

8. Restart all services on the vCenter Servers, ensuring that all services start and respond normally, and that login and management of the environment are functioning properly.

service-control --stop --all
service-control --start --all
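The cause above is a Subject Key Identifier collision, which step 2 asks you to locate by eye. The following added Python check (not part of this KB, of vecs-cli or of any VMware tool) parses the text output of `vecs-cli entry list --store TRUSTED_ROOTS --text` and of `openssl x509 -in /root/new-cert.cer -noout -text` on the new root, and reports every existing alias that shares the new root's SKI, so the entry to unpublish is known before `dir-cli trustedcert publish` is run. Both sample outputs, the alias values and the SKI values are constructed and trimmed to the fields the check reads.

```python
import re

# SKI line in openssl-style certificate text, as printed by both
# `vecs-cli entry list --text` and `openssl x509 -noout -text`.
SKI_RE = re.compile(
    r"X509v3 Subject Key Identifier:(?: critical)?\s+([0-9A-Fa-f:]+)")


def parse_store(list_output):
    """Map each TRUSTED_ROOTS alias to its Subject Key Identifier (None if absent)."""
    entries = {}
    # Each entry begins with an "Alias :" line; chunk [0] is the store header.
    for chunk in re.split(r"(?m)^Alias\s*:\s*", list_output)[1:]:
        alias = chunk.split(None, 1)[0]
        match = SKI_RE.search(chunk)
        entries[alias] = match.group(1).upper() if match else None
    return entries


def conflicting_aliases(list_output, new_cert_text):
    """Aliases already in the store whose SKI equals the new root's SKI."""
    match = SKI_RE.search(new_cert_text)
    if match is None:
        raise ValueError("new certificate carries no Subject Key Identifier")
    new_ski = match.group(1).upper()
    return [a for a, ski in parse_store(list_output).items() if ski == new_ski]


# Constructed sample of `vecs-cli entry list --store TRUSTED_ROOTS --text` output.
STORE_OUTPUT = """\
Number of entries in store :    2
Alias : 0123456789abcdef0123456789abcdef01232e7f
Entry type :    Trusted Cert
Certificate:
        Subject: CN = Corp Root CA, O = Example
            X509v3 Subject Key Identifier:
                AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD
Alias : fedcba9876543210fedcba9876543210fedc1a2b
Entry type :    Trusted Cert
Certificate:
        Subject: CN = Other Root CA, O = Example
            X509v3 Subject Key Identifier:
                11:22:33:44:55:66:77:88:99:00:AA:BB:CC:DD:EE:FF:00:11:22:33
"""

# Constructed `openssl x509 -noout -text` output for a renewed root that kept its
# key pair, so its SKI matches the first store entry (the case this KB describes).
NEW_CERT_TEXT = """\
Certificate:
        Subject: CN = Corp Root CA, O = Example
            X509v3 Subject Key Identifier:
                aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd
"""

if __name__ == "__main__":
    for alias in conflicting_aliases(STORE_OUTPUT, NEW_CERT_TEXT):
        print(f"publish would be rejected: alias {alias} already holds this SKI")
```

On a live appliance, feed the real command outputs to `conflicting_aliases` instead of the constructed strings; each alias it returns is the one to pass to `vecs-cli entry getcert` in step 3.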

Additional Information

Reference KB: https://knowledge.broadcom.com/external/article?articleNumber=326288