Adding Trusted Root Certificate to the vCenter Certificate Store fails

Article ID: 422693

Products

VMware vCenter Server

Issue/Introduction

  • The task "Add a Trusted Root Certificate" to the vCenter Certificate Store using the vSphere UI fails.
  • The same import via the CLI also fails.
  • In /var/log/vmware/certificatemanagement/certificatemanagement-svcs.log on the vCenter, entries similar to the following are found (user and certificate identifiers masked). The line "cert already exist for Id" is the one that identifies this issue; the telemetry (VAC) warning that follows it is unrelated to the import itself:

    [tomcat-exec-8 INFO com.vmware.certificatemanagement.vapi.impl.setup.AuthzPermissionValidator] User ####\#### has required privileges (CertificateManagement.Administer) to invoke API com.vmware.vcenter.certificate_management.create
    [tomcat-exec-8 INFO com.vmware.certificatemanagement.impl.trustedroots.TrustedRootsChainCreator] TrustedRootsChain create operation is initiated
    [tomcat-exec-8 INFO com.vmware.certificatemanagement.impl.trustedroots.TrustedRootsChainCreator] create vAPI call for Id : ###############
    [tomcat-exec-8 INFO com.vmware.certificatemanagement.impl.trustedroots.TrustedRootsChainCreator] cert already exist for Id : ###############
    [tomcat-exec-8 INFO com.vmware.certificatemanagement.impl.telemetry.TelemetryData] Attempting VAC stats push ....
    [tomcat-exec-8 WARN com.vmware.certificatemanagement.impl.telemetry.TelemetryData] Publishing telemetry data to VAC failed with exception : Failed : HTTP error code : 400

 

Cause

The incoming root certificate has a Subject Key Identifier (SKID) identical to that of an entry already present in the TRUSTED_ROOTS store, so the create operation rejects it as a duplicate ("cert already exist for Id"). This commonly happens when a CA certificate has been re-issued or renewed on the same key pair: the certificate itself is new, but the SKID, which is normally derived from the public key, is unchanged. The existing entry therefore has to be removed before the new certificate can be imported.

Resolution

To resolve this issue, follow the steps below. Step 1 is required; Steps 2 and 3 are two ways of importing the new certificate (UI or CLI), so use whichever is preferred.

Step 1: Remove the Old Certificate from the vCenter.

  1. Take a snapshot of the vCenter.
  2. List the certificates in the TRUSTED_ROOTS store using vecs-cli:

    /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS --text | less

  3. Find the certificate that needs to be removed (the entry whose Subject Key Identifier matches the certificate being imported) and make a note of its Alias.

    Example: Alias : ####################################2e7f

  4. Using the Alias ID noted in step 3, run the command below to save the certificate to the /root/ folder, adjusting the alias and output path for the environment:

    /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store TRUSTED_ROOTS --alias ####################################2e7f --output /root/<aliasID>.cer

  5. Unpublish the old CA certificate from VMDIR using the exported file:

    /usr/lib/vmware-vmafd/bin/dir-cli trustedcert unpublish --cert /root/<aliasID>.cer

    Note: Provide the SSO Administrator password when prompted. Keep the exported .cer file; it is the only copy of the old root on the appliance once unpublished. Until the replacement is published, nothing chained to that root is trusted, so proceed to Step 2 or Step 3 without delay.

Step 2: Import the Trusted Root Certificate via the vCenter UI.

  1. Log in to the vCenter UI with SSO Administrator credentials.
  2. Navigate to Administration > Certificate Management > Import Trusted Root Certificate and import the new certificate.
  3. Reboot the vCenter for the change to take effect.

Step 3: Alternatively, import the Trusted Root Certificate via the CLI.

  1. Add the new certificates to the TRUSTED_ROOTS store:

    /usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert /root/new-cert.cer

    Note: When prompted, provide the SSO Administrator credentials.

  2. Perform force refresh of VECS to sync certificate from VMDIR.

    /usr/lib/vmware-vmafd/bin/vecs-cli force-refresh

  3. Confirm that the old certificate is no longer present in the store:

    /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS --text | grep <aliasID>

    Note: The output should not list the Alias ID that was removed in Step 1. The same listing (without the grep) should now show the newly published certificate.

  4. Restart all services on the vCenter Servers, ensuring that all services start and respond normally, and that login and management of the environment are functioning properly.

    service-control --stop --all && service-control --start --all
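As an added example (not part of this KB and not VMware tooling), the following POSIX shell script automates the check behind the Cause and Step 1 above: it reads the Subject Key Identifier of the certificate about to be published, scans the output of vecs-cli entry list --store TRUSTED_ROOTS --text for an existing entry with the same SKID, and names the clashing alias so that it can be exported and unpublished before the import is attempted. The vecs-cli and dir-cli paths are the ones used in the steps above; SAMPLE_STORE_DUMP is a constructed stand-in for the store listing (made-up aliases and SKID values, in the openssl-style layout the command prints) so the parsing can be exercised without an appliance; the openssl -ext option assumes OpenSSL 1.1.1 or later on the VCSA.

```shell
#!/bin/sh
# Added example (not from the KB): pre-flight check for a Subject Key Identifier
# (SKID) clash before "dir-cli trustedcert publish". Paths below are the KB's own;
# openssl is assumed to be present on the appliance.

# Constructed stand-in for `vecs-cli entry list --store TRUSTED_ROOTS --text`.
# Aliases and SKIDs are made up; only the layout mirrors the real dump.
SAMPLE_STORE_DUMP='Number of entries in store : 2
Alias : d4f1c0ffeed4f1c0ffeed4f1c0ffeed4f1c0ffee
Entry type : Trusted Cert
Certificate:
    Data:
        Version: 3 (0x2)
        Subject: CN=Example Root CA
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                D4:F1:C0:FF:EE:D4:F1:C0:FF:EE:D4:F1:C0:FF:EE:D4:F1:C0:FF:EE
            X509v3 Basic Constraints: critical
                CA:TRUE
Alias : 0a0b0c0d0e0a0b0c0d0e0a0b0c0d0e0a0b0c0d0e
Entry type : Trusted Cert
Certificate:
    Data:
        Subject: CN=Other Root CA
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                0A:0B:0C:0D:0E:0A:0B:0C:0D:0E:0A:0B:0C:0D:0E:0A:0B:0C:0D:0E
            X509v3 Subject Key Identifier: 
                0A:0B:0C:0D:0E:0A:0B:0C:0D:0E:0A:0B:0C:0D:0E:0A:0B:0C:0D:0E
'

# normalize_skid HEX: drop colons and whitespace and uppercase, so that
# "ab:cd" and "ABCD" compare equal regardless of how each tool prints them.
normalize_skid() {
    printf '%s' "$1" | tr -d ':[:space:]' | tr 'abcdef' 'ABCDEF'
}

# skid_of_cert FILE: print the SKID of a PEM certificate (OpenSSL 1.1.1+ for -ext).
# A certificate without the extension yields an empty string, which the caller
# treats as "no clash possible" because VECS cannot have matched on it.
skid_of_cert() {
    openssl x509 -in "$1" -noout -ext subjectKeyIdentifier 2>/dev/null \
        | sed -n '2p' | tr -d ':[:space:]'
}

# find_alias_for_skid DUMP SKID: print the alias of every entry in DUMP whose
# Subject Key Identifier equals SKID. The dump lists "Alias :" before each
# certificate text, and openssl prints the SKID value on the line after the
# extension name, so the awk remembers the latest alias and reads one line ahead.
# "Authority Key Identifier" lines are deliberately not matched.
find_alias_for_skid() {
    want=$(normalize_skid "$2")
    [ -n "$want" ] || return 0
    printf '%s\n' "$1" | awk -v want="$want" '
        /^Alias :/ { alias = $3 }
        /X509v3 Subject Key Identifier/ {
            if ((getline line) > 0) {
                gsub(/[ \t:]/, "", line)
                if (toupper(line) == want) print alias
            }
        }'
}

# check_before_import FILE: on a live vCenter, return 1 and name the clashing
# alias if the new root's SKID already exists in TRUSTED_ROOTS (the condition
# that produces "cert already exist for Id"); otherwise return 0.
check_before_import() {
    new_skid=$(skid_of_cert "$1")
    store=$(/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS --text)
    clash=$(find_alias_for_skid "$store" "$new_skid")
    if [ -n "$clash" ]; then
        echo "SKID $new_skid is already in TRUSTED_ROOTS under alias: $clash" >&2
        echo "Export it with 'vecs-cli entry getcert --alias $clash' and remove it with" >&2
        echo "'dir-cli trustedcert unpublish' (Step 1) before publishing $1." >&2
        return 1
    fi
    echo "No SKID clash; safe to run: /usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert $1"
}

# The live check runs only when a certificate path is given; with no argument the
# script just defines the functions, so it can be sourced or run against the sample.
[ $# -eq 0 ] || check_before_import "$1"
```

Run it on the appliance as `sh skid-check.sh /root/new-cert.cer` before Step 3; a non-zero exit with the alias printed means Step 1 is still needed for that alias. The comparison is made on the extension value, not on the alias string, so it does not rely on the alias being equal to the SKID.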

Additional Information

Reference KB: https://knowledge.broadcom.com/external/article?articleNumber=326288