Machine SSL certificate replacement using vCert tool fails with error: Operation failed: Unable to create entry _MACHINE_CERT in the VECS store MACHINE_SSL_CERT

Article ID: 424213

Products

VMware vCenter Server

Issue/Introduction

  • When using vCert tool option 3-1-3 to replace a Custom CA-signed Machine SSL certificate, you receive the following error:

  • When reviewing the contents of the VECS store: MACHINE_SSL_CERT using command: /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store MACHINE_SSL_CERT, you see only one entry for _MACHINE_CSR:

NOTE: The second alias entry, _MACHINE_CERT, is missing from the above output.

Environment

VMware vCenter Server

Cause

An alias entry for _MACHINE_CERT must exist in the VECS store MACHINE_SSL_CERT for the Machine SSL certificate replacement process to succeed.

Resolution

  • Verify the hashes of the existing certificate (rui.crt) and key (rui.key) files in the /etc/vmware-vpx/ssl folder on the vCenter Server to confirm that they are intact and belong together, and so can be used to create the missing alias entry:

  • Manually create the alias entry for _MACHINE_CERT in the VECS store MACHINE_SSL_CERT using the following command (note the two leading underscores in the alias name as passed to vecs-cli):

/usr/lib/vmware-vmafd/bin/vecs-cli entry create --store MACHINE_SSL_CERT --alias __MACHINE_CERT --cert /etc/vmware-vpx/ssl/rui.crt --key /etc/vmware-vpx/ssl/rui.key

  • Verify that the second alias entry, _MACHINE_CERT, now exists in the VECS store MACHINE_SSL_CERT using the following command:

/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store MACHINE_SSL_CERT

  • Proceed with the Machine SSL certificate replacement using vCert tool option 3-1-3; it should now complete normally.
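
The resolution steps above as one script, an added example that is not part of this KB or of the vCert tool: it confirms that rui.crt and rui.key carry the same public key (by comparing SHA-256 hashes of the public key each one yields, which is what the hash check in the first step establishes), recreates the alias only when that check passes and the entry is absent, then re-lists the store. The VECS_CLI variable, the helper names and the use of openssl are assumptions; the alias is spelled __MACHINE_CERT exactly as in the create command above.

```shell
#!/bin/sh
# Added example, not VMware's code. Assumes openssl is on PATH and that
# vecs-cli lives at the path used in the KB (override with VECS_CLI).
VECS_CLI="${VECS_CLI:-/usr/lib/vmware-vmafd/bin/vecs-cli}"
STORE="MACHINE_SSL_CERT"
ALIAS="__MACHINE_CERT"   # spelled as in the vecs-cli create command

# SHA-256 of a PEM public key passed as text; used to compare cert and key.
pubkey_hash() {
    printf '%s\n' "$1" | openssl dgst -sha256 | awk '{print $NF}'
}

# Return 0 only when the certificate's public key equals the public key
# derived from the private key, i.e. the two files form a pair.
cert_key_match() {
    cpub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    kpub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cpub" ] && [ "$(pubkey_hash "$cpub")" = "$(pubkey_hash "$kpub")" ]
}

# Return 0 when the alias is listed in the given VECS store.
vecs_entry_present() {
    "$VECS_CLI" entry list --store "$1" 2>/dev/null \
        | grep -q "^Alias[[:space:]]*:[[:space:]]*$2\$"
}

# Check the pair, create the missing __MACHINE_CERT entry, verify it exists.
restore_machine_cert() {
    crt="${1:-/etc/vmware-vpx/ssl/rui.crt}"
    key="${2:-/etc/vmware-vpx/ssl/rui.key}"
    if ! cert_key_match "$crt" "$key"; then
        echo "rui.crt and rui.key do not match; do not use them for $ALIAS" >&2
        return 1
    fi
    if vecs_entry_present "$STORE" "$ALIAS"; then
        echo "$ALIAS already present in $STORE; nothing to do"
        return 0
    fi
    "$VECS_CLI" entry create --store "$STORE" --alias "$ALIAS" \
        --cert "$crt" --key "$key" || return 1
    vecs_entry_present "$STORE" "$ALIAS"
}
```

Run `restore_machine_cert` with no arguments on the appliance to use the KB's default paths, or pass a certificate and key path to check a different pair first.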

Additional Information

Reference KB for using the vCert tool: vCert - Scripted vCenter expired certificate replacement