vCenter Server TLS Certificate Compliance Warning Due to Missing OCSP Information



Article ID: 430061


Products

VMware vCenter Server

Issue/Introduction

Security and compliance scanners may flag a TLS certificate validation finding on the vCenter Server even when a publicly trusted third-party certificate (for example, one issued by DigiCert) is installed, chains correctly and is otherwise valid.
This occurs when the scanner cannot determine the real-time revocation status of the certificate, producing findings such as "TLS certificate status cannot be validated".

Environment

VMware vCenter 7.x
VMware vCenter 8.x
VMware vCenter 9.x

Cause

The installed Machine SSL certificate does not carry an OCSP responder URI.

Specifically:

  • The Authority Information Access (AIA) extension of the certificate lists only a CA Issuers URI; the OCSP URI is missing

  • Without that URI, vCenter has no responder from which to obtain a signed OCSP response and therefore cannot staple one during the TLS handshake

  • Security scanners have no endpoint to query for the certificate's revocation status and mark the certificate as non-compliant

The AIA extension is part of the signed certificate, so this can only be corrected by the issuing CA, not by any setting on the appliance.

Resolution

Step 1: Verify Whether the OCSP URI Is Missing

Run the following commands from the vCenter Server appliance or from any system with OpenSSL installed and network access to the appliance on TCP 443. Both commands connect to the live endpoint, so they inspect the certificate actually presented by vCenter rather than a file on disk.

Check for OCSP URI Directly

echo | openssl s_client -connect <vcenter-fqdn>:443 -servername <vcenter-fqdn> 2>/dev/null | openssl x509 -noout -ocsp_uri

Expected Output (Problematic Certificate)

<no output>

No output confirms that the certificate does not advertise an OCSP responder.

Expected Output (Correct Certificate)

The OCSP responder URI is printed, one per line, for example http://ocsp.digicert.com for a DigiCert-issued certificate.

Check the Full AIA Extension

echo | openssl s_client -connect <vcenter-fqdn>:443 -servername <vcenter-fqdn> 2>/dev/null | openssl x509 -text -noout | grep -A2 "Authority Information Access"

Expected Output (Problematic Certificate)

Authority Information Access:
    CA Issuers - URI:http://cacerts.digicert.com/DigiCertGlobalRootCA.crt

Note: the OCSP entry is missing.

Expected Output (Correct Certificate)

Authority Information Access:
    OCSP - URI:http://ocsp.digicert.com
    CA Issuers - URI:http://cacerts.digicert.com/DigiCertGlobalRootCA.crt

Step 2: Re-issue the Certificate

If the OCSP URI is missing, the certificate must be re-issued by the CA with a profile that includes it; the existing certificate cannot be amended.

  1. Generate a new CSR from the vCenter Server using Certificate Manager

  2. When submitting the CSR to DigiCert:

    • Select a certificate profile that includes OCSP in the AIA extension

    • Do not use a minimal or legacy profile that omits OCSP

  3. Download the re-issued certificate along with the full intermediate and root chain

  4. Replace the Machine SSL certificate using:

    /usr/lib/vmware-vmca/bin/certificate-manager

  5. Restart vCenter services or reboot the appliance if prompted

  6. Re-run the Step 1 checks against the appliance to confirm the new certificate advertises an OCSP responder before requesting a rescan
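The following script is an added example and is not part of this KB article. It reproduces the Step 1 check offline so the two outcomes can be compared side by side: it issues two self-signed test certificates with OpenSSL, one with an AIA extension carrying only a CA Issuers URI (the "minimal" profile from Step 2) and one carrying both OCSP and CA Issuers URIs (the correct profile), and runs the same `openssl x509 -ocsp_uri` test against each. The host name and URLs are hypothetical; the live functions at the end wrap the KB's own `s_client` pipeline and are not executed.

```shell
#!/usr/bin/env bash
# Added example, not part of the KB article: reproduce the Step 1 check offline
# against two self-signed test certificates, one issued the way a "minimal"
# profile does it (AIA with CA Issuers only) and one the way the correct profile
# does it (AIA with OCSP and CA Issuers). Host name and URLs are hypothetical.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

HOST="vcenter.example.test"                              # hypothetical vCenter FQDN
OCSP_URL="http://ocsp.example.test"                      # hypothetical OCSP responder
CA_URL="http://cacerts.example.test/ExampleRootCA.crt"   # hypothetical CA Issuers URL

# Issue a short-lived self-signed leaf certificate into $1 whose
# Authority Information Access extension is exactly the value given in $2.
make_cert() {
  local out=$1
  local aia=$2
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/key.pem" -out "$out" -days 1 -subj "/CN=$HOST" \
    -addext "subjectAltName = DNS:$HOST" \
    -addext "authorityInfoAccess = $aia" 2>/dev/null
}

# Problematic certificate: AIA without an OCSP entry.
make_cert "$WORK/minimal.pem" "caIssuers;URI:$CA_URL"
# Correct certificate: AIA with OCSP and CA Issuers.
make_cert "$WORK/full.pem"    "OCSP;URI:$OCSP_URL,caIssuers;URI:$CA_URL"

# The KB's first check, applied to a PEM file instead of a live connection:
# prints each advertised OCSP responder URI on its own line, or nothing at all.
ocsp_uri_of() {
  openssl x509 -noout -ocsp_uri -in "$1"
}

# Verdict helper: "ok" if at least one responder is advertised, else "missing".
ocsp_verdict() {
  if [ -n "$(ocsp_uri_of "$1")" ]; then echo ok; else echo missing; fi
}

# Live variants against a real appliance (not run here).
# ocsp_verdict_live prints the responder URI from the certificate served on 443.
# ocsp_staple_live asks the server to staple an OCSP response; the output reads
# "OCSP response: no response sent" when nothing is stapled and
# "OCSP Response Status: successful" when stapling works.
ocsp_verdict_live() {
  echo | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
    | openssl x509 -noout -ocsp_uri
}
ocsp_staple_live() {
  echo | openssl s_client -connect "$1:443" -servername "$1" -status 2>/dev/null \
    | grep -i "OCSP response"
}

echo "minimal profile: $(ocsp_verdict "$WORK/minimal.pem")"
echo "full profile:    $(ocsp_verdict "$WORK/full.pem") -> $(ocsp_uri_of "$WORK/full.pem")"
```

Run it on any host with OpenSSL 1.1.1 or later (the `-addext` option is needed). The minimal certificate produces no output from `-ocsp_uri`, exactly what the KB describes for the problematic Machine SSL certificate, while the full certificate prints its responder URI. To check a real appliance, call `ocsp_verdict_live <vcenter-fqdn>` and `ocsp_staple_live <vcenter-fqdn>` from a shell that has sourced the script.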

Additional Information

  • Modern vulnerability scanners expect an OCSP responder or CRL distribution point in the certificate so they can validate its revocation status in real time; a certificate that advertises neither cannot pass this check

  • OCSP Stapling improves:

    • TLS handshake performance

    • Privacy (clients do not directly contact the CA)

    • Compliance with security audit requirements

  • vCenter Server can only present the metadata the CA placed in the signed certificate; there is no setting on the appliance that adds OCSP information after issuance

  • This behavior is not a vCenter defect but a certificate profile configuration issue on the CA side.