Sectigo signed certificate for Aria Suite Lifecycle products fails to properly import into the Locker with end-entity certificate messages


Article ID: 430787


Products

VCF Automation

Issue/Introduction

When attempting to replace or update the server certificate for a VMware Identity Manager cluster, the certificate upload fails validation in the VMware Aria Suite Lifecycle Locker. You may experience an end-entity certificate error preventing the successful application of the new certificate. This behavior has been observed when transitioning to a Sectigo Certificate Authority (CA) where the provided chain is incomplete or out of order.

Environment

  • VMware Identity Manager 3.3.7

  • VMware Aria Suite Lifecycle 8.18.0

Cause

The certificate upload fails because the provided certificate chain lacks the complete chain of trust. While a standard Certificate Signing Request (CSR) may generate a three-certificate chain (client > intermediate > root), the current root certificate may be signed by an additional high-level root CA that is missing from the chain. Additionally, certificates downloaded directly from the Sectigo portal may contain all four certificates but are bundled in the incorrect order due to a UI bug on the vendor's side.

Resolution

To resolve this issue and successfully apply the certificate, ensure the entire four-certificate chain is present and in the correct order within the Locker.

  1. Download the new certificate package from Sectigo.

  2. Open the downloaded certificate file and separate the four individual certificates, as they may be presented out of order.

  3. Identify the high-level Sectigo USERTRUST CA root certificate.

  4. Navigate to the Locker in VMware Aria Suite Lifecycle.

  5. Edit your certificate payload and manually arrange the chain in the correct descending order: Client > Intermediate > Root > High-level Root (Sectigo USERTRUST CA).

  6. Append the high-level Sectigo USERTRUST CA exactly at the end of the certificate text block.

  7. Save the certificate in the Locker. VMware Aria Suite Lifecycle will now accept the complete four-certificate chain, and the end-entity certificate error no longer occurs.

  8. Proceed with the certificate replacement task for the VMware Identity Manager cluster.

    1. Run the Re-Trust with Identity Manager action in Aria Suite Lifecycle against Aria Automation to trust this new certificate.
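
Steps 2 to 6 can be checked before pasting the chain into the Locker. The script below is an added example, not part of the original article or of any VMware or Sectigo tooling: it splits a downloaded PEM bundle and reorders it end-entity first by matching each certificate's issuer name to the subject name of the next certificate. It assumes issuer and subject names are byte-identical along the chain and does not verify signatures; the function names are illustrative.

```python
import base64
import re
import sys

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Read one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def names(der):
    """Return (subject, issuer) as raw DER Name bytes of one certificate."""
    _, start, _ = read_tlv(der, 0)        # outer Certificate SEQUENCE
    _, pos, end = read_tlv(der, start)    # TBSCertificate SEQUENCE
    fields = []
    while pos < end:
        tag, _, value_end = read_tlv(der, pos)
        if tag != 0xA0:                   # skip the optional [0] version field
            fields.append(der[pos:value_end])
        pos = value_end
    return fields[4], fields[2]           # serial, sigAlg, issuer, validity, subject

def order_chain(pem_text):
    """Return the bundle's PEM blocks ordered end-entity first, top-level root last."""
    certs = []
    for m in PEM_RE.finditer(pem_text):
        subject, issuer = names(base64.b64decode(m.group(1)))
        certs.append({"pem": m.group(0), "subject": subject, "issuer": issuer})
    by_subject = {c["subject"]: c for c in certs}
    issuers = {c["issuer"] for c in certs if c["issuer"] != c["subject"]}
    leaves = [c for c in certs if c["subject"] not in issuers and c["issuer"] != c["subject"]]
    if len(leaves) != 1:
        raise ValueError(f"expected 1 end-entity certificate, found {len(leaves)}")
    chain = leaves
    while chain[-1]["issuer"] != chain[-1]["subject"]:   # stop at the self-signed root
        parent = by_subject.get(chain[-1]["issuer"])
        if parent is None or parent in chain:
            raise ValueError("chain is incomplete: an issuer is missing from the bundle")
        chain.append(parent)
    if len(chain) != len(certs):
        raise ValueError(f"{len(certs) - len(chain)} certificate(s) do not link into the chain")
    return [c["pem"] for c in chain]

if __name__ == "__main__" and len(sys.argv) > 1:
    print("\n".join(order_chain(open(sys.argv[1]).read())))
```

Run it with the path of the downloaded bundle as the only argument. A "chain is incomplete" error corresponds to the cause described above, where the certificate at the top of the bundle is itself signed by a CA that is not included.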