• You are unable to configure a Microsoft Certificate Authority (CA) in VCF Operations 9.0.x. The configuration fails sequentially, first during the API call, and subsequently with an unauthorized access error.
  
  
• When adding the CA, the /storage/log/vcops/log/vcops-bridge.log  in VCF Operations Manager appliance records an API error indicating a failure to expand a variable:

2026-02-09T18:45:50.210Z INFO vcfops-bridge 5105 [ops@4413 threadId="8010" threadName="ServerConnection on port 10000 Thread 13"] [com.vmware.vcops.bridge.server.vcf.certificate.task.VRSLCMRestManager.configureMSCA] - Configuring CA with the URL : https:///lcm/lcops/api/v2/settings/msca-settings?mscaUrl=[MSCA_URL]/certsrv&password=[USER_PASSWORD]&templateName={TEMPLATE_NAME]&userName:[[email protected]] 2026-02-09T18:45:50.210Z ERROR vcfops-bridge 5105 [ops@4413 threadId="8010" threadName="ServerConnection on port 10000 Thread 13"] [com.vmware.vcops.bridge.server.vcf.certificate.task.VRSLCMRestManager.configureMSCA] - Exception occurred while configuring microsoft ca on VRSLCMNot enough variable values available to expand '[PARTIAL_PASSWORD]'

• After updating the password, the Microsoft CA server IIS logs show SDDC Manager failing to authenticate with a 401.2 error:

GET /certsrv/certrqxt.asp - 443 - <SDDC_Manager_IP> Apache-HttpClient/5.3.1+(Java/17.0.12) - 401 2 5 1516 329 194

• The /var/log/vrlcm/vmware_vrlcm.log on the VCF Fleet Management appliance shows the error below:
  
  ERROR vrlcm[151263] [http-nio-8080-exec-4] [c.v.v.l.l.c.MSCARestClient]  -- Exception occurred while trying to validate Microsoft CA
...
org.springframework.web.client.HttpClientErrorException$Unauthorized: 401 Unauthorized:
...
401 - Unauthorized: Access is denied due to invalid credentials.
...
You do not have permission to view this directory or page using the credentials that you supplied.
  
  
• If a manual certificate import was attempted, **Fleet Management > Certificates** shows no certificates for the SDDC instance, and the `vcops-bridge.log` records certificate trust and KV store errors:
  
  [com.vmware.vcops.bridge.server.vcf.certificate.transformer.VcfCertificateGenericTransformer.getVcfCertificateAuthorities] - Exception occurred while getting the CA configuration in KV storeCA - [SDDC_HOSTNAME] not found in kv store. java.lang.RuntimeException: CA - [SDDC_ HOSTNAME] not found in kv store. ... [com.vmware.vcops.bridge.server.vcf.certificate.transformer.VcfCertificateGenericTransformer.configureVcfCertificateAuthorities] - Unable to save CA configuration of SDDC-M : I/O error on PUT request for "[SDDC_URL]/v1/certificate-authorities": PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

VCF Operations for Logs 9.0.x

There may be distinct causes preventing the Microsoft CA configuration:

1. The service account password contains special characters (specifically curly brackets { }). The API framework incorrectly interprets the brackets as a variable, causing a parsing failure. This is verified by the vcops-bridge.log showing the API attempting to expand the curly brackets.
2. The Microsoft CA Web Enrollment site (/certsrv) is not configured for Basic Authentication. SDDC Manager expects Basic Authentication. When the IIS server is only configured for Windows Authentication (NTLM/Negotiate), the connection is denied. This is verified by the vmware_vrlcm.log and the Microsoft CA server logs recording a 401 2 5 status code (401.2 Unauthorized, Win32 Error 5: Access is Denied).
3. An out-of-band manual certificate import was performed on the SDDC Manager using legacy procedures (such as KB 314632). Because this was done outside of VCF Operations, it causes a certificate trust mismatch (PKIX path failure) between VCF Operations (Fleet Management) and the SDDC Manager.

Proceed with the relevant solutions below to address the password formatting, IIS authentication, and certificate trust.

Service Account Password Formatting

• Update the Microsoft CA service account password to ensure it does not contain curly brackets { } to prevent the REST API from treating the string as a variable: Configure Certificate Authority for VCF Management fails with error, "Certificate authorities update failed"

IIS Authentication Configuration

• Configure the Microsoft CA server to allow Basic Authentication for the /certsrv IIS application to successfully authenticate: Unable to configure the Certificate Authority (CA) in the VMware Cloud Foundation Operations 9.0 environment

Re-establish Certificate Trust (If a manual import was performed)

If you previously attempted to manually update the SDDC Manager certificate using legacy KBs (such as KB 314632), you must re-establish trust in VCF Operations:

1. Navigate to VCF Operations > Management > Integrations.
2. Edit the VCF adapter instance associated with the SDDC and click Validate to accept the new certificate.
3. Stop and start collection on all VCF adapter instances from the Integrations page.
4. Navigate to Infrastructure Operations > Configurations > Inventory Management > Adapter Instances, and stop all Infrastructure Management Adapter instances.
5. After a minute or two, start all Infrastructure Management Adapter instances.
6. Navigate to Fleet Management > Certificates and verify the certificates now populate properly.

Final Steps

• Ensure the service account has the proper Read and Enroll permissions on the Certificate Template: Assign Certificate Management Privileges to the VMware Cloud Foundation Service Account
  
  
• Re-run the CA configuration in VCF Operations.