Configuring external SSO configuration in VCF 9 fails with "Failed to connect to host:FQDN/IP" due to certificate format

Article ID: 432950

Updated On:

Products

VCF Operations

Issue/Introduction

  • The VCF management interface reports "Failed to connect to host: <FQDN/IP_of_Domain_Controller>".
  • The following error pattern is observed in the /services-logs/vidb-external/vidb-mgmt-xxxxx/vidb-service-xxxxx-xxxx/vidb-service/console-log-xxxxxxxx.log on the VCF Operations/Identity Broker appliance:

2026-03-11T17:02:53.846864317Z stdout F 2026-03-11T17:02:53,846 ERROR vidb-service-xxxxxxxxx-xxxx:usergroup (usergroup-xx-xx-xx) [CUSTOMER;xxxxxxx;xx.xx.xx.xx;xxxxxxxx;-] com.vmware.vidm.dirsynclib.datastore.querymanager.impl.ssl.SslQueryManagerUtil - The certificates are not valid as x509 conversion failed. java.security.cert.CertificateException: Unable to get certificate
2026-03-11T17:02:53.846894582Z stdout F         at com.vmware.horizon.pki.util.certificate.AbstractCertificateUtils.getCertificateFromPemWithDefaultProvider(AbstractCertificateUtils.java:178)
2026-03-11T17:02:53.846898651Z stdout F         at com.vmware.horizon.pki.util.certificate.AbstractCertificateUtils.getCertificateFromPem(AbstractCertificateUtils.java:146)
2026-03-11T17:02:53.846903688Z stdout F         at com.vmware.horizon.pki.util.certificate.AbstractCertificateUtils.getCertificateFromPem(AbstractCertificateUtils.java:120)
2026-03-11T17:02:53.846928905Z stdout F         at com.vmware.horizon.pki.util.CertUtilities.parsePemCertificate(CertUtilities.java:137)
2026-03-11T17:02:53.846931256Z stdout F         at com.vmware.vidm.dirsynclib.datastore.querymanager.impl.CertificateExtractor.getAcceptedCertificates(CertificateExtractor.java:38)
2026-03-11T17:02:53.846933121Z stdout F         at com.vmware.vidm.dirsynclib.datastore.querymanager.impl.ssl.SslQueryManagerUtil.setCertificate(SslQueryManagerUtil.java:152)
2026-03-11T17:02:53.846934942Z stdout F         at com.vmware.vidm.dirsynclib.datastore.querymanager.impl.ssl.SslQueryManagerUtil.getSocketFactory(SslQueryManagerUtil.java:145)
2026-03-11T17:02:53.846936822Z stdout F         at com.vmware.vidm.usergroup.service.broker.connector.ActiveDirectoryServiceImpl.prepareEnvironment(ActiveDirectoryServiceImpl.java:175)
2026-03-11T17:02:53.846940063Z stdout F         at com.vmware.vidm.usergroup.service.broker.connector.ActiveDirectoryServiceImpl.prepareLdapContextAndConnect(ActiveDirectoryServiceImpl.java:184)
2026-03-11T17:02:53.846942009Z stdout F         at com.vmware.vidm.usergroup.service.broker.connector.ActiveDirectoryServiceImpl.validateConnectToLdap(ActiveDirectoryServiceImpl.java:114)
2026-03-11T17:02:53.8469443Z stdout F   at com.vmware.vidm.usergroup.service.broker.connector.LdapDirectoryConfigValidationServiceImpl.validateConnectivityToDirectoryConfig(LdapDirectoryConfigValidationServiceImpl.java:95)
2026-03-11T17:02:53.846946555Z stdout F         at com.vmware.vidm.usergroup.service.broker.connector.LdapDirectoryConfigValidationServiceImpl.lambda$validateDirectory$1(LdapDirectoryConfigValidationServiceImpl.java:43)
2026-03-11T17:02:53.846948357Z stdout F         at java.base/java.util.concurrent.CompletableFuture$UniApply.tryFire(Unknown Source)
2026-03-11T17:02:53.846950299Z stdout F         at java.base/java.util.concurrent.CompletableFuture.postComplete(Unknown Source)
2026-03-11T17:02:53.846952417Z stdout F         at java.base/java.util.concurrent.CompletableFuture$AsyncSupply.run(Unknown Source)
2026-03-11T17:02:53.846955Z stdout F    at com.vmware.vidm.common.async.ContextPassingExecutor.lambda$wrap$0(ContextPassingExecutor.java:48)
2026-03-11T17:02:53.846957402Z stdout F         at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
2026-03-11T17:02:53.846959485Z stdout F         at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
2026-03-11T17:02:53.846961526Z stdout F         at java.base/java.lang.Thread.run(Unknown Source)
2026-03-11T17:02:53.846963638Z stdout F Caused by: java.security.cert.CertificateException: malformed PEM data encountered
2026-03-11T17:02:53.84696549Z stdout F  at org.bouncycastle.jcajce.provider.CertificateFactory.readCertificate(Unknown Source)
2026-03-11T17:02:53.846967486Z stdout F         at org.bouncycastle.jcajce.provider.CertificateFactory.engineGenerateCertificate(Unknown Source)
2026-03-11T17:02:53.846969609Z stdout F         at java.base/java.security.cert.CertificateFactory.generateCertificate(Unknown Source)
2026-03-11T17:02:53.846971557Z stdout F         at com.vmware.horizon.pki.util.certificate.AbstractCertificateUtils.getCertificateFromPemWithDefaultProvider(AbstractCertificateUtils.java:171)
2026-03-11T17:02:53.84697347Z stdout F  ... 18 more
2026-03-11T17:02:53.846975264Z stdout F Caused by: java.io.IOException: malformed PEM data encountered
2026-03-11T17:02:53.846977088Z stdout F         at org.bouncycastle.jcajce.provider.PEMUtil.readPEMObject(Unknown Source)
2026-03-11T17:02:53.846981917Z stdout F         at org.bouncycastle.jcajce.provider.CertificateFactory.readPEMCertificate(Unknown Source)
2026-03-11T17:02:53.846983939Z stdout F         ... 22 more
2026-03-11T17:02:53.846985529Z stdout F
2026-03-11T17:02:53.847102725Z stdout F com.vmware.vidm.usergroup.service.broker.connector.ActiveDirectoryServiceImpl - Unable to establish a connection to Active Directory or perform a bind operation, please check the configuration and try again.

Environment

  • VCF Operations 9.x
  • VCF Fleet Management 9.x
  • VMware Identity Broker 9.x

Cause

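The VMware Identity Broker (vIDB) in VCF 9.x uses the Java ExplicitX509TrustManager class to validate the integrity of the connection to external Identity Providers. This component requires the certificate to be presented in PEM format; when the supplied certificate cannot be read as PEM, the x509 conversion fails with the "malformed PEM data encountered" exception shown in the log above.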

Resolution

Ensure that the certificate supplied for the primary domain controller during identity source configuration is in PEM format and includes the "BEGIN CERTIFICATE" and "END CERTIFICATE" lines.
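
A pre-flight check for the format requirement above, as an added example (not VMware's code and not the validation vIDB itself performs): it classifies a certificate blob as PEM, header-less base64 or binary DER, and re-emits it with the BEGIN/END CERTIFICATE lines. It inspects only the outer ASN.1 shape; the function names and the zero-filled sample are assumptions constructed for illustration.

```python
import base64
import re

# Matches one PEM-armoured certificate, including both marker lines.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s+(.*?)\s+-----END CERTIFICATE-----", re.S)

def is_der_sequence(buf: bytes) -> bool:
    """True if buf is exactly one ASN.1 SEQUENCE (outer shape of an X.509 cert)."""
    if len(buf) < 2 or buf[0] != 0x30:
        return False
    if buf[1] < 0x80:                              # short-form length
        hdr, length = 2, buf[1]
    else:                                          # long-form length
        n = buf[1] & 0x7F
        if not 1 <= n <= 4 or len(buf) < 2 + n:
            return False
        hdr, length = 2 + n, int.from_bytes(buf[2:2 + n], "big")
    return hdr + length == len(buf)

def classify(data: bytes):
    """Return (kind, der); kind is 'pem', 'bare-base64', 'der' or 'invalid'."""
    if is_der_sequence(data):
        return "der", data
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return "invalid", b""
    match = PEM_RE.search(text)
    body = match.group(1) if match else text
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except ValueError:                             # binascii.Error is a ValueError
        return "invalid", b""
    if not is_der_sequence(der):
        return "invalid", b""
    return ("pem" if match else "bare-base64"), der

def to_pem(data: bytes) -> str:
    """Re-emit any recognised input as PEM with BEGIN/END CERTIFICATE lines."""
    kind, der = classify(data)
    if kind == "invalid":
        raise ValueError("not a PEM, base64 or DER certificate")
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# Constructed placeholder: a DER SEQUENCE of 256 zero bytes, not a real certificate.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(256)
```

A result of 'bare-base64' or 'der' means the content is recoverable but the marker lines are missing; pass it through to_pem() before pasting it into the identity source configuration.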

Additional Information

Configure a Certificate For Use With VCF Operations