SDDC Manager certificates show as VMCA after successful CSR and replacement

Article ID: 433185

Updated On:

Products

VCF Operations

Issue/Introduction

In VCF Operations 9.0.x, after running the "replace with configured CA certificate" workflow using a Microsoft CA for the SDDC Manager from Fleet Management > Certificates > VCF Instances, you observe that only the TLS certificate shows as a Microsoft CA certificate in the UI. The root and intermediate certificates still appear as VMCA.

Environment

VCF Operations 9.0.x

Cause

For VCF Management components such as SDDC Manager, only the newly generated TLS certificate shows as the Microsoft CA type in the UI, and that certificate includes the full chain. The original root and intermediate entries do not change their displayed type, which can lead to the false assumption that the replacement failed.

Resolution

No further action is required to replace the SDDC Manager certificate. The initial replacement is successful and the certificate is valid.

To confirm the new certificate is in place and functional:

  1. Navigate to Administration > Integrations > VMware Cloud Foundation adapter instance.

  2. Click the ellipses (3 dots) > Edit.

  3. Click Validate Connection.

If the validation succeeds without presenting a new certificate prompt, this confirms the certificate is functional.

A new certificate prompt appears only if you manually update the certificate on SDDC Manager outside of VCF Operations 9.0.x and then run the steps above.


Additional Information

If you initiate the certificate replacement workflow again because the intermediate and root certificates display as VMCA, the duplicate task might hang in both VCF Operations (Fleet Management > Tasks) and the management vCenter Server (Recent Tasks).

This potentially occurs because the system detects the already-updated Microsoft CA certificate but fails to properly cancel, clean up, or report the reason for stopping the duplicate task. SDDC Manager logs (/var/log/vmware/vcf/operationsmanager/operationsmanager.log) confirm that the first attempt succeeded and that subsequent attempts were skipped or failed:

2026-02-19T23:35:47.159+0000 DEBUG [vcf_om,69979e52f024a47cc71c0e9e7a300177,b2c5] [c.v.v.c.u.c.CertificateRetrieverUtil,om-exec-28] Certificate chain length is :3 for resource `[SDDC_HOSTNAME]`:443`

2026-02-19T23:35:47.208+0000 DEBUG [vcf_om,69979e52f024a47cc71c0e9e7a300177,b2c5] [c.v.v.c.s.o.i.CertificateOperationOrchestratorImpl,om-exec-28] Verified caType Microsoft for `[SDDC_HOSTNAME]`

2026-02-19T23:35:47.208+0000 DEBUG [vcf_om,69979e52f024a47cc71c0e9e7a300177,b2c5] [c.v.v.c.s.o.i.CertificateOperationOrchestratorImpl,om-exec-28] Not updating certificate in DB for `[SDDC_HOSTNAME]` because it was last updated on 2026-02-19T22:44:27.142043Z

2026-02-19T23:25:48.606+0000 DEBUG [vcf_om,69979bfc36ef86c1ef880b6be928455f,ccad] [c.v.v.c.s.f.i.CertificateOperationsFacadeImpl,http-nio-###.#.#.#-7300-exec-5] DomainCertificateOperation: {"workflowId":"[GUID]","domainName":"[REDACTED_DOMAIN]","operationType":"REPLACE_CERTIFICATE","operationStatus":"*","resourceCertificateOperations":[{"resource":{"hostName":"[SDDC_HOSTNAME]","resourceType":"sddcmanager","master":false},"result":{"status":"INPROGRESS","message":"{"code":"CERTIFICATE_REPLACEMENT_FAILED_OPS_MANAGER_CRASH","args":["*"]}"},"creationTimestamp":1771540265853,"updateTimestamp":1771543234569}],"retryOperation":false}
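As an added example (not part of this article or of any Broadcom tooling), the following Python script triages operationsmanager.log records in the format shown above, extracting the verified chain length and CA type, the "last updated on" reason a repeat run was skipped, and any failure codes embedded in the operation JSON. The record layout is inferred from the article's lines, and the sample records are those lines with the article's placeholders left intact.

```python
import re

# One operationsmanager.log record: timestamp, level, [trace ctx], [class,thread], message.
RECORD = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\S+)\s+(?P<level>[A-Z]+)\s+"
    r"\[(?P<trace>[^\]]*)\]\s+\[(?P<source>[^\]]*)\]\s+(?P<msg>.*)$"
)
CHAIN_LEN = re.compile(r"Certificate chain length is\s*:(\d+)")
CA_TYPE = re.compile(r"Verified caType (\w+)")
SKIPPED = re.compile(r"Not updating certificate in DB .* last updated on (\S+)")
# The operation JSON embeds "message" as unescaped JSON, so json.loads() would
# reject it; pull the error code out with a regex instead.
FAIL_CODE = re.compile(r'"code":"([A-Z_]+)"')

# Sample records copied from the article, placeholders ([SDDC_HOSTNAME], [GUID], ...) included.
SAMPLE_LOG = """
2026-02-19T23:35:47.159+0000 DEBUG [vcf_om,69979e52f024a47cc71c0e9e7a300177,b2c5] [c.v.v.c.u.c.CertificateRetrieverUtil,om-exec-28] Certificate chain length is :3 for resource `[SDDC_HOSTNAME]`:443`
2026-02-19T23:35:47.208+0000 DEBUG [vcf_om,69979e52f024a47cc71c0e9e7a300177,b2c5] [c.v.v.c.s.o.i.CertificateOperationOrchestratorImpl,om-exec-28] Verified caType Microsoft for `[SDDC_HOSTNAME]`
2026-02-19T23:35:47.208+0000 DEBUG [vcf_om,69979e52f024a47cc71c0e9e7a300177,b2c5] [c.v.v.c.s.o.i.CertificateOperationOrchestratorImpl,om-exec-28] Not updating certificate in DB for `[SDDC_HOSTNAME]` because it was last updated on 2026-02-19T22:44:27.142043Z
2026-02-19T23:25:48.606+0000 DEBUG [vcf_om,69979bfc36ef86c1ef880b6be928455f,ccad] [c.v.v.c.s.f.i.CertificateOperationsFacadeImpl,http-nio-###.#.#.#-7300-exec-5] DomainCertificateOperation: {"workflowId":"[GUID]","domainName":"[REDACTED_DOMAIN]","operationType":"REPLACE_CERTIFICATE","operationStatus":"*","resourceCertificateOperations":[{"resource":{"hostName":"[SDDC_HOSTNAME]","resourceType":"sddcmanager","master":false},"result":{"status":"INPROGRESS","message":"{"code":"CERTIFICATE_REPLACEMENT_FAILED_OPS_MANAGER_CRASH","args":["*"]}"},"creationTimestamp":1771540265853,"updateTimestamp":1771543234569}],"retryOperation":false}
"""


def triage(log_text):
    """Summarise a replacement run: chain length and CA type verified on the
    resource, the DB timestamp that caused a repeat run to be skipped (None if
    no skip was logged), failure codes reported, and lines that did not parse."""
    out = {"chain_length": None, "ca_type": None, "skipped_last_updated": None,
           "failure_codes": [], "unparsed": 0}
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = RECORD.match(line)
        if not rec:
            out["unparsed"] += 1
            continue
        msg = rec.group("msg")
        if m := CHAIN_LEN.search(msg):
            out["chain_length"] = int(m.group(1))
        if m := CA_TYPE.search(msg):
            out["ca_type"] = m.group(1)
        if m := SKIPPED.search(msg):
            out["skipped_last_updated"] = m.group(1)
        for code in FAIL_CODE.findall(msg):
            if code not in out["failure_codes"]:
                out["failure_codes"].append(code)
    return out


def first_run_succeeded(summary):
    """True when a non-VMCA chain was verified and the repeat run was skipped
    because the DB already held the newer certificate (the article's scenario)."""
    return (summary["ca_type"] not in (None, "VMCA")
            and summary["skipped_last_updated"] is not None)
```

Run it against the real log with `triage(open("/var/log/vmware/vcf/operationsmanager/operationsmanager.log").read())`; a verified non-VMCA caType together with a "Not updating certificate in DB" skip means the first replacement is in place, and any failure code belongs to the duplicate task rather than to the certificate.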