Cross vCenter vMotion fails with "Authenticity of the host's SSL certificate is not verified"
Article ID: 433237

Products

VMware vCenter Server

Issue/Introduction

  • Cross vCenter vMotion fails with the error "Authenticity of the host's SSL certificate is not verified"
  • The following remote host certificate validation error is logged in the vpxd.log of the source vCenter Server:
    --> PeerThumbprint: <Destination vCenter machine ssl thumbprint>
    --> ExpectedThumbprint:
    --> ExpectedPeerName: <Destination vCenter IP>
    --> The remote host certificate has these problems:
    -->
    --> * unable to get local issuer certificate)
  • The error occurs even though the Machine SSL Certificate of the destination vCenter Server has been imported into the Trusted Roots of the source vCenter Server

Environment

VMware vSphere 8.x

Cause

This issue occurs because the root certificate of the authority (Issuer / CA) that issued the Machine SSL Certificate of the destination vCenter Server is not present in the Trusted Roots of the source vCenter Server.
During certificate chain verification, the issuer's certificate (the "local issuer" named in the logged error) cannot be found, so the authenticity of the destination's certificate cannot be verified.

Resolution

To resolve this issue, identify and export the CA certificate of the Issuer on the destination vCenter Server, and then import it into the Trusted Roots of the source vCenter Server.

Perform the following steps:

Step 1: Identify the Issuer on the destination vCenter Server

  1. SSH into the destination vCenter Server and identify the Issuer by checking the Machine SSL Certificate information:
    /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store MACHINE_SSL_CERT --text

    Verify that the Issuer is a different CA and not the destination vCenter Server itself.
    Example (where sddc01.xxxx.xxx is the CA):
    Issuer: C=US, ST=California, L=Palo Alto, O=sddc01.xxxx.xxx, OU=VMware Engineering, CN=sddc01.xxxx.xxx

Step 2: Export the certificates from the destination vCenter Server

  1. Export the Machine SSL Certificate from the destination vCenter Server:
    /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT > machine-ssl-cert.crt
  2. Find the alias of the Trusted Root certificate whose Subject matches the Issuer identified in Step 1:
    /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS --text

    *Note: Depending on the environment, there may be multiple root certificates in the TRUSTED_ROOTS store.
  3. Export the Trusted Root certificates (run the command once for each existing alias):
    /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store TRUSTED_ROOTS --alias xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx > trusted-root-cert-1.crt
    /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store TRUSTED_ROOTS --alias yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy > trusted-root-cert-2.crt

Step 3: Transfer files to the source vCenter Server and verify

  1. Copy (e.g., using scp) all the certificate files exported in Step 2 (machine-ssl-cert.crt and the trusted-root-cert-x.crt files) to any directory (e.g., /tmp) on the source vCenter Server.
  2. Use the following openssl verify command to determine which Trusted Root certificate is the correct Issuer of the Machine SSL Certificate. Run it against each exported root certificate in turn:
    openssl verify -CAfile trusted-root-cert-1.crt machine-ssl-cert.crt
    openssl verify -CAfile trusted-root-cert-2.crt machine-ssl-cert.crt
    (and so on for each remaining trusted-root-cert-x.crt)

    For the correct root certificate, OK is returned as shown below (verification fails for the others). Use the certificate file that returned OK (trusted-root-cert-x.crt in this example) in the next step.
    machine-ssl-cert.crt: OK

Step 4: Import the certificate into the source vCenter Server and verify

  1. Publish (import) the root certificate that returned OK in Step 3 into the Trusted Roots of the source vCenter Server:
    /usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert <Certificate_file_name_that_returned_OK> --login 'administrator@<SSO_domain>' --password '<administrator_password>'
  2. After the certificate import is complete, wait a few minutes for the change to propagate to all services.
  3. Run the Cross vCenter vMotion again and confirm that the migration completes successfully.

Additional Information

Related KB:  Error: "Authenticity of the host's SSL certificate is not verified" When Migrating VMs Using Cross vCenter Migration