In VMware Aria Operations (formerly vRealize Operations), attempting to add a repository via Administration -> Integrations -> Repository -> Add fails with a popup error.

The following symptoms are observed:

• UI Error: "Unable to import the certificate. Verify that the certificate is valid and try again."
• Log Findings: The casa logs (located at /storage/log/vcops/log/casa.log) show a java.lang.IllegalArgumentException: must be nonnegative during certificate validation.

2026-01-23T01:29:40.294Z WARN casa 18735 [ops@4413 threadId="225" threadName="ajp-nio-127.0.0.1-8011-exec-6" requestId="tk000aDE"] [com.vmware.vcops.casa.exception.CasaControllerExceptionHandler.casaExceptionHandler:212] - cause for exception = java.lang.IllegalArgumentException: must be nonnegative
java.lang.IllegalArgumentException: must be nonnegative
at com.vmware.vcops.casa.support.function.StrFunction.toXsDateTime(StrFunction.java:67) ~[classes/:?]
at com.vmware.vcops.casa.security.CertificateDescription.setCert(CertificateDescription.java:207) ~[classes/:?]
at com.vmware.vcops.casa.security.SecurityService.getTrustedCerts(SecurityService.java:2417) ~[classes/:?]
at com.vmware.vcops.casa.status.OperationCheckerService.isCertficatesExpired(OperationCheckerService.java:558) ~[classes/:?]

VMware Aria Operations 8.18.X

A certificate residing in the tcserver.truststore (typically associated with Lenovo LXCA) has an invalid "Valid from" date (e.g., December 31, 1969) that precedes the Unix epoch (January 1, 1970), resulting in a negative timestamp that triggers the Java exception.

Follow these steps to identify and remove the problematic certificate from the Primary node:

1. Identify the problematic alias: Run the following command to list certificates and look for "Valid from" dates in 1969:

   1. Log in to the Primary node as the root user.

   2. Verify the SSL passwords for the keystore and truststore:

      • cat /storage/vcops/user/conf/ssl/storePass.properties
        
        • sslkeystorePassword=KEY_STORE_PASSWORD
        • ssltruststorePassword=TRUST_STORE_PASSWORD

   3.  List the certificates in the tcserver.keystore:

      • /usr/java/latest/bin/keytool -list -v -keystore /storage/vcops/user/conf/ssl/tcserver.keystore 
        • Enter the KEY_STORE_PASSWORD at the password prompt.

   4. List the certificates in the truststores:

      • For tcserver.truststore:
        • /usr/java/latest/bin/keytool -list -v -keystore /storage/vcops/user/conf/ssl/tcserver.truststore
        • Enter the TRUST_STORE_PASSWORD at the password prompt.
      • For cluster.truststore:
        • /usr/java/latest/bin/keytool -list -v -keystore /storage/vcops/user/conf/ssl/cluster.truststore
        • Enter the TRUST_STORE_PASSWORD at the password prompt.

   5. Example : Identify the alias of the certificate where the "Valid from" date precedes the Linux epoch (January 1, 1970).
      your keystore contains 5 entries
      alias name : XX-##-##-##-###--####
      creation date : feb 10, 2026
      entry type : trustedcertentry
      owner: cn=COMMN_NAME, ou=OU, o=ORGANIZATION, l=LOCALITY, st=STATE, c=COUNTRY
      issuer: cn=COMMN_NAME, ou=OU, o=ORGANIZATION, l=LOCALITY, st=STATE, c=COUNTRY
      serial number : SERIAL_NUMBER
      valid from : wed dec 31 05:00:00 utc 1969 until : tue dec 31 05:00:00 utc 2069

2. Delete the invalid certificate: Execute the delete command using the identified alias :

   • #/usr/java/latest/bin/keytool -delete -alias "<ALIAS_NAME>" -keystore /storage/vcops/user/conf/ssl/tcserver.truststore -storepass TRUST_STORE_PASSWORD

3. Restart Services: $ service vmware-vcops restart

4. Verify: Retry adding the repository in the Aria Operations UI.

If the deleted certificate was used as a Custom Web Certificate, you may need to reload default certificates. Refer to: Reload the default certificate in VMware Aria Operations (326393)