ESXi custom SSL certificate replacement fails with Low-level system error

Article ID: 435313

Updated On:

Products

VMware vSphere ESXi

Issue/Introduction

  • Replacing default ESXi SSL certificates with custom CA certificates fails via the vSphere Client UI with the following error:

Operation failed. Cannot change the host configuration. Low-level system error. See logs for details.

  • In /var/run/log/hostd.log, you will find entries similar to:

 In(166) Hostd[ID]: [Originator@6876 sub=Vimsvc.TaskManager opID=OP_ID sid=SESSION_ID user=USER:DOMAIN\USER] Task Created : haTask -- vim.host.CertificateManager.installServerCertificate-6498710

 Er(163) Hostd[ID]: [Originator@6876 sub=Vimsvc.CertMgr opID=OP_ID sid=SESSION_ID user=USER:DOMAIN\USER] Failed to get private key: error:1E08010C:DECODER routines::unsupported

 In(166) Hostd[ID]: [Originator@6876 sub=AdapterServer opID=OP_ID sid=SESSION_ID user=USER:DOMAIN\USER] AdapterServer caught exception; <<GUID, <TCP 'IP_ADDRESS : PORT'>, <TCP 'IP_ADDRESS : PORT'>>, ha-certificate-manager, vim.host.CertificateManager.installServerCertificate, <vim.version.v8_0_3_0, internal, 8.0.3.0>, [HEX_ADDRESS]>, N3Vim5Fault15HostConfigFault9ExceptionE (Fault cause: vim.fault.HostConfigFault
 In(166) Hostd[ID]: --> )
 In(166) Hostd[ID]: --> [context]ENCODED_DATA[/context]
 In(166) Hostd[ID]: [Originator@6876 sub=Vimsvc.TaskManager opID=OP_ID sid=SESSION_ID user=USER:DOMAIN\USER] Task Completed : haTask -- vim.host.CertificateManager.installServerCertificate-6498710 Status error
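
"Low-level system error" is a generic HostConfigFault, so it helps to confirm that a failed installServerCertificate task carries this specific private-key error by correlating the hostd.log lines on their opID. The script below is an added example, not VMware or Broadcom code; the sample log lines and the names triage, HEADER, TASK and KEY_ERR are constructed for illustration.

```python
import re
import sys

# Constructed sample in the hostd.log layout quoted above. The opID, sid, user and
# task numbers are made-up values for this example, not output from a real host.
SAMPLE = """\
In(166) Hostd[2100]: [Originator@6876 sub=Vimsvc.TaskManager opID=aaaa-01 sid=52aa user=vpxuser:LAB\\admin] Task Created : haTask -- vim.host.CertificateManager.installServerCertificate-101
Er(163) Hostd[2100]: [Originator@6876 sub=Vimsvc.CertMgr opID=aaaa-01 sid=52aa user=vpxuser:LAB\\admin] Failed to get private key: error:1E08010C:DECODER routines::unsupported
In(166) Hostd[2100]: [Originator@6876 sub=Vimsvc.TaskManager opID=aaaa-01 sid=52aa user=vpxuser:LAB\\admin] Task Completed : haTask -- vim.host.CertificateManager.installServerCertificate-101 Status error
In(166) Hostd[2100]: [Originator@6876 sub=Vimsvc.TaskManager opID=bbbb-02 sid=52bb user=vpxuser:LAB\\admin] Task Created : haTask -- vim.host.CertificateManager.installServerCertificate-102
In(166) Hostd[2100]: [Originator@6876 sub=Vimsvc.TaskManager opID=bbbb-02 sid=52bb user=vpxuser:LAB\\admin] Task Completed : haTask -- vim.host.CertificateManager.installServerCertificate-102 Status success
""".splitlines()

HEADER = re.compile(r"sub=(?P<sub>\S+)\s+opID=(?P<op>\S+)")
TASK = re.compile(r"Task\s+(Created|Completed)\s*:.*installServerCertificate-(\d+)(?:\s+Status\s+(\w+))?")
KEY_ERR = re.compile(r"Failed to get private key:\s*(.+)")


def triage(lines):
    """Group hostd.log lines by opID; return certificate installs that hit the key error."""
    ops = {}
    for line in lines:
        hdr = HEADER.search(line)
        if not hdr:
            continue  # "-->" continuation lines carry no sub=/opID= header
        rec = ops.setdefault(hdr["op"], {"opID": hdr["op"], "task": None,
                                         "status": None, "key_error": None})
        task = TASK.search(line)
        if task:
            rec["task"] = task.group(2)
            if task.group(1) == "Completed":
                rec["status"] = task.group(3)
        err = KEY_ERR.search(line)
        if err and hdr["sub"] == "Vimsvc.CertMgr":
            # Collapse stray spaces around ':' so copied or re-wrapped lines compare equal.
            rec["key_error"] = re.sub(r"\s*:\s*", ":", err.group(1).strip())
    return [r for r in ops.values() if r["task"] and r["key_error"]]


if __name__ == "__main__":
    # Pass a copy of hostd.log as the first argument, or run without one for the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            source = fh.read().splitlines()
    else:
        source = SAMPLE
    for hit in triage(source):
        print(f"opID={hit['opID']} task=installServerCertificate-{hit['task']} "
              f"status={hit['status']}: {hit['key_error']}")
```

A hit means the host could not load its private key for that import, which is the condition the Resolution steps address by generating a fresh CSR.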

Environment

VMware vSphere ESXi 8.x

Cause

The private key generated on the ESXi host during the Certificate Signing Request (CSR) creation is missing or has been overwritten, preventing the certificate import sequence from validating the newly issued certificate.

Resolution

  1. Generate a new Certificate Signing Request (CSR) for the affected ESXi host via the vSphere Client.
  2. Submit the newly generated CSR to your Internal Certificate Authority (CA) for signing.
  3. After the CA issues the custom certificate, import it to replace the ESXi certificate using the vSphere Client.

Additional Information

Step by Step Process to replace ESXi vmca certificates to Custom from vCenter UI

Generate a Certificate Signing Request for a Custom Certificate Using the vSphere Client

Replace the Default Certificate Using the vSphere Client