VDT reports 'UNKNOWN-SIGNED' warning for vCenter Solution User certificates
Article ID: 435430

Products

VMware vCenter Server

Issue/Introduction

  • When running the VCF Diagnostic Tool for vSphere (VDT) on a vCenter Server Appliance, the VC VECS Check may report a [WARN] status for multiple solution user certificates (e.g., `machine`, `vsphere-webclient`, `vpxd`, `vpxd-extension`).
  • The warning reads "Certificate Trust Check (TRUSTED|UNKNOWN-SIGNED)" and its Documentation text states "This signer isn't the current VMCA":
    [WARN]    Certificate Trust Check (TRUSTED|UNKNOWN-SIGNED)
                Issuer Alias/Thumbprint: <stale VCSA Root certificate thumbprint>
                Issuer DN:CN=VMCA, C=##, ST=#####, L=#####, O=####, OU=####
                Documentation:
                        This signer isn't the current VMCA.
                        If this is a custom cert, then it is missing the full chain in the VECS entry.
                        Manually validate the certificate chain:
                        https://knowledge.broadcom.com/external/article/369297

                        Replace the certificate again, but with the complete chain
  • This warning can persist even if the Machine SSL certificate is correctly installed and trusted by a Custom CA.

Environment

  • VMware vCenter Server 8.x
  • VCF Diagnostic Tool for vSphere (VDT)

Cause

The internal solution user certificates are signed by a legacy or orphaned VMware Certificate Authority (VMCA) root that is no longer active or is missing from the `TRUSTED_ROOTS` store in VECS. This commonly occurs if the VMCA root was regenerated in the past, but the solution user certificates were not updated to match the new root.
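As an added check that is not part of this article, VDT or vCert, the following script reproduces the trust classification described above for each solution user store: signed by the current VMCA root (TRUSTED), signed by a different root that is still present in TRUSTED_ROOTS (the UNKNOWN-SIGNED warning), or signed by a root VECS does not hold at all. It assumes the standard VCSA locations of vecs-cli and the VMCA root file, that each solution user store holds its certificate under an alias equal to the store name, and that TRUSTED_ROOTS aliases are the root thumbprints VDT prints as "Issuer Alias/Thumbprint".

```shell
#!/bin/sh
# Added example: classify each solution user certificate the way VDT's
# "Certificate Trust Check" does. TRUSTED = signed by the current VMCA root,
# UNKNOWN-SIGNED = signed by some other root still present in TRUSTED_ROOTS
# (the warning this article covers), UNTRUSTED = signed by nothing VECS trusts.
# Assumed standard VCSA paths (not taken from the article):
VECS_CLI=/usr/lib/vmware-vmafd/bin/vecs-cli
VMCA_ROOT=/var/lib/vmware/vmca/root.cer
SOLUTION_USERS="machine vsphere-webclient vpxd vpxd-extension"

# classify_signer LEAF.pem CURRENT_ROOT.pem TRUSTED_DIR
# TRUSTED_DIR holds one PEM per TRUSTED_ROOTS entry, named <alias>.pem.
classify_signer() {
  leaf=$1; current_root=$2; trusted_dir=$3
  if openssl verify -CAfile "$current_root" "$leaf" >/dev/null 2>&1; then
    echo TRUSTED; return 0
  fi
  for root in "$trusted_dir"/*.pem; do
    [ -f "$root" ] || continue
    if openssl verify -CAfile "$root" "$leaf" >/dev/null 2>&1; then
      # Chain is valid, but the signer is not the current VMCA: VDT's warning case.
      echo "UNKNOWN-SIGNED signer=$(basename "$root" .pem)"; return 0
    fi
  done
  echo UNTRUSTED
}

# export_trusted_roots DIR: dump every TRUSTED_ROOTS entry as DIR/<alias>.pem.
# The alias of a trusted root in VECS is its SHA-1 thumbprint (VDT's "Issuer Alias/Thumbprint").
export_trusted_roots() {
  mkdir -p "$1"
  "$VECS_CLI" entry list --store TRUSTED_ROOTS |
    sed -n 's/^Alias[[:space:]]*:[[:space:]]*//p' |
    while read -r alias; do
      "$VECS_CLI" entry getcert --store TRUSTED_ROOTS --alias "$alias" > "$1/$alias.pem"
    done
}

# main: run on the VCSA with "--run"; each solution user store holds one cert
# under an alias with the same name as the store.
main() {
  work=$(mktemp -d)
  export_trusted_roots "$work/roots"
  for su in $SOLUTION_USERS; do
    "$VECS_CLI" entry getcert --store "$su" --alias "$su" > "$work/$su.pem"
    printf '%-18s %s\n' "$su" "$(classify_signer "$work/$su.pem" "$VMCA_ROOT" "$work/roots")"
  done
  rm -rf "$work"
}
if [ "${1:-}" = "--run" ]; then main; fi
```

Any store reported as UNKNOWN-SIGNED is one whose certificate the vCert procedure below will re-issue from the current VMCA.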

Resolution

To resolve these warnings, the solution user certificates must be replaced with certificates signed by the current active VMCA. This can be performed using the vCert utility.

Note: Before making changes, ensure you have a valid VAMI-based backup or offline snapshots of the vCenter Server.


  1. Download and install the latest vCert utility as described in vCert - Scripted vCenter Replacement.
  2. Launch the utility on the vCenter Server:
    ./vCert.py
  3. Navigate to Option 3: Manage certificates
  4. Select Option 2: Solution User certificates
  5. Choose the option Replace Solution User certificate with a VMCA-signed certificate

    Note: Restarting VMware services is not required and can be skipped.
  6. Re-run VDT to verify that the `VC VECS Check` now passes for all solution users

Additional Information

For more information on using the diagnostic tool, refer to Using the VCF Diagnostic Tool (VDT).