Error: "Certificate Authorities update failed" when configuring Microsoft Certificate Authority in Fleet Management.

Article ID: 439032

Updated On:

Products

VCF Operations

Issue/Introduction

Configuring a Microsoft Certificate Authority (CA) in Fleet Management fails with the following error:

Certificate Authorities update failed

On the Fleet Management appliance, the log /var/log/vrlcm/vmware_vrlcm.log contains the following exception message indicating certificate validation failure:

ERROR vrlcm[1301] [http-nio-8080-exec-3] [c.v.v.l.l.c.MSCARestClient]-- Exception occurred while trying to validate Microsoft CA
org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://Microsoft CA_FQDN/certsrv": Certificate for <Microsoft CA_FQDN> doesn't match any of the subject alternative names: []; nested exception is javax.net.ssl.SSLPeerUnverifiedException: Certificate for <Microsoft CA_FQDN> doesn't match any of the subject alternative names: []

Environment

VCF Operations 9.0.x

Cause

This issue is caused by two certificate validation failures:

  • The Microsoft CA Root certificate validity has expired.
  • Hostname mismatch: the configured Microsoft Certificate Authority Fully Qualified Domain Name (FQDN) does not match the Subject Alternative Name (SAN) present on the certificate.

Strict SSL/TLS verification requires that the endpoint presents a valid, unexpired certificate and that the hostname requested exactly matches a SAN entry on that certificate.

Resolution

To resolve this issue, the underlying certificate must be renewed and the configuration updated to match the correct hostname.

  1. Log in to the Microsoft Certificate Authority server.
  2. Renew the expired Microsoft CA Root certificate.
  3. Review the newly generated certificate and verify the Subject Alternative Name (SAN) field.
  4. Return to Fleet Management.
  5. Reconfigure the CA using the SAN name defined in the new certificate.
  6. Save the configuration.
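
The two checks from the Cause section can be run against a certificate before it is entered in Fleet Management. The following is an added example, not VMware or Broadcom code: it takes a certificate in the dict form returned by Python's ssl.SSLSocket.getpeercert() and reports an expired validity window and a configured FQDN that is missing from the SAN list. The certificates, hostnames and the fixed clock are constructed sample values, and the sketch assumes exact, case-insensitive matching against DNS-type SAN entries only (no wildcard handling, no fallback to the Common Name).

```python
import ssl
import time

# Constructed sample certificates in the dict form returned by
# ssl.SSLSocket.getpeercert(); names and dates are made up for illustration.
EXPIRED_NO_SAN = {
    "subject": ((("commonName", "ca01"),),),
    "notBefore": "Jan 15 00:00:00 2015 GMT",
    "notAfter": "Jan 15 00:00:00 2020 GMT",
}
RENEWED = {
    "subject": ((("commonName", "ca01"),),),
    "notBefore": "Jan 15 00:00:00 2025 GMT",
    "notAfter": "Jan 15 00:00:00 2035 GMT",
    "subjectAltName": (("DNS", "ca01.corp.example"), ("IP Address", "192.0.2.10")),
}
NOW = ssl.cert_time_to_seconds("Jun 15 00:00:00 2026 GMT")  # fixed clock for the demo


def _norm(name):
    """Lower-case a DNS name and drop a trailing dot so comparison is exact."""
    return name.lower().rstrip(".")


def dns_sans(cert):
    """Return the DNS-type SAN entries; an absent extension yields []."""
    return [_norm(v) for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]


def preflight(cert, configured_fqdn, now=None):
    """Return a list of failures: validity window first, then SAN match."""
    now = time.time() if now is None else now
    failures = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        failures.append("not yet valid (notBefore %s)" % cert["notBefore"])
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        failures.append("expired (notAfter %s)" % cert["notAfter"])
    sans = dns_sans(cert)
    # Assumption: only DNS SAN entries count; the subject CN is not consulted.
    if _norm(configured_fqdn) not in sans:
        failures.append("%r matches none of the DNS SANs %s" % (configured_fqdn, sans))
    return failures


if __name__ == "__main__":
    for label, cert, host in [("old", EXPIRED_NO_SAN, "ca01.corp.example"),
                              ("renewed, short name", RENEWED, "ca01"),
                              ("renewed, SAN name", RENEWED, "ca01.corp.example")]:
        print(label, "->", preflight(cert, host, NOW) or "OK")
```

An empty result means both checks pass; the "renewed, short name" case shows why step 5 uses the name from the SAN field rather than a short hostname.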