When attempting to replace custom CA-signed certificates through the VCF Operations admin portal, the certificate validation fails with the following error: "Extra certificates are present in the certificate file which don't belong to the chain."
VCF Operations 9.x
This error is caused by an incorrect certificate chain in the PEM file. VCF Operations performs a strict validation of the certificate chain and expects the file to be in a specific format. If the PEM file contains certificates that are not part of the direct path from the leaf to the root, or if the order is incorrect, the validation will fail.
To resolve this issue, you must verify and correct the certificate chain.
Use the vropsCertificateTool.py script to analyze the certificate PEM file. This tool helps identify mismatches or missing links in the intermediate issuer chain.
Refer to Troubleshooting certificate replacement in VMware Aria Operations using vropsCertificateTool.py (333948) for detailed steps on using the tool.
The finished PEM file should look similar to the following example, where the number of CERTIFICATE sections depends on the length of the issuing chain:

-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate: your_domain_name.crt)
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
(Your Private Key: your_domain_name.key)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(Your Intermediate certificate: DigiCertCA.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Root certificate: TrustedRoot.crt)
-----END CERTIFICATE-----
Ensure the private key is decrypted and matches the leaf certificate.
Once the PEM file is corrected and verified by the tool, retry the certificate replacement through the VCF Operations admin portal.
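As an added illustration (this is not the vropsCertificateTool.py script referenced above), the following Python checks a PEM bundle for the conditions described in this article: certificates that are not on the leaf-to-root path, a missing issuer, wrong order, an encrypted private key, and a key that does not match the leaf. It assumes the third-party `cryptography` package is installed for parsing the blocks; the chain logic itself (`analyse_chain`) uses only the standard library and works on (subject, issuer) pairs.

```python
"""Sanity-check a VCF Operations PEM bundle: one leaf-to-root chain, nothing extra."""
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)


def split_pem(text):
    """Return (label, block) for every PEM block in the bundle, in file order."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]


def analyse_chain(certs):
    """certs: [(subject, issuer), ...] in file order, leaf first.
    Follows issuer links from the leaf and reports certificates off that path
    (the "extra certificates" error), a missing link, and wrong ordering."""
    by_subject = {subject: i for i, (subject, _) in enumerate(certs)}
    path, idx = [], 0
    while idx is not None and idx not in path:
        path.append(idx)
        subject, issuer = certs[idx]
        idx = None if subject == issuer else by_subject.get(issuer)  # self-signed root ends the walk
    problems = []
    subject, issuer = certs[path[-1]]
    if subject != issuer:
        problems.append(f"chain is incomplete: no certificate for issuer {issuer!r}")
    extra = [certs[i][0] for i in range(len(certs)) if i not in path]
    if extra:
        problems.append("extra certificates not in the chain: " + ", ".join(extra))
    if path != sorted(path):
        problems.append("certificates are not in leaf-to-root order")
    return problems


def check_bundle(pem_text):
    """Parse a bundle with the 'cryptography' package (third-party, imported here so
    that analyse_chain stays dependency-free) and run all checks."""
    from cryptography import x509
    from cryptography.hazmat.primitives import serialization
    certs, key, problems = [], None, []
    for label, block in split_pem(pem_text):
        if label == "CERTIFICATE":
            certs.append(x509.load_pem_x509_certificate(block.encode()))
        elif label.endswith("PRIVATE KEY"):
            try:
                key = serialization.load_pem_private_key(block.encode(), password=None)
            except TypeError:  # raised when the key is password-protected
                problems.append("private key is encrypted; decrypt it before uploading")
    if not certs:
        return ["no certificates found"]
    problems += analyse_chain([(c.subject.rfc4514_string(), c.issuer.rfc4514_string()) for c in certs])
    spki = (serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)
    if key is not None and key.public_key().public_bytes(*spki) != certs[0].public_key().public_bytes(*spki):
        problems.append("private key does not match the leaf certificate")
    return problems
```

Call `check_bundle(open("bundle.pem").read())`; an empty list means the file has the shape the portal expects.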