Renewing the Security Token Service (STS) Certificate from the vSphere UI fails with the following error:
Provider method implementation threw unexpected exception: com.vmware.vapi.std.errors.Error, VMCA_INVALID_CSR_FIELD
In the vSphere UI, we observe the following:
vCenter Server 8.x
The vCenter Certificate Authority (VMCA) rejected the Certificate Signing Request (CSR) generated during the UI workflow because one of its fields was invalid or malformed. The VMCA_INVALID_CSR_FIELD exception confirms that an X.509 CSR validation failure occurred during CSR generation.
Note: Please take a snapshot of the vCenter Server before proceeding.
To resolve the STS certificate renewal failure and bypass the UI-driven CSR generation, use the vCert utility:
Download the vCert utility as per Broadcom Knowledge Base (KB385107).
Transfer the utility to the /tmp directory of the vCenter Server Appliance using an SCP client.
Connect to the vCenter Server via SSH and log in as the root user.
Navigate to the /tmp directory:
cd /tmp
Run the vCert utility.
From the main menu, select option 3 'Manage Certificates'.
From the Manage Certificates sub-menu, select option 8 'STS signing certificates' to manage and replace the STS signing certificate.
Follow the interactive prompts to generate and apply the new STS certificate.
Once the replacement completes successfully, restart all vCenter Server services to apply the new STS certificate across the environment:
service-control --stop --all && service-control --start --all
Details regarding the vCert script can be found in vCert - Scripted vCenter expired certificate replacement.