VCF 9.1 components do not work properly after updating the certificates with an MS CA configured as an intermediate CA
Article ID: 441892

Products

VCF Operations

Issue/Introduction

When the configured Microsoft CA is an intermediate CA to another root CA in VCF 9.1, replacing component certificates will either fail or lead to issues in the component.

  • vCenter certificate replacement error:
    • vc.cert.replacement.error  Certificate task REPLACE_CERTIFICATE for XXXXX has failed. Error message: vCenter Certificate replacement task failed.
      Bulk Task ID: YYYYY,ReplaceCertTask ID: ZZZZZZZ. Exception: Failed to execute request PUT https://<FQDN>/api/vcenter/certificate-management/vcenter/tls with exception
      {"error_type":"ERROR","messages":[{"args":["No issuer certificate for certificate in certification path found."],"default_message":
      "Exception found (No issuer certificate for certificate in certification path found.)","id":"com.vmware.certificatemanagement.error"}]}

  • ESX certificate replacement error:
    • esx.cert.replacement.error
      Certificate task REPLACE_CERTIFICATE for 'XXXX' has failed. Error message: Unexpected error during certificate replacement for for bulkTakId = YYYY, subTaskId = ZZZZ on ESXi host XXXXX. Cannot change the host configuration.

      Note: The ESX cert replacement completes but the host immediately disconnects from vCenter with the error: "Authenticity of the host's SSL certificate is not verified."

  • NSX certificate replacement fails with
    • certificate.upload.error
      Certificate task REPLACE_CERTIFICATE for XXXX has failed. Error message: Unable to upload certificate against CSR ID YYYYY on NSX for replace certificate operation with error message : Certificate chain validation failed. Make sure a valid chain is provided in order leaf,intermediate,root certificate.. Please check VIM adapter logs and task status for more details.

  • SDDC Manager replacement error
    • unexpected.response.code
      Certificate task REPLACE_CERTIFICATE for 'XXXX' has failed. Error message: Failed to perform specified operation on SDDC manager. Following conditions do not match - The Certificate Chain 'YYYYYY' validation failed due to 'Signature does not match.'

  • VCF Operations, VCF Networks, and VCF Automation replacement fails with the error:
    • certificate.replace.failed
      Certificate task REPLACE_CERTIFICATE for <FQDN> has failed. Error message: Certificate chain is not valid.

  • vIDB replacement completes, but VCF SSO becomes unavailable as a login option.

  • VMSP replacement completes, but the effects are not yet known.

  • VCF Management lists Log Management as an installed component, but Operate > Logs still shows the default Install Log Management page.


Environment

VCF 9.1

Cause

This is a known issue affecting VCF 9.1 GA. VMware by Broadcom is urgently working on a fix for this.

Resolution

Until a fix is released, any certificate that has been replaced, or that still needs to be replaced, using this Microsoft CA should be replaced manually:

  1. Generate a CSR from the VCF Ops UI.
  2. Download the CSR using the Download CSRs option.
  3. Generate the certificate by manually taking the CSR to the Microsoft CA to get it signed. Ensure the full certificate chain is exported.
  4. Import the certificates into VCF Ops using the Import Certificates option.
  5. Use the Replace with Imported Certificates option to replace the certificate.
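Before step 4, it is worth confirming on a workstation that the exported chain is complete and ordered leaf, intermediate, root, which is the order the NSX error above asks for and the linkage vCenter reports as missing. The Go program below is an added example, not Broadcom code and not part of this KB: CheckChainOrder walks a PEM bundle and requires each certificate to be issued by the one after it and the last to be self-signed, and SampleChain builds a throwaway root -> intermediate -> leaf hierarchy to exercise it (the CA names and the hostname vcenter.example.test are constructed placeholders).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CheckChainOrder requires a PEM bundle ordered leaf, intermediate(s), root: each certificate must be issued by the next one and the last must be self-signed.
func CheckChainOrder(bundle []byte) error {
	var prev *x509.Certificate
	for b, rest := pem.Decode(bundle); b != nil; b, rest = pem.Decode(rest) {
		c, err := x509.ParseCertificate(b.Bytes)
		if err != nil {
			return err
		}
		if prev != nil && prev.CheckSignatureFrom(c) != nil {
			return fmt.Errorf("%q is not issued by the certificate that follows it, %q", prev.Subject.CommonName, c.Subject.CommonName)
		}
		prev = c
	}
	if prev == nil || prev.CheckSignatureFrom(prev) != nil {
		return fmt.Errorf("bundle does not end in a self-signed root certificate")
	}
	return nil
}

// SampleChain builds a constructed root -> intermediate -> leaf hierarchy (the MS CA layout in this article) and returns each certificate as PEM.
func SampleChain() (leaf, inter, root []byte) {
	issue := func(cn string, ca bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
		pub, key, _ := ed25519.GenerateKey(rand.Reader)
		t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, IsCA: ca,
			BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
		if parent == nil { // no parent given: self-signed root
			parent, pkey = t, key
		}
		der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, pkey)
		c, _ := x509.ParseCertificate(der)
		return c, key
	}
	toPEM := func(c *x509.Certificate) []byte { return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw}) }
	rootC, rootK := issue("Constructed Root CA", true, nil, nil)
	interC, interK := issue("Constructed MS Issuing CA", true, rootC, rootK)
	leafC, _ := issue("vcenter.example.test", false, interC, interK)
	return toPEM(leafC), toPEM(interC), toPEM(rootC)
}
```

To check a real export, concatenate the leaf, intermediate and root PEM files in that order and pass the result to CheckChainOrder; a reversed bundle or one missing the intermediate is rejected before anything is imported.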