Adding KMS certificate chain for KMS server to set up trust between vCenter and KMS

Article ID: 313293

Products

VMware vCenter Server

Issue/Introduction

This article provides a workaround for adding the certificate chain of a KMS server so that trust can be set up between vCenter and the KMS.

Symptoms:
vCenter cannot connect to the Key Management Server (KMS).

Environment

VMware vCenter Server 6.7.x

Cause

When the KMS is trusted through the standard vCenter UI option “Trust the certificate”, only the leaf certificate is saved into the KMS_ENCRYPTION store; the rest of the chain is not.

Resolution

Currently there is no resolution to the issue.

Workaround:

To work around the issue, follow the steps below:

  1. Make sure the whole KMS certificate chain has not been added to vCenter under a single alias. If it has, delete it as follows:

     i) List the certificates in the KMS_ENCRYPTION store:

        /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store KMS_ENCRYPTION

        then note the alias of the added KMS certificate chain.

     ii) Delete the added certificate chain:

        /usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store KMS_ENCRYPTION --alias <the alias of the added KMS certificate chain>

  2. Add the KMS certificates in the chain one by one:

     /usr/lib/vmware-vmafd/bin/vecs-cli entry create --store KMS_ENCRYPTION --alias <the alias of a certificate> --cert cert.txt

     The alias format is the same as that of the existing aliases; only the index changes, and an unused index must be chosen.

     Example: In the KMS cluster eTPC-KMS-KeyProvider, if the greatest index among the existing aliases is 2 (for example trustedCert_2-eTPC-KMS-KeyProvider), add the first certificate in the chain with the alias trustedCert_3-eTPC-KMS-KeyProvider, the second certificate with trustedCert_4-eTPC-KMS-KeyProvider, and so on. cert.txt holds the KMS certificate being added.

  3. vCenter goes through all the entries in the store; if a KMS certificate is missing from the store, it appears in the error log as: "GetEntryByAlias (alias trustedCert_15-eTPC-KMS-KeyProvider from store ID 14) returned error: 4312". This can be ignored.
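Step 2 can be scripted so that no index is reused. The shell example below is added here and is not part of the KB article or of VMware's tooling: it splits a PEM chain into one file per certificate, reads the highest trustedCert index already present in the store, and issues one vecs-cli entry create per certificate with consecutive indices. It assumes the chain is in a file such as chain.pem, uses the cluster name eTPC-KMS-KeyProvider from the article, only prints the commands unless APPLY=1, and the ENTRY_LIST variable is an assumed hook for feeding a saved copy of the entry list output when checking the plan off the appliance.

```shell
#!/bin/sh
# Added example, not from the KB article: split a PEM chain into one file per
# certificate and add each under the next free trustedCert_<n>-<cluster> alias.
# Commands are only printed unless APPLY=1, so the plan can be reviewed first.
VECS=/usr/lib/vmware-vmafd/bin/vecs-cli

# run <cmd...>: execute when APPLY=1, otherwise just show the command.
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$@"; fi; }

# highest_index <cluster>: read `vecs-cli entry list` output on stdin and print
# the greatest index used by trustedCert_<n>-<cluster> aliases (0 if none).
highest_index() {
  n=$(sed -n "s/^Alias :[[:space:]]*trustedCert_\([0-9][0-9]*\)-$1\$/\1/p" | sort -n | tail -n 1)
  echo "${n:-0}"
}

# split_chain <chain.pem> <outdir>: write cert-1.pem, cert-2.pem, ... in the
# order the certificates appear in the chain; print how many were found.
split_chain() {
  mkdir -p "$2"
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
    out != "" { print > out }
    /-----END CERTIFICATE-----/ { close(out); out = "" }
    END { print n + 0 }' "$1"
}

# add_chain <chain.pem> <cluster> <outdir>: one entry per certificate, starting
# at highest index + 1. ENTRY_LIST, when set, replaces the live store listing
# (an assumed hook for checking the plan off the appliance).
add_chain() {
  count=$(split_chain "$1" "$3")
  if [ -n "${ENTRY_LIST:-}" ]; then
    start=$(printf '%s\n' "$ENTRY_LIST" | highest_index "$2")
  else
    start=$("$VECS" entry list --store KMS_ENCRYPTION | highest_index "$2")
  fi
  i=1
  while [ "$i" -le "$count" ]; do
    run "$VECS" entry create --store KMS_ENCRYPTION \
      --alias "trustedCert_$((start + i))-$2" --cert "$3/cert-$i.pem"
    i=$((i + 1))
  done
}
```

Run it once without APPLY to confirm the aliases start after the highest existing index, then with APPLY=1 on the vCenter appliance.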