Error: Not a CA Cert while replacing VMCA root Certificate with Custom CA Signing Certificate

Article ID: 327833

Products

VMware vCenter Server

Issue/Introduction

 
  • Replacing the VMCA root certificate with a custom CA signing certificate using the Certificate Manager utility fails with the error:

    Error: 70011, VMCAAddRootCertificatePrivate () failedStatus : Failed
    Error Code : 70011
    Error Message : Not a CA Cert

 

  • In the /var/log/vmware/vmcad/certificate-manager.log file, you may observe entries similar to the following:

    YYYY-MM-DDT<time> INFO certificate-manager Replacing Root Cert using Custom CA...
    YYYY-MM-DDT<time> INFO certificate-manager Running command :- ['/usr/lib/vmware-vmca/bin/certool', '--rootca', '--cert', '/tmp/root_signing_chain.cer', '--privkey', '/tmp/vmca_issued_key.key', '--server', 'localhost']
    YYYY-MM-DDT<time> INFO certificate-manager Command output :-
    Error: 70011, VMCAAddRootCertificatePrivate() failedStatus : Failed
    Error Code : 70011
    Error Message : Not a CA Cert
    YYYY-MM-DDT<time> ERROR certificate-manager Error: 70011, VMCAAddRootCertificatePrivate() failedStatus : Failed
    Error Code : 70011
    Error Message : Not a CA Cert
    YYYY-MM-DDT<time> ERROR certificate-manager Error while performing Cert Replacement operation, please see /var/log/vmware/vmcad/certificate-manager.log for more information.
    YYYY-MM-DDT<time> ERROR certificate-manager {
    "resolution": null,
    "detail": [
    {
    "args": [
    "Error: 70011, VMCAAddRootCertificatePrivate() failedStatus : Failed\nError Code : 70011\nError Message : Not a CA Cert\n"
    ],
    "id": "install.ciscommon.command.errinvoke",
    "localized": "An error occurred while invoking external command : 'Error: 70011, VMCAAddRootCertificatePrivate() failedStatus : Failed\nError Code : 70011\nError Message : Not a CA Cert\n'",
    "translatable": "An error occurred while invoking external command : '%(0)s'"
    },
    "Error while performing certool rootca command"
    ],
    "componentKey": null,
    "problemId": null
    }
    YYYY-MM-DDT<time> INFO certificate-manager Performing rollback of Root Cert...

  • Running the following openssl command against the certificate returns CA:FALSE:

    openssl x509 -in root_signing_cert.cer -text -noout | grep CA\:

Cause

This issue occurs when the certificate provided by the certificate authority is not a CA certificate, that is, its Basic Constraints extension reports CA:FALSE.

Resolution

Request and generate a new certificate from the certificate authority with the CA extension set to TRUE.
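
A pre-flight check for the condition described above, as an added example that is not part of the original article or VMware's tooling. It goes one step beyond the single-certificate grep: `openssl x509` reads only the first PEM block in a file, so the function splits a chain file and checks Basic Constraints on every certificate in it. The function name `check_ca_chain` is hypothetical, and it assumes `openssl`, `awk` and a `grep` that supports `-A` are available.

```shell
#!/bin/sh
# Added example: verify every certificate in a PEM chain file is CA:TRUE.
# Usage: check_ca_chain /tmp/root_signing_chain.cer
# Exit status: 0 = all certs are CA:TRUE, 1 = at least one is not,
#              2 = file unreadable or contains no certificates.
check_ca_chain() (
    chain="$1"
    if [ ! -f "$chain" ] || [ ! -r "$chain" ]; then
        echo "cannot read: $chain" >&2
        exit 2
    fi
    tmpdir=$(mktemp -d) || exit 2

    # openssl x509 parses only the first PEM block, so split the bundle first.
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%03d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$chain"

    rc=2    # stays 2 when the file held no certificates
    for f in "$tmpdir"/cert*.pem; do
        [ -e "$f" ] || break
        [ "$rc" -eq 2 ] && rc=0
        subject=$(openssl x509 -in "$f" -noout -subject 2>/dev/null) \
            || subject="(unparseable certificate)"
        # In -text output the value line follows the extension header line.
        bc=$(openssl x509 -in "$f" -noout -text 2>/dev/null |
             grep -A1 'X509v3 Basic Constraints' | tail -n 1 | tr -d ' ')
        case "$bc" in
            CA:TRUE*) echo "OK   $subject ($bc)" ;;
            *)        echo "FAIL $subject (${bc:-no basicConstraints})"; rc=1 ;;
        esac
    done
    [ "$rc" -eq 2 ] && echo "no certificates found in: $chain" >&2

    rm -rf "$tmpdir"
    exit "$rc"
)
```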
