"Error in creating a new entry for __MACHINE_CERT in VECS Store MACHINE_SSL_CERT", Certificate Replacement with Custom Certificate fails on 6.x/7.x
Article ID: 330420

Updated On:

Products

VMware vCenter Server

Issue/Introduction

  • MACHINE SSL Certificate replacement with Custom Certificate fails

  • Certificate Manager logs will show errors similar to the following entries:

    YYYY-MM-DDTHH:MM:SS ERROR certificate-manager Error while replacing Machine SSL Cert, please see /var/log/vmware/vmcad/certificate-manager.log for more information.
    YYYY-MM-DDTHH:MM:SS ERROR certificate-manager {
        "resolution": null,
        "problemId": null,
        "componentKey": null,
        "detail": [
            {
                "id": "install.ciscommon.command.errinvoke",
                "translatable": "An error occurred while invoking external command : '%(0)s'",
                "localized": "An error occurred while invoking external command : ''",
                "args":  
            "Error in creating a new entry for __MACHINE_CERT in VECS Store MACHINE_SSL_CERT."
        ]
  • Log location:
    • vCenter Server Appliance - /var/log/vmware/vmcad/certificate-manager.log
    • Windows vCenter Server - %ProgramData%\VMware\vCenterServer\logs\vmca\certificate-manager.log

Environment

  • VMware vCenter Server 6.x
  • VMware vCenter Server 7.x

Cause

This issue primarily occurs if there is a mismatch in the Certificate and the Private Key used during certificate replacement.

Resolution

Compare the MD5 digest of the modulus of the Private Key with that of the Certificate: the two digests are identical only if the Private Key belongs to that Certificate.

  • Use the following commands to run the MD5 check in vCenter 6.x:
    openssl x509 -in <path to the Certificate file> -noout -modulus | openssl md5
    openssl rsa -in <path to the Private Key file> -noout -modulus | openssl md5
  • In vCenter Server 7.0.x, the option -non-fips-allow needs to be added:
    openssl rsa -in <path to the Private Key file> -noout -modulus | openssl md5 -non-fips-allow
    Example:
    [ ~/certs ]# openssl x509 -in ./FullChain.cer -noout -modulus | openssl md5
    (stdin)= 55d84795791549fe72fc498c69f0dd2d
    [ ~/certs ]# openssl rsa -in ./vmca_issued_key.key -noout -modulus | openssl md5
    (stdin)= 6b84b1c62e91dbfc6b9f9efa5d34fb86

Both output strings must match; if they differ, the key and certificate are not a pair (in the example above the two digests differ, so that key does not belong to that certificate). Use the correct Private Key file during Certificate Replacement, or regenerate the Certificate by creating a new Certificate Signing Request and Private Key. For more information, refer to Replacing a vCenter Machine SSL certificate with a Custom Certificate Authority Signed Certificate.

Note: Should the issue occur despite the output strings matching, contact Support by opening a support case.

Additional Information