"Error in creating a new entry for __MACHINE_CERT in VECS Store MACHINE_SSL_CERT", Certificate Replacement with Custom Certificate fails on 6.x/7.x
Article ID: 330420

Updated On: 02-26-2025

Products

VMware vCenter Server

Issue/Introduction

Symptoms:

  • MACHINE SSL Certificate replacement with Custom Certificate fails

  • Certificate Manager logs will show errors similar to the entries below:

    YYYY-MM-DDTHH:MM:SS ERROR certificate-manager Error while replacing Machine SSL Cert, please see /var/log/vmware/vmcad/certificate-manager.log for more information.
    YYYY-MM-DDTHH:MM:SS ERROR certificate-manager {
        "resolution": null,
        "problemId": null,
        "componentKey": null,
        "detail": [
            {
                "id": "install.ciscommon.command.errinvoke",
                "translatable": "An error occurred while invoking external command : '%(0)s'",
                "localized": "An error occurred while invoking external command : ''",
                "args":  
            "Error in creating a new entry for __MACHINE_CERT in VECS Store MACHINE_SSL_CERT."
        ]

Log location:

vCenter Server Appliance - /var/log/vmware/vmcad/certificate-manager.log

Windows vCenter Server - %ProgramData%\VMware\vCenterServer\logs\vmca\certificate-manager.log


Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.


Environment

VMware vCenter Server 6.x
VMware vCenter Server 7.x

Cause

This issue primarily occurs when the Certificate and the Private Key used during certificate replacement do not belong together (a key/certificate mismatch).

Resolution

To resolve this issue, compare the MD5 hash of the modulus of the Private Key with that of the Certificate file; the two hashes match only if the Private Key belongs to that Certificate.

  • Use the following commands to run the MD5 check in vCenter 6.x:

# openssl x509 -in <path to the Certificate file> -noout -modulus | openssl md5

# openssl rsa -in <path to the Private Key file> -noout -modulus | openssl md5

  • In vCenter Server 7.0.x, the option -non-fips-allow needs to be added:

# openssl rsa -in <path to the Private Key file> -noout -modulus | openssl md5 -non-fips-allow

Example:

[ ~/certs ]# openssl x509 -in ./FullChain.cer -noout -modulus | openssl md5
(stdin)= 55d84795791549fe72fc498c69f0dd2d
[ ~/certs ]# openssl rsa -in ./vmca_issued_key.key -noout -modulus | openssl md5
(stdin)= 6b84b1c62e91dbfc6b9f9efa5d34fb86

Both output strings must match; otherwise the key and certificate are not a pair, as in the example above. Use the correct Private Key file during Certificate Replacement, or regenerate the Certificate by creating a new Certificate Signing Request and Private Key. For more information, see Replacing a vCenter Machine SSL certificate with a Custom Certificate Authority Signed Certificate.
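The same modulus comparison wrapped in a POSIX shell function, added here as an example (it is not code from the article or from VMware); the function names modulus_md5 and cert_key_match are my own, and the script assumes openssl is on the PATH as it is on the appliance. It refuses an unreadable file instead of hashing empty input, because two unreadable files would otherwise both hash to the MD5 of an empty string and appear to match.

```shell
#!/bin/sh
# Added example, not part of the KB article: the article's MD5 modulus check
# as a function, so a key/certificate pair is verified before
# certificate-manager is run. Function names are hypothetical (my own).

# Print the MD5 of the RSA modulus of FILE, built from the same pipeline as
# the article (openssl <kind> -noout -modulus | openssl md5). KIND is "x509"
# for a certificate or "rsa" for a private key. Returns 1 when openssl cannot
# read the file, so an unreadable file is never hashed as empty input.
modulus_md5() {
    kind="$1"; file="$2"; md5_opts="$3"
    mod=$(openssl "$kind" -in "$file" -noout -modulus 2>/dev/null) || return 1
    [ -n "$mod" ] || return 1
    # $md5_opts is intentionally unquoted so an empty value adds no argument
    printf '%s\n' "$mod" | openssl md5 $md5_opts | sed 's/^.*= *//'
}

# Compare CERT and KEY. A third argument of "7" adds -non-fips-allow to
# openssl md5, which the article says is required on vCenter Server 7.0.x.
# Exit status: 0 = pair matches, 1 = mismatch, 2 = a file could not be read.
cert_key_match() {
    cert="$1"; key="$2"; md5_opts=""
    [ "${3:-6}" = "7" ] && md5_opts="-non-fips-allow"
    cert_md5=$(modulus_md5 x509 "$cert" "$md5_opts") \
        || { echo "cannot read certificate: $cert" >&2; return 2; }
    key_md5=$(modulus_md5 rsa "$key" "$md5_opts") \
        || { echo "cannot read private key: $key" >&2; return 2; }
    echo "certificate modulus md5: $cert_md5"
    echo "private key modulus md5: $key_md5"
    if [ "$cert_md5" = "$key_md5" ]; then
        echo "MATCH: the private key belongs to this certificate"
        return 0
    fi
    echo "MISMATCH: use the key of the CSR this certificate was issued for," \
         "or regenerate CSR and key" >&2
    return 1
}

# Stand-alone use: ./check_pair.sh FullChain.cer private.key [7]
[ "$#" -ge 2 ] && cert_key_match "$@"
```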


Note: If the issue still occurs even though the output strings match, contact Support by opening a support case.


Additional Information