Upgrading to vCenter Server or ESXi 8.0 requires an additional precheck. The precheck ensures that vCenter Server and ESXi are not using certificates with weak signature algorithms, such as sha1WithRSAEncryption. Certificates with weak signature algorithms are no longer supported in vSphere 8.0 in most contexts.

vCenter Server upgrades may fail during precheck with an error stating, "Support for certificates with weak signature algorithms has been removed from vCenter Server 8.0." 

Pre-Update Check Results

Error Support for certificates with weak signature algorithms has been removed in vCenter Server 8.0. The certificate with subject
'/C=##/ST=##/O=###/OU=###/CN=###/...' in VECS store TRUSTED_ROOTS has weak signature algorithm sha1WithRSAEncryption.

Resolution Replace the certificate with subject.
'...'
Caution: Verify that any certificates signed by the problematic certificate are not in use by vCenter Serer...

ESXi upgrades may fail during precheck with an error string stating, "Support for certificates with weak signature algorithm SHA-1 has been removed in ESXi 8.0." 

Host not compatible with the image

SHA-1 signature found in host certificate rui.crt(/DC=###/CN=###'). Support for certificate with weak signature algorithm SHA-1 have been removed in ESXi 8.0 To proceed with upgrade, replace it with a SHA-2 signature based certificate. Refer to release notes and KB 89424 for more details.

The signing chain for the Machine cert contains an old SHA1 certificate, and vSphere 8 does not support SHA1 security algorithm.

Standalone Precheck Script

The `vsphere8_upgrade_certificate_checks.py` Python script verifies that vCenter Server and the connected ESXi hosts are not using certificates with a weak digital signature algorithm. This is a standalone version of the same prechecks that are preformed during vCenter Server and ESXi upgrades. It can be run manually before a planned upgrade maintenance window.

The script first checks if vCenter Server has any unsupported certificates in the VECS stores. It then iterates through all of the ESXi hosts in the inventory to perform similar checks.

To run the script perform the following steps:

1. Download the `vsphere8_upgrade_certificate_checks.py` script attached to this KB.
2. Transfer the script file to a temporary folder (e.g. `/tmp`) on vCenter Server (e.g. using `scp` or `WinSCP`).
3. Login to the vCenter Server appliance using root credentials with an SSH client.
4. Execute the script using the following command:
   

   python /tmp/vsphere8_upgrade_certificate_checks.py

If any certificates with a weak signature algorithm are found, the details are printed to the console window. These issues should be resolved before proceeding with upgrade. An example output with failures is shown below.

python /tmp/vsphere8)upgrade_cerfificate_checks.py
Enter hostname [Default: localhost]:
            INFO Verifying vCenter Server VECS store: MACHINE_SSL_CERT
            INFO Verifying vCenter Server VECS store: TRUSTED_ROOTS
...
            Error #################### Errors Found ####################
            ERROR
            ERROR Support for certificates with weak signature algorithms has been removed in vSphere 8.0....Correct the following <#> issues before proceeding with upgrade....

Replacing Certificates

Note: Along with the other options for managing certs listed in the steps below, the vCert scripted CLI tool can also be used. Please make sure to take proper snapshots of the VCSA VM prior to managing any VCSA certs. If in linked mode (ELM), take offline snapshots of all linked VCSA VMs.

• Before removing any intermediate or root certs, along with the steps below, please also confirm if any 3rd party applications that connect to the vCenter, rely on the inter or root certs. If they do, you will want to get the machine and chain certs replaced for those as well, otherwise the vCenter may no longer trust those systems, breaking the connection (e.g., LDAPS server, etc.).

The vCenter Server Machine Certificate

1. Replace the vCenter Server machine certificate, and the associated root and intermediate certificates with a certificate that contains a SHA-2 digital signature by following the steps within the following linked article.
   • "Replace vCenter Machine SSL certificate Custom Certificate Authority Signed Certificate"
   • If desired, you can also use the REST API: Certificate management REST API

2. Push the new CA certificate(s) to the ESXi hosts using "Refresh CA Certificates" in the vSphere UI.
   • Refresh ESXi CA certificates via vSphere UI

3. Remove the old and now unused root certificate from vCenter Server.
   • vCert scripted CLI tool
   • Remove certificates using dir-cli
   • Certificate management REST API

A vCenter Server Trusted Root Certificate

If the upgrade precheck failure message indicates that a problematic certificate is present in the VECS store "TRUSTED_ROOTS", then vCenter Server has configured trusted root or intermediate certificate that must be removed or replaced before upgrade can proceed. There may be a dependency on the problematic trusted root certificates and it's important to update the dependent services before removing or replacing the certificate. Also note that the certificates that are present in the VECS store "TRUSTED_ROOTS" are pushed to all connected ESXi hosts.

Steps to replace the certificate:

1. Add a new certificate to the "TRUSTED_ROOTS" store that will replace the now unsupported certificate.
   • Add certificate via the vSphere UI:

     1. Log in with the vSphere Client to the vCenter Server.

     2. Navigate to Administration > Certificates > Certificate Management.

     3. Next to Trusted Root Store, click Add.

     4. Browse and select the location of the Trusted Root and Intermediate certificates.
        The certificate is added in a panel under Trusted Root Certificates.

   • vCert scripted CLI tool
   • Add certificates using `dir-cli trustedcert publish`
   • Certificate management REST API

2. Push the new CA certificate(s) to the ESXi hosts using "Refresh CA Certificates" in the vSphere UI.
   • Refresh ESXi CA certificates via vSphere UI

3. Ensure that any certificate signed by the unsupported certificate is removed from the vSphere environment. If a leaf certificate is found to be signed by the unsupported certificate, it must also be replaced. Consider the following cases.
   • The leaf certificate may be in use on an ESXi host.
   • The leaf certificate may be used by a VMware solution, such as vRA, vROps, SRM, NSX, etc.
   • The leaf certificate may be used by a partner solution, such as vVols or a backup solution.

4. Once the unsupported certificate is no longer in use, it may be removed from the TRUSTED_ROOTS store.
   • vCert scripted CLI tool
   • Remove certificates using dir-cli
   • Certificate management REST API

5. Push the CA certificate changes to the ESXi hosts using "Refresh CA Certificates" in the vSphere UI.
   • Refresh ESXi CA certificates via vSphere UI

VMCA is Acting as a Subordinate CA

If the upgrade precheck failure message indicates that a problematic certificate is related to certs in VMCA sub-ca chain, follow the steps in the following linked article.

• "vCenter 8.0 Upgrade Fails Due to SHA1 Signature Algorithm in certificate chain when VMCA is a sub CA"

vCenter Server BACKUP_STORE Certificate

If the upgrade precheck failure message indicates that a problematic certificate is present in the VECS store "BACKUP_STORE", then the certificate can be safely removed using one of the methods below.

• vCert scripted CLI tool
• Remove the certificate using `vecs-cli`

The ESXi Server TLS Certificate (rui.crt)

The ESXi TLS certificate is managed by vCenter Server by default, however administrators may choose to manually assign a certificate. If the current TLS certificate contains a weak digital certificate, then a new certificate must be issued. Note that this certificate is stored in a file name "rui.crt" which may be displayed in the upgrade precheck error messages.

• Issue a VMCA signed TLS certificate for ESXi using the vSphere UI
• Issue a custom TLS certificate for ESXi

The ESXi Server Certificate Store (castore.pem)

If the upgrade precheck failure message indicates that a problematic certificate is related to ESXi certs, follow the steps in the following linked article.

• "vCenter 8.0 Upgrade Fails Due to SHA1 Signature Algorithm in ESXi certificate chain when ESXi using custom CA certs"

vVols (Virtual Volumes)

If the upgrade precheck failure message indicates that a problematic certificate is related to vVols (VASA) certs, follow the steps in the following linked article.

• "vCenter 8.0 Upgrade Fails Due to SHA1 Signature Algorithm in SMS Certificate"

If using Sectigo custom CA certs, consider the following article.

• "Sectigo custom Machine SSL cert - Remove old SHA1 cert from signing chain"