VMware Cloud Community
Sachchidanand
Expert

Error, certificate failed to replace

Hi,

I have vSphere Client version 6.7.0.42000. I am now unable to replace the certificate; also, it's not a wildcard certificate.

I am also not able to find the certificate-manager.log file.

BR

Sachchidanand

0 Kudos
daphnissov
Immortal

You're going to have to provide lots more information than this if you want help.

0 Kudos
msripada
Virtuoso

How are you replacing the certificates: browser or certificate manager?

What certificate are you replacing? Is it vCenter or PSC?

Please provide details so that we can help you further.

Thanks,

MS

0 Kudos
Sachchidanand
Expert

Thanks for the reply.

I am reading the doc "how to ask".

I am using the GUI to replace the SSL certificate for the vCenter, or the machine certificate.

Also, please let me know what else you require.

BR

Sachchidanand

0 Kudos
daphnissov
Immortal

Let's start with

  • What error do you get when you attempt to replace it?
  • Is it the machine certificate? Something else?
  • How did you generate the certificate?

In the future, please lead with this information. Basic info like this, when missing, just causes people to ask for these details.

0 Kudos
Sachchidanand
Expert

Thanks for your prompt reply.

Find the answers inline below:

What error do you get when you attempt to replace it?  -- Error, certificate failed to replace

Is it the machine certificate? Something else?  -- Yes, it's a machine certificate. I am using GUI to replace the certificate.

How did you generate the certificate?  -- I got the certificate from a public CA.

First I uploaded the root certificate to Trusted Root Certificate (successful), then made a chain of cert + intermediate cert + root cert and uploaded it along with the private key to __MACHINE_CERT, which gives the error "Error, certificate failed to replace".

Let me know if you need more info.

BR

Sachchidanand

0 Kudos
msripada
Virtuoso

We need to check the web client logs during the operation and, based on those logs, investigate further. Unfortunately, there is no straight answer to this.

I am confused about this part: "then make a chain of cert + intermediate cert + root cert".

I assume you have uploaded the chain to trusted roots, so I don't think this is required here. Just upload only the machine SSL certificate and key to check if that helps.

Thanks,

MS

0 Kudos
Sachchidanand
Expert

Hi,

I have uploaded both the intermediate and root certificates to the trusted root. Now I am replacing with only the machine cert and key; still the same error.

Also, how can I get the desired logs?

BR

Sachchidanand

0 Kudos
msripada
Virtuoso

Logs for the web client would be under /var/log/vmware/vsphere-ui/logs on the VCSA. You can use WinSCP to copy them to your local desktop; please upload them here.

Thanks,

MS

0 Kudos
Sachchidanand
Expert

Hi,

Thanks for your reply.

It failed due to a mismatch of the SAN in the old and new certificates; as per the logs: "The certificate's common name or SAN is not same as its PNID."

I checked using the following article, VMware Knowledge Base, and found that the PNID of the vCenter is the IP address of the vCenter. The old certificate contains IP, email ID and FQDN as SAN, while in the new certificate the SAN contains FQDN.

So is there now any way to replace the cert?

BR

Sachchidanand

0 Kudos
Sachchidanand
Expert

Hi,

I managed to change the PNID of the vCenter; after that, the certificate was successfully replaced.

Thanks.

BR

Sachchidanand

0 Kudos
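The mismatch reported in the log above can be checked before uploading a certificate. The following is an added example, not code from the thread or from VMware: it parses the text output of `openssl x509 -noout -text` and tests whether the PNID appears as the CN or as a DNS / IP Address SAN entry. The exact-match rule is an assumption that approximates the appliance's check, and the host name, IP address and certificate excerpts are constructed.

```python
import ipaddress
import re

# Constructed excerpts of `openssl x509 -in <cert> -noout -text` output.
OLD_CERT_TEXT = """
        Subject: CN=vc01.example.test
            X509v3 Subject Alternative Name:
                DNS:vc01.example.test, IP Address:192.0.2.10, email:admin@example.test
"""
NEW_CERT_TEXT = """
        Subject: C = US, O = Example, CN = vc01.example.test
            X509v3 Subject Alternative Name:
                DNS:vc01.example.test
"""

def names_in_cert(x509_text):
    """Return (common_name, [(san_type, value), ...]) from openssl text output."""
    cn = re.search(r"^\s*Subject:.*?CN\s*=\s*([^,/\n]+)", x509_text, re.M)
    san = re.search(r"X509v3 Subject Alternative Name:[^\n]*\n\s*([^\n]+)", x509_text)
    entries = []
    if san:
        for item in san.group(1).split(","):
            # Split on the first colon only, so IPv6 values stay intact.
            kind, _, value = item.strip().partition(":")
            entries.append((kind.strip(), value.strip()))
    return (cn.group(1).strip() if cn else None), entries

def _canon(value):
    """IP addresses compare by value, host names case-insensitively."""
    try:
        return ("ip", ipaddress.ip_address(value))
    except ValueError:
        return ("dns", value.rstrip(".").lower())

def pnid_matches(pnid, x509_text):
    """True if the PNID equals the CN or a DNS / IP Address SAN entry."""
    cn, entries = names_in_cert(x509_text)
    candidates = [v for k, v in entries if k in ("DNS", "IP Address")]
    if cn:
        candidates.append(cn)
    return any(_canon(c) == _canon(pnid) for c in candidates)

if __name__ == "__main__":
    pnid = "192.0.2.10"  # constructed; on the appliance, vmafd-cli get-pnid reports it
    for label, text in (("old", OLD_CERT_TEXT), ("new", NEW_CERT_TEXT)):
        print(label, "certificate covers PNID:", pnid_matches(pnid, text))
```

With an IP address as the PNID, the old certificate passes and the FQDN-only certificate does not, which is the situation described in the thread.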