sandsfootgroup
Enthusiast

Replacing vCenter self signed Certificate Error 20 and Error 51

Hello

Not making much progress replacing the vCenter self-signed certificates - using the hybrid method, so only looking to update the SSL cert for the web interface. We are using our own CA.

So the method we have used:

  1. Used certificate-manager option 1 / option 1 to get a default .csr and .key file.  We did this so vCenter generated the private key.
  2. Then used OpenSSL to create the real csr.  We created our own req.config with the cert info and used:
    openssl req -new -key vmca_issued_key.key -out vcenter.csr -config req.conf
  3. Took vcenter.csr to our CA and issued a certificate.  NB: This CA has an intermediate certificate.
  4. We exported RootCA.cer and IntermediateCA.cer certs and created a full machine chain:
    copy vcenter.cer+IntermediateCA.cer+RootCA.cer machine_chain.cer
  5. Back on vCenter used certificate-manager option 1 / option 2 to import new certs:
    custom certificate for machine ssl: machine_chain.cer
    custom key for machine ssl: vmca_issued_key.key
    signing certificate of the machine ssl: RootCA.cer
  6. This is where we are seeing errors.

error 20 at depth lookup:unable to get local issuer certificate

Error verifying certificate: machine_chain.cer

Googled around and it was suggested that the signing cert needed intermediate and root, so did copy IntermediateCA.cer+RootCA.cer inter_and_root_chain.cer and used this cert for signing certificate of the machine ssl.  This time got a different error:

error 51 at 0 depth lookup:unsupported name constraint type

Error in verifying certificate: machine_chain.cer

Does anyone have any suggestions, or has anyone come across this?

Thanks

0 Kudos
1 Reply
vmrale
Expert

Hi,

Check this inter_and_root_chain.cer file. It should look like this from this article:

VMware Knowledge Base

If you use copy file+file to merge and the first file doesn't have a newline character, it could result in a faulty file.

Check this compendium article on how to replace vSphere certificates:

Replacing default certificates with CA signed SSL certificates in vSphere 6.x

VMware Knowledge Base

Regards
Radek

If you think your question has been answered correctly, please consider marking it as a solution or rewarding me with kudos.
0 Kudos
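A structural check for a merged chain file such as machine_chain.cer or inter_and_root_chain.cer, covering the missing-newline case raised in the reply above. This is an added example, not code from the thread or from VMware; the function names and the sample data are constructed for illustration, and it checks file structure only (it also flags the Ctrl-Z byte that Windows `copy` appends in its default ASCII mode, and binary DER input), not signatures or name constraints.

```python
import base64
import binascii
import re

BEGIN = b"-----BEGIN CERTIFICATE-----"
END = b"-----END CERTIFICATE-----"
BLOCK = re.compile(re.escape(BEGIN) + rb"\r?\n(.+?)\r?\n" + re.escape(END), re.S)


def lint_pem_bundle(data: bytes) -> list:
    """Return a list of structural problems in a concatenated PEM bundle."""
    if BEGIN not in data:
        if data[:1] == b"\x30":
            return ["binary DER input: re-export as Base64 (PEM) before merging"]
        return ["no PEM certificate block found"]
    problems = []
    if b"\x1a" in data:
        problems.append("Ctrl-Z (0x1A) byte present; use 'copy /b' when merging")
    # A marker sharing its line with other text means a source file had no final newline.
    for n, raw in enumerate(data.replace(b"\r\n", b"\n").split(b"\n"), 1):
        line = raw.strip(b" \t\r\x1a")
        if (BEGIN in line or END in line) and line not in (BEGIN, END):
            problems.append(f"line {n}: boundary marker fused with other text")
    if data.count(BEGIN) != data.count(END):
        problems.append("BEGIN/END marker counts differ")
    for i, body in enumerate(BLOCK.findall(data), 1):
        try:
            der = base64.b64decode(b"".join(body.split()), validate=True)
        except binascii.Error:
            problems.append(f"certificate {i}: body is not valid Base64")
            continue
        if der[:1] != b"\x30":
            problems.append(f"certificate {i}: decoded body is not a DER SEQUENCE")
    return problems


def sample_pem(fill: int, final_newline: bool = True) -> bytes:
    """Constructed stand-in (DER SEQUENCE header plus filler), not a real certificate."""
    der = b"\x30\x82\x00\x30" + bytes([fill]) * 48
    body = base64.encodebytes(der).strip()
    return BEGIN + b"\n" + body + b"\n" + END + (b"\n" if final_newline else b"")


if __name__ == "__main__":
    leaf, inter, root = sample_pem(1, final_newline=False), sample_pem(2), sample_pem(3)
    print("fused:", lint_pem_bundle(leaf + inter + root + b"\x1a"))
    print("clean:", lint_pem_bundle(leaf + b"\n" + inter + root))
```

To check a real file, pass its bytes to the function, for example `lint_pem_bundle(open("machine_chain.cer", "rb").read())`.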