VMware Cloud Community
alex_vsphere
Enthusiast

Generate vCenter certificate using my own CA

Hello.

I have been trying to generate certificates from my own test lab, for the vCenter servers.

When I try to import the certificate I get this error

error 9 at 0 depth lookup:certificate is not yet valid

Error in verifying certificate: m_ca.cer

There is no problem with the time on the CA, vCenter server, or ESXi hosts.

The vCenter deployment is not embedded. PSCs and vCenter servers are running on their own servers. I use the vCenter appliance, not Windows.

This is the way I tried to generate and import the certificate

Replace your vCenter vSphere 6.5 Certificates using your own CA - YouTube

My domain is <domain-name>.local

I do not think that this should be a problem.

Any tips much appreciated.

Best regards!

0 Kudos
1 Solution

Accepted Solutions
daphnissov
Immortal

That's what a root CA is supposed to look like. In looking at your machine cert, it says it isn't valid until starting today, so did you generate it today or was this the same one you couldn't get installed when you opened this thread? If so, then the error message was telling you all you needed to know: the certificate isn't yet valid.

0 Kudos
9 Replies
daphnissov
Immortal

Please show the certificate details after generation by opening it in the Microsoft tool. Also, what signing algorithm are you using? If it's SHA-1 like the video shows, highly recommend you go through the steps again and choose a stronger algorithm. SHA-1 is now untrusted by many browsers.

0 Kudos
alex_vsphere
Enthusiast

Hello daphnissov.

Thank you for your reply.

About the video, yes I used the same steps.

When it comes to the certificate details, would you like me to post this section of the certificate? - see attached picture.

Best regards!

0 Kudos
daphnissov
Immortal

Yes, show the details of the generated cert.

0 Kudos
alex_vsphere
Enthusiast

Hello.

Here are the m-ca.cer and root-ca.cer

Best regards!

0 Kudos
daphnissov
Immortal

Show the General tab as well.

0 Kudos
alex_vsphere
Enthusiast

Hi.

Attached, for both of them.

I think the problem could be with the root CA. It looks like it is generated for the CA server itself.

Best regards!

0 Kudos
daphnissov
Immortal

That's what a root CA is supposed to look like. In looking at your machine cert, it says it isn't valid until starting today, so did you generate it today or was this the same one you couldn't get installed when you opened this thread? If so, then the error message was telling you all you needed to know: the certificate isn't yet valid.

0 Kudos
alex_vsphere
Enthusiast

Hello.

It was generated yesterday.

I will give it a try, again.

0 Kudos
alex_vsphere
Enthusiast

Yes, it does work. I missed the date thing.

Thank you for pointing that out.

0 Kudos
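
Added example, not part of the thread or of VMware's tooling: a pre-import check for the two issues raised above, the validity window behind "certificate is not yet valid" and a SHA-1 signature, run over the text printed by `openssl x509 -noout -dates -text`. The sample output, the function names and the `now` parameter are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample of `openssl x509 -noout -dates -text -in <cert>` output,
# trimmed to the fields this check reads. Not taken from the thread.
SAMPLE = """\
    Signature Algorithm: sha1WithRSAEncryption
notBefore=May 10 09:30:00 2018 GMT
notAfter=May  9 09:30:00 2020 GMT
"""
WEAK_DIGESTS = ("md5", "sha1")

def parse_openssl_time(value):
    # OpenSSL prints validity times in GMT and pads single-digit days with a space.
    parsed = datetime.strptime(" ".join(value.split()), "%b %d %H:%M:%S %Y GMT")
    return parsed.replace(tzinfo=timezone.utc)

def check_cert(openssl_text, now=None):
    """Return findings about the validity window and the signature digest."""
    now = now or datetime.now(timezone.utc)  # clock of the host that will verify
    fields = dict(re.findall(r"^(notBefore|notAfter)=(.+)$", openssl_text, re.M))
    if set(fields) != {"notBefore", "notAfter"}:
        raise ValueError("notBefore/notAfter not found in input")
    not_before = parse_openssl_time(fields["notBefore"])
    not_after = parse_openssl_time(fields["notAfter"])
    findings = []
    if now < not_before:
        # The condition OpenSSL reports as error 9, "certificate is not yet valid".
        findings.append(f"not yet valid: starts in {not_before - now} (UTC)")
    elif now > not_after:
        findings.append(f"expired {now - not_after} ago (UTC)")
    sig = re.search(r"Signature Algorithm:\s*(\S+)", openssl_text)
    if sig and any(d in sig.group(1).lower() for d in WEAK_DIGESTS):
        findings.append(f"weak signature algorithm: {sig.group(1)}")
    return findings

if __name__ == "__main__":
    # Constructed clock value: 23.5 hours before the sample's notBefore.
    for finding in check_cert(SAMPLE, datetime(2018, 5, 9, 10, 0, tzinfo=timezone.utc)):
        print(finding)
```

The comparison is done in UTC, so a start time that looks current in a certificate viewer showing local time can still be in the future for the verifying host.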