VMware Cloud Community
adamwms
Enthusiast

error replacing Machine SSL Certificate


1. I log into freshly deployed vSphere Client 7.0 Web GUI: https://myvsphereclient.mydomain.co.uk/ui/
2. Go to Administration -> Certificates -> Certificate Management -> Machine SSL Certificate -> Actions -> Import and Replace Certificate
3. Choose "Replace with external CA certificate (requires private key)" -> NEXT
4. Browse to and upload our wildcard multidomain SAN certificate files issued by Sectigo. We happily use the same certificate for dozens of subdomains in dozens of different places including https://www.matrixscience.com
5. Machine SSL Certificate -> cert.crt
6. Chain of trusted root certificates -> ssl-bundle.crt
7. Private Key -> keyfile.key
8. Click REPLACE

"Error occurred while fetching tls: Invalid input certificate : The Subject of the provided certificate does not contain the correct CN value"

Same error when uploading files in .pem format.

What is it complaining about?

How to fix it, i.e. replace the self-signed default SSL certificate with our own (without issuing a brand new certificate)?

alantz
Enthusiast

https://kb.vmware.com/s/article/2112277

VMware does not support wildcards. What I did is just use our internal CA to create my certificate.

--Alan

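A pre-flight check for the error quoted in the question, added here as an example (it is not from the thread or from VMware): it reads the Subject CN and DNS SANs of the PEM file with openssl and compares the CN with the vCenter FQDN, flagging a wildcard CN, which is what the "correct CN value" message is complaining about. It assumes openssl 1.1.1 or later; the throwaway certificates it can generate use constructed names only so the check can be exercised offline.

```shell
#!/bin/sh
# Added example, not VMware's code: check a PEM certificate against the
# vCenter FQDN before uploading it as the Machine SSL Certificate.
# Assumes openssl 1.1.1+ (for -addext and -nameopt RFC2253).

# Print the Subject CN of a PEM certificate.
subject_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*$/\1/p'
}

# Print the DNS names from the Subject Alternative Name, one per line.
san_dns_names() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# check_machine_ssl_cn CERT FQDN
# Returns 0 when the CN equals the FQDN, 1 for a wildcard CN (not accepted
# for the vCenter Machine SSL Certificate), 2 for any other mismatch.
check_machine_ssl_cn() {
    cert="$1"; fqdn="$2"
    cn=$(subject_cn "$cert")
    case "$cn" in
        "$fqdn")
            echo "OK: CN '$cn' matches $fqdn"; return 0 ;;
        \**)
            echo "FAIL: wildcard CN '$cn' will be rejected for vCenter"
            return 1 ;;
        *)
            echo "FAIL: CN '$cn' != $fqdn (SANs: $(san_dns_names "$cert" | tr '\n' ' '))"
            return 2 ;;
    esac
}

# make_test_cert OUT CN: self-signed throwaway certificate with a constructed
# CN and SAN, only so the check above can be tried without a real cert.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -addext "subjectAltName=DNS:$2,DNS:mydomain.co.uk" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

# Usage: sh check.sh cert.crt myvsphereclient.mydomain.co.uk
if [ $# -eq 2 ]; then
    check_machine_ssl_cn "$1" "$2"
fi
```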
dturrentine
Contributor

Slight edit: from the KB article: "VMware does not support the use of wildcard certificates on the vCenter Server." (https://kb.vmware.com/s/article/2112277)

 

However, standalone ESXi servers *do* support the use of wildcard certs.

https://kb.vmware.com/s/article/56441

https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-122A4236-9696-4E1...


maksym007
Expert

My first time was also very nervous 🙂 I did not change it properly

bharsh
Contributor

Thanks for that clarification re: ESXi vs vCenter. I first did all my ESXi hosts, got them secured, and only vCenter was annoying me and I spent the better part of a day manually setting/copying certs, failing at the GUI, discovering the /usr/lib/vmware-vmca/bin/certificate-manager, finally hitting the "no wildcards" error string... which made zero sense since I'd just used wildcards on the very host vCenter is running on. So annoying.
