VMware Cloud Community
Christoph_TKE
Contributor

vCenter does not accept my root certificate

Hello group,

I tried to replace the vCenter's machine SSL certificate. Got the CSR and created a new certificate by our server CA. But when I now upload the new server certificate and the CA chain, I receive an error message about the root certificate:

create trusted root chain failed: <some certificate identifier> is not a valid CA certificate. Please retry with a valid certificate chain.

The same error appears when I try to import the root certificate alone as a trusted root certificate.

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
03:3c:4b:36:18:59:fb:8b:28:11:5d:1a:59:3f:ab:05:84:1a:a5:dc
Signature Algorithm: sha512WithRSAEncryption
Issuer: C = DE, ST = Berlin, L = Berlin, O = TK Aufz\C3\83\C2\BCge GmbH, OU = Service24, CN = Root CA, emailAddress = dach.dtxsupport@tkelevator.com
Validity
Not Before: Apr 21 15:26:29 2022 GMT
Not After : Apr 18 15:26:29 2032 GMT
Subject: C = DE, ST = Berlin, L = Berlin, O = TK Aufz\C3\83\C2\BCge GmbH, OU = Service24, CN = Root CA, emailAddress = dach.dtxsupport@tkelevator.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Modulus:
[...]
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
38:1F:FC:F2:E4:FE:7B:FF:3B:F5:4F:B8:23:8E:85:5B:35:B1:62:2A
X509v3 Authority Key Identifier:
keyid:38:1F:FC:F2:E4:FE:7B:FF:3B:F5:4F:B8:23:8E:85:5B:35:B1:62:2A

X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha512WithRSAEncryption
[...]

(Stripped the lengthy bit patterns for better readability.) Does anyone know what vCenter is so picky about? The root cert works fine on dozens of other machines in a ton of different applications.

Thank you very much!

Regards,

Christoph

scott28tt
VMware Employee

I have reported your post to the moderators, asking them to move it to the area for vCenter Server.

Although I am a VMware employee I contribute to VMware Communities voluntarily (i.e. not in any official capacity)
nulloz
Contributor

Hi,

I got the same issue here.

Our CA is deployed everywhere. In another vCenter 8, upgraded from 7, the CA is installed.

If I want to put this same CA in a new vCenter 8, I get the same message.

Have you found a solution?

nulloz
Contributor

I found why but I don't have a solution for my case.

The VMware documentation gives the following requirements for a CA:

- Key size: 2048 bits (minimum) to 16384 bits (maximum) (PEM encoded)
- PEM format. VMware supports PKCS8 and PKCS1 (RSA keys). When keys are added to VECS, they are converted to PKCS8.
- x509 version 3
- The CA extension must be set to true for root certificates, and cert sign must be in the list of requirements. For example:

basicConstraints = critical,CA:true
keyUsage = critical,digitalSignature,keyCertSign

- CRL signing must be enabled.
- Extended Key Usage can be either empty or contain Server Authentication.
- No explicit limit to the length of the certificate chain. VMCA uses the OpenSSL default, which is 10 certificates.
- Certificates with wildcards or with more than one DNS name are not supported.
- You cannot create subsidiary CAs of VMCA.

When our company's certificates were generated 7 years ago, the "CA bit" was set but no "key usage" was defined:

[...]
        X509v3 extensions:
            [...]
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
[...]

As a result, it is no longer possible to import it on a fresh installation (even though this same CA is installed on a vCenter 8.0.2 that has been upgraded from vCenter 7).
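To check a root certificate against the requirement list quoted in the reply above before uploading it to vCenter, here is an added example script (not from the thread, not a VMware tool) that uses only the openssl CLI. It assumes openssl 1.1.1 or later is on PATH; the function names, the config section names and the demo subject are ours. The checker flags exactly the situation both posters hit: basicConstraints CA:TRUE present, but no keyUsage extension with keyCertSign and cRLSign.

```shell
#!/bin/sh
# Added example: validate a PEM root certificate against the VMware trusted-root
# requirements quoted in the thread (X.509 v3, RSA 2048..16384 bits, CA:TRUE,
# keyUsage with keyCertSign and cRLSign). Assumes openssl 1.1.1+ on PATH.

# check_ca_cert FILE.pem
#   Prints one "ok"/"FAIL" line per requirement; returns 0 only if all pass.
check_ca_cert() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || {
        echo "FAIL $1: not a readable PEM certificate"; return 2; }
    fail=0

    # Requirement: X.509 version 3 (extensions only exist in v3).
    case "$text" in
        *"Version: 3 (0x2)"*) echo "ok   X.509 v3" ;;
        *) echo "FAIL not an X.509 v3 certificate"; fail=1 ;;
    esac

    # Requirement: RSA key size between 2048 and 16384 bits.
    # OpenSSL 1.1 prints "RSA Public-Key: (N bit)", 3.x prints "Public-Key: (N bit)".
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    if [ -n "$bits" ] && [ "$bits" -ge 2048 ] && [ "$bits" -le 16384 ]; then
        echo "ok   key size $bits bits"
    else
        echo "FAIL key size '${bits:-unknown}' not in 2048..16384"; fail=1
    fi

    # Requirement: basicConstraints must assert CA:TRUE.
    case "$text" in
        *"CA:TRUE"*) echo "ok   basicConstraints CA:TRUE" ;;
        *) echo "FAIL basicConstraints does not assert CA:TRUE"; fail=1 ;;
    esac

    # Requirement: keyUsage present with keyCertSign and cRLSign.
    # This is the check the thread's certificates fail: CA:TRUE set, no keyUsage at all.
    case "$text" in
        *"X509v3 Key Usage"*)
            case "$text" in
                *"Certificate Sign"*) echo "ok   keyUsage has keyCertSign" ;;
                *) echo "FAIL keyUsage lacks keyCertSign"; fail=1 ;;
            esac
            case "$text" in
                *"CRL Sign"*) echo "ok   keyUsage has cRLSign" ;;
                *) echo "FAIL keyUsage lacks cRLSign"; fail=1 ;;
            esac ;;
        *) echo "FAIL no keyUsage extension (keyCertSign and cRLSign required)"; fail=1 ;;
    esac
    return $fail
}

# make_demo_cert good|bad OUT.pem
#   Generates a constructed self-signed 2048-bit root for exercising the checker:
#   "good" carries the required keyUsage, "bad" only CA:TRUE, like the thread's CA.
make_demo_cert() {
    cfg=$(mktemp) || return 1
    cat >"$cfg" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Constructed Demo Root CA
[good]
subjectKeyIdentifier = hash
basicConstraints = critical,CA:true
keyUsage = critical,digitalSignature,keyCertSign,cRLSign
[bad]
subjectKeyIdentifier = hash
basicConstraints = critical,CA:true
EOF
    openssl req -x509 -config "$cfg" -extensions "$1" -newkey rsa:2048 -nodes \
        -keyout /dev/null -out "$2" -days 30 >/dev/null 2>&1
    rc=$?
    rm -f "$cfg"
    return $rc
}

# Usage: sh check_ca.sh my-root.pem   (exit status 0 = meets all listed requirements)
if [ -n "$1" ]; then
    check_ca_cert "$1"
fi
```

Run it against the root PEM you intend to import; a "FAIL no keyUsage extension" line reproduces the condition behind the "is not a valid CA certificate" message seen in this thread, and the only remedy is a reissued root with the listed extensions, since extensions cannot be added to an existing signed certificate.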