Hello group,
I tried to replace the vCenter's machine SSL certificate. Got the CSR and created a new certificate by our server CA. But when I now upload the new server certificate and the CA chain, I receive an error message about the root certificate:
create trusted root chain failed: <some certificate identifier> is not a valid CA certificate. Please retry with a valid certificate chain.
The same error appears when I try to import the root certificate alone as a trusted root certificate.
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
03:3c:4b:36:18:59:fb:8b:28:11:5d:1a:59:3f:ab:05:84:1a:a5:dc
Signature Algorithm: sha512WithRSAEncryption
Issuer: C = DE, ST = Berlin, L = Berlin, O = TK Aufz\C3\83\C2\BCge GmbH, OU = Service24, CN = Root CA, emailAddress = dach.dtxsupport@tkelevator.com
Validity
Not Before: Apr 21 15:26:29 2022 GMT
Not After : Apr 18 15:26:29 2032 GMT
Subject: C = DE, ST = Berlin, L = Berlin, O = TK Aufz\C3\83\C2\BCge GmbH, OU = Service24, CN = Root CA, emailAddress = dach.dtxsupport@tkelevator.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Modulus:
[...]
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
38:1F:FC:F2:E4:FE:7B:FF:3B:F5:4F:B8:23:8E:85:5B:35:B1:62:2A
X509v3 Authority Key Identifier:
keyid:38:1F:FC:F2:E4:FE:7B:FF:3B:F5:4F:B8:23:8E:85:5B:35:B1:62:2A
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha512WithRSAEncryption
[...]
(Stripped the lengthy bit patterns for better readability.) Does anyone know what vCenter is so picky about? The root cert works fine on dozens of other machines in a ton of different applications.
Thank you very much!
Regards,
Christoph
I have reported your post to the moderators, asking them to move it to the area for vCenter Server.
Check the following article:
https://virtualblog.nl/2020/10/26/vmware-vcenter-replace-machine-certificate-with-custom-ca/
Maybe you missed something.
Hi,
I got the same issue here.
Our CA is deployed everywhere. In another vCenter 8, updated from 7, CA is installed.
If I want to put this same CA in a new vCenter 8, I get the same message.
Have you found a solution?
I found why but I don't have a solution for my case.
The VMware documentation gives the following requirements for a CA:
- Key size: 2048 bits (minimum) to 16384 bits (maximum) (PEM encoded)
- PEM format. VMware supports PKCS8 and PKCS1 (RSA keys). When keys are added to VECS, they are converted to PKCS8.
- x509 version 3
- The CA extension must be set to true for root certificates, and cert sign must be in the list of requirements. For example:
basicConstraints = critical,CA:true
keyUsage = critical,digitalSignature,keyCertSign
- CRL signing must be enabled.
- Extended Key Usage can be either empty or contain Server Authentication.
- No explicit limit to the length of the certificate chain. VMCA uses the OpenSSL default, which is 10 certificates.
- Certificates with wildcards or with more than one DNS name are not supported.
- You cannot create subsidiary CAs of VMCA.
When our company's sales were generated 7 years ago, the "CA bit" was set but no "key usage" was defined:
[...]
X509v3 extensions:
[...]
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
[...]
As a result, it is no longer possible to import it on a fresh installation (even though this same CA is installed on a vCenter 8.0.2 that has been upgraded from vCenter 7).
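A quick way to see which of the listed requirements a root certificate misses before uploading it to vCenter is to check the `openssl x509 -noout -text` dump for them. The script below is an added example, not something from this thread or from VMware; it is a hypothetical helper that parses OpenSSL's text output (not the DER itself) and reports each requirement that is not met: X.509 v3, RSA key between 2048 and 16384 bits, basicConstraints CA:TRUE, keyUsage with Certificate Sign and CRL Sign, and an Extended Key Usage that is either absent or contains Server Authentication. The two sample dumps are constructed from the certificate posted above (modulus and signature omitted); one lacks the Key Usage extension, the other includes it.

```python
"""Check an `openssl x509 -noout -text` dump of a root CA against the
CA requirements quoted in the thread.  Hypothetical helper, not a VMware
tool; it parses OpenSSL's text output for the few fields it needs."""
import re
import sys


def _extension(text, name):
    """Return (critical, value) for a single-line X509v3 extension, else None.
    Multi-line extensions (e.g. Authority Key Identifier) are not needed here."""
    m = re.search(r"^\s*" + re.escape(name) + r":\s*(critical)?\s*\n\s*([^\n]*)",
                  text, re.M)
    if not m:
        return None
    return (m.group(1) is not None, m.group(2).strip())


def parse_x509_text(text):
    """Pull version, key type/size and the relevant extensions out of the dump."""
    info = {}
    m = re.search(r"^\s*Version:\s*(\d+)", text, re.M)
    info["version"] = int(m.group(1)) if m else None
    # OpenSSL 1.1 prints "RSA Public-Key: (n bit)", OpenSSL 3 "Public-Key: (n bit)"
    m = re.search(r"Public-Key:\s*\((\d+) bit\)", text)
    info["key_bits"] = int(m.group(1)) if m else None
    info["rsa"] = "rsaEncryption" in text
    info["basic_constraints"] = _extension(text, "X509v3 Basic Constraints")
    info["key_usage"] = _extension(text, "X509v3 Key Usage")
    info["ext_key_usage"] = _extension(text, "X509v3 Extended Key Usage")
    return info


def check_vcenter_ca(info):
    """Return a list of unmet requirements; an empty list means the cert passes."""
    problems = []
    if info["version"] != 3:
        problems.append("not an X.509 v3 certificate")
    if info["rsa"] and info["key_bits"] is not None and not 2048 <= info["key_bits"] <= 16384:
        problems.append(f"RSA key size {info['key_bits']} outside 2048..16384 bits")
    bc = info["basic_constraints"]
    if bc is None or "CA:TRUE" not in bc[1].upper():
        problems.append("basicConstraints missing or CA is not TRUE")
    ku = info["key_usage"]
    if ku is None:
        problems.append("keyUsage extension missing (needs Certificate Sign and CRL Sign)")
    else:
        usages = {u.strip() for u in ku[1].split(",")}
        if "Certificate Sign" not in usages:
            problems.append("keyUsage lacks Certificate Sign")
        if "CRL Sign" not in usages:
            problems.append("keyUsage lacks CRL Sign")
    eku = info["ext_key_usage"]
    if eku is not None and "TLS Web Server Authentication" not in eku[1]:
        problems.append("extendedKeyUsage present but without Server Authentication")
    return problems


# Constructed sample: the thread's root CA, CA bit set but no Key Usage extension.
SAMPLE_NO_KEYUSAGE = """Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha512WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                38:1F:FC:F2:E4:FE:7B:FF:3B:F5:4F:B8:23:8E:85:5B:35:B1:62:2A
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha512WithRSAEncryption
"""

# Constructed sample: the same CA reissued with the key usages vCenter expects.
SAMPLE_OK = SAMPLE_NO_KEYUSAGE.replace(
    "                CA:TRUE\n",
    "                CA:TRUE\n"
    "            X509v3 Key Usage: critical\n"
    "                Digital Signature, Certificate Sign, CRL Sign\n")


if __name__ == "__main__":
    # Pipe a real dump in, or run without input to check the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NO_KEYUSAGE
    for line in check_vcenter_ca(parse_x509_text(text)) or ["OK: meets the listed CA requirements"]:
        print(line)
```

Run it against a real root certificate with `openssl x509 -in root.pem -noout -text | python3 check_ca.py`. Note that this only compares against the documented list; vCenter's own validation may reject a certificate for reasons the text dump does not show.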