12 Replies Latest reply on May 6, 2018 4:45 AM by GregoryI

    vSphere 6.0 U3 Custom Certificates instalation error: Previous Machine_SSL_CERT Subject alternative name does not match new Machine_SSL_Certificate Subject alternative name

    Wizard78 Lurker

      We have setup a testing environment to perform an upgrade from vSphere 5.5 to 6.0 U3

      Have updated one vcenter from 5.5 to 6.0 U3 and try to test custom certificates. All infrastructure servers are installed on Windows 2008 R2 Standard (Vcenter, AD/CA, SQL)

      Tried to follow this article Replacing a vSphere 6.x Machine SSL certificate with a Custom Certificate Authority Signed Certificate (2112277) | VMwar…


      We have created certificates template using this article as guide Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.0 (2112009) | VMware KB

      Creating a new template for vSphere 6.0 to use for Machine SSL and Solution User certificates

          Connecting to the CA server, you will be generating the certificates from through an RDP session.

          Click Start > Run, type certtmpl.msc, and click OK.

          In the Certificate Template Console, under Template Display Name, right-click Web Server and click Duplicate Template.

          In the Duplicate Template window, select Windows Server 2003 Enterprise for backward compatibility.

          Note: If you have an encryption level higher than SHA1, select Windows Server 2008 Enterprise.

          Click the General tab.

          In the Template display name field, enter vSphere 6.0 as the name of the new template.

          Click the Extensions tab.

          Select Application Policies and click Edit.

          Select Server Authentication and click Remove, then OK.

          Note: If Client Authentication exists, remove this from Application Policies as well.

          Select Key Usage and click Edit.

          Select the Signature is proof of origin (nonrepudiation) option. Leave all other options as default.

          Click OK.

          Click the Subject Name tab.

          Ensure that the Supply in the request option is selected.

          Click OK to save the template.

          Proceed to Adding a new template to certificate templates section in the article to make the newly created certificate template available.


      On Vcenter server 6.0U3   (Embeded PSC) we run the certificat manager tool to generate CRS records, we have used option 1 and 5 as our goal is to use custom certificates.

      We followed this article to get certificates from Microsoft CA  Obtaining vSphere certificates from a Microsoft Certificate Authority (2112014) | VMware KB

      Note: this is a simple lab environment so there is no intermediate CA only the root one on  Windows 2008R2


      We copied certificates to the new vcenter and tried to import Machine SSL certificate and got the above error

      Previous Machine_SSL_CERT Subject alternative name does not match new Machine_SSL_Certificate Subject alternative name


      We tried to use san:dns=fqdn..... using attributes box from CA to specify a unique SAN but got same error


      Have attached the certtool.cfg file and certificate manager log.  Any help would be appreciated