We have setup a testing environment to perform an upgrade from vSphere 5.5 to 6.0 U3
Have updated one vcenter from 5.5 to 6.0 U3 and try to test custom certificates. All infrastructure servers are installed on Windows 2008 R2 Standard (Vcenter, AD/CA, SQL)
We have created certificates template using this article as guide Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.0 (2112009) | VMware KB
Creating a new template for vSphere 6.0 to use for Machine SSL and Solution User certificates
Connecting to the CA server, you will be generating the certificates from through an RDP session.
Click Start > Run, type certtmpl.msc, and click OK.
In the Certificate Template Console, under Template Display Name, right-click Web Server and click Duplicate Template.
In the Duplicate Template window, select Windows Server 2003 Enterprise for backward compatibility.
Note: If you have an encryption level higher than SHA1, select Windows Server 2008 Enterprise.
Click the General tab.
In the Template display name field, enter vSphere 6.0 as the name of the new template.
Click the Extensions tab.
Select Application Policies and click Edit.
Select Server Authentication and click Remove, then OK.
Note: If Client Authentication exists, remove this from Application Policies as well.
Select Key Usage and click Edit.
Select the Signature is proof of origin (nonrepudiation) option. Leave all other options as default.
Click the Subject Name tab.
Ensure that the Supply in the request option is selected.
Click OK to save the template.
Proceed to Adding a new template to certificate templates section in the article to make the newly created certificate template available.
On Vcenter server 6.0U3 (Embeded PSC) we run the certificat manager tool to generate CRS records, we have used option 1 and 5 as our goal is to use custom certificates.
We followed this article to get certificates from Microsoft CA Obtaining vSphere certificates from a Microsoft Certificate Authority (2112014) | VMware KB
Note: this is a simple lab environment so there is no intermediate CA only the root one on Windows 2008R2
We copied certificates to the new vcenter and tried to import Machine SSL certificate and got the above error
Previous Machine_SSL_CERT Subject alternative name does not match new Machine_SSL_Certificate Subject alternative name
We tried to use san:dns=fqdn..... using attributes box from CA to specify a unique SAN but got same error
Have attached the certtool.cfg file and certificate manager log. Any help would be appreciated