VMware Cloud Community
Teparky
Contributor

vCenter Server Certificate Change

Hi All,

I hope everyone in the community is keeping safe during these changing times.

I am currently experiencing an issue with my vCenter Server 7.0 that I have deployed in my environment. I am attempting to change the Machine_Cert with one that is signed by my internal certificate authority. Every time I attempt to change the certificate, I get the following error: 'Error occurred while fetching tls: Exception found (Invalid input certificate : DNS in Subject Alternative Name is not correct. DNS Name must contain machine FQDN.)'.

I have made sure that I am including the vCenter Server hostname in the Subject Alternative Name, so it should all be working as expected.

CN = 172.16.0.30

Subject Alternatives that are included

DNS = vcserver.domain.local

DNS = vcserver

When I run the following command I get the output of 172.26.0.30 from my server.

'root@vcserver [ ~ ]# /usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost'    

172.26.0.30

I have also compared the currently used Subject Alternatives to what is in my new certificate and these are the same. Has anyone seen this issue before, or is anyone able to help out with fixing the issue?

Any suggestions would be appreciated.

Regards,

Tom

0 Kudos
2 Replies
msripada
Virtuoso

I believe your vCenter machine is deployed with IP deployment.

If there is an IP deployment, the PNID is set as the IP address. You have two options:

1. Change the PNID to FQDN instead of IP and replace with the same cert - Changing your vCenter Server's FQDN - VMware vSphere Blog

2. Include the IP address in the Subject Alternative Name and proceed to change the cert (keeping the PNID as IP)

Thanks,

MS

0 Kudos
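
A pre-flight check for the second option in the reply above, added here as an example; it is not code from the thread or from VMware. It tests whether the SAN list printed by `openssl x509 -noout -ext subjectAltName` contains the PNID as a whole `DNS:` or `IP Address:` entry. The function name, the sample SAN strings and the choice to accept either entry type are assumptions, and vCenter's own validation may be stricter.

```shell
#!/usr/bin/env bash
# Added example: does a certificate's SAN list cover the vCenter PNID?
# On the appliance the two inputs would come from:
#   /usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost
#   openssl x509 -in <new-cert.pem> -noout -ext subjectAltName

# PNID as reported by get-pnid in the question.
PNID='172.26.0.30'
# Constructed sample: SAN list of the certificate described in the question.
SAN_FROM_QUESTION='DNS:vcserver.domain.local, DNS:vcserver'
# Constructed sample: the same list with the IP-based PNID added.
SAN_WITH_IP='DNS:vcserver.domain.local, DNS:vcserver, IP Address:172.26.0.30'

# san_covers_pnid SAN_TEXT PNID
# Returns 0 if PNID equals a whole DNS or IP Address entry, 1 otherwise.
# Accepting either entry type is an assumption of this example.
san_covers_pnid() {
    local pnid entry value
    # Host names compare case-insensitively, so lower-case both sides.
    pnid=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    # Split on commas, one entry per line, then trim whitespace.
    while IFS= read -r entry; do
        entry=$(printf '%s' "$entry" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case $entry in
            DNS:*)          value=${entry#"DNS:"} ;;
            "IP Address:"*) value=${entry#"IP Address:"} ;;
            *)              continue ;;  # openssl header line, email, URI
        esac
        value=$(printf '%s' "$value" | tr '[:upper:]' '[:lower:]')
        # Exact match only: 172.26.0.3 must not match 172.26.0.30.
        if [ "$value" = "$pnid" ]; then
            return 0
        fi
    done <<EOF
$(printf '%s\n' "$1" | tr ',' '\n')
EOF
    return 1
}

for san in "$SAN_FROM_QUESTION" "$SAN_WITH_IP"; do
    if san_covers_pnid "$san" "$PNID"; then
        echo "OK:   PNID $PNID is in [$san]"
    else
        echo "FAIL: PNID $PNID is missing from [$san]"
    fi
done
```
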
burchell99
Enthusiast

I don't think you can include the short name as a SAN. I have come across the same problem.

CN was FQDN

SANs included IP and shortname

Removed SANs as not essential for us

0 Kudos