In vCenter 7.0.3, I added a custom machine SSL certificate (server cert only) a while back, along with our CA Root cert chain (intermediate and root combined, intermediate on the top) and it's been showing as valid ever since. Our security team recently notified me that the full certificate chain (Machine --> Intermediate) is not being served or is incomplete. The browser (Firefox) shows both the server certificate and the intermediate, which is expected. However, using the sslyze utility to scan it, results show only the server certificate in the chain. Other unrelated systems show the server cert and intermediate as "our.server.com --> Our Intermediate Issuing Org CA" when scanned using sslyze, as a comparison.
To remedy this:
First, I tried to append our intermediate certificate to the server certificate (server cert on top, intermediate on the bottom) and then tried running certificate manager from the CLI in vCenter to replace the existing machine SSL cert using that new .crt file and the original key and CA chain... but I got a message saying it failed since the thumbprint and serial number are the same as the existing certificate (the certificate used is still valid; I'm only trying to complete the chain presentation by adding the intermediate to the server cert, so I copied out the existing server cert locally, updated/appended it with the intermediate, then copied it back to a temp folder on the VCSA).
Second, since that hadn't worked, I tried to replace the machine-ssl.crt file directly in /var/lib/vmware/vmafdd_data with the one that has both the server cert and the intermediate (I restarted all services after), but that doesn't work either (though it didn't break anything, which is good).
The cert still shows as valid in the browser (like nothing changed), but I need to ensure it is serving the full chain (at least with the intermediate cert, not the CA root). I'll need to do this for other vCenters also. How do I correct this?
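As an added example (not from the original post), a shell script for the two checks at issue here: whether a PEM bundle such as the rebuilt machine-ssl.crt is ordered leaf first with each certificate issued by the next one, and which chain the endpoint actually sends in the TLS handshake, which is what sslyze reports (a browser may fetch or cache the intermediate on its own). It assumes the openssl CLI is installed; host names are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the openssl CLI.
set -eu

# Split a PEM bundle into $2/cert01.pem, $2/cert02.pem, ... and print the count.
split_pem() {
  mkdir -p "$2"
  awk -v d="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%02d.pem", d, n); inside = 1 }
    inside { print > f }
    /-----END CERTIFICATE-----/ { inside = 0; close(f) }
    END { print n + 0 }' "$1"
}

# Succeed only if cert i's issuer equals cert i+1's subject for every adjacent
# pair, i.e. the order a TLS server must present (leaf first, then its issuers).
check_chain_order() {
  tmp=$(mktemp -d)
  count=$(split_pem "$1" "$tmp")
  [ "$count" -ge 1 ] || { echo "no certificates found in $1" >&2; rm -rf "$tmp"; return 1; }
  i=1
  while [ "$i" -le "$count" ]; do
    cur=$(printf '%s/cert%02d.pem' "$tmp" "$i")
    echo "$i: $(openssl x509 -in "$cur" -noout -subject)"
    if [ "$i" -lt "$count" ]; then
      issuer=$(openssl x509 -in "$cur" -noout -issuer)
      subject=$(openssl x509 -in "$(printf '%s/cert%02d.pem' "$tmp" $((i + 1)))" -noout -subject)
      if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
        echo "cert $i is not issued by cert $((i + 1)): chain out of order or incomplete" >&2
        rm -rf "$tmp"; return 1
      fi
    fi
    i=$((i + 1))
  done
  rm -rf "$tmp"
  echo "$count certificate(s), correctly ordered"
}

# What the endpoint really sends in its handshake (what sslyze sees), independent
# of any intermediate the browser fetched or cached on its own.
served_chain() {
  served=$(mktemp)
  openssl s_client -connect "$1:${2:-443}" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' > "$served"
  check_chain_order "$served"   # a count of 1 means only the leaf is served
  rm -f "$served"
}
```

Run `check_chain_order machine-ssl.crt` on the bundle before loading it, and `served_chain vcenter.example.com` (placeholder host) afterwards to confirm the intermediate is now presented.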