VMware vSphere


Replacing Machine SSL Certificate

  • 1.  Replacing Machine SSL Certificate

    Posted Nov 13, 2024 05:15 PM

    Hi there!  We have an SSL cert issued by GoDaddy that I'm certain is SHA256: 

    However, I get an error when applying this cert that it uses a weak signature algorithm and isn't supported. 

    "[CERTIFICATE] Replace cert Failed: Exception found (Certificate uses a weak signature algorithm - SHA1WITHRSA. Only SHA-2 RSA algorithms are supported on the vCenter Server.)"

    Has anyone else run into this issue or have any guidance for me?



  • 2.  RE: Replacing Machine SSL Certificate

    Broadcom Employee
    Posted Nov 14, 2024 08:24 AM

    Hello John,

    Could you please validate the Signature algorithm of the other certs in the chain? (Intermediate / root cert)

    Regards,

    Navin A




  • 3.  RE: Replacing Machine SSL Certificate

    Posted Nov 14, 2024 09:01 AM

    All certificates in the chain use the "sha256RSA" algorithm and sha256 hash as shown in the screenshot.




  • 4.  RE: Replacing Machine SSL Certificate

    Broadcom Employee
    Posted Nov 14, 2024 10:35 AM

    The provided screenshot is from the Machine cert. 
    The error would be seen if any cert in the chain has a SHA1. Could you please check the signature algorithm of the intermediate and root cert?




  • 5.  RE: Replacing Machine SSL Certificate

    Posted Nov 14, 2024 10:40 AM

    I did, this is what I meant by "all certificates in the chain," but I can provide screenshots of the others if that would help confirm.




  • 6.  RE: Replacing Machine SSL Certificate

    Posted Nov 19, 2024 10:58 AM

    Hi, I have the same problem. I think it is the thumbprint that uses sha1. 

    Think we need new root-chain-certs.

    /Jonas




  • 7.  RE: Replacing Machine SSL Certificate

    Posted Nov 20, 2024 03:06 PM

    Hello,

    I have the same problem. And there is a hidden cert in the chain from GoDaddy. Open gd_bundle-g2-g1.crt in Notepad++ and you will see 3 certs. The last one is signed with sha1 :-(




  • 8.  RE: Replacing Machine SSL Certificate

    Posted Nov 20, 2024 03:06 PM

    yes




  • 9.  RE: Replacing Machine SSL Certificate

    Posted Nov 20, 2024 03:06 PM

    yes




  • 10.  RE: Replacing Machine SSL Certificate

    Posted Nov 20, 2024 03:06 PM




  • 11.  RE: Replacing Machine SSL Certificate

    Posted Dec 06, 2024 02:03 PM
    Edited by John Davidson Dec 06, 2024 02:03 PM

    Oh I see what you did, you're right.... Bummer!  I'm seeing the same thing on mine as well.




  • 12.  RE: Replacing Machine SSL Certificate

    Posted Jan 10, 2025 10:10 AM

    Hello. How did you get around this issue? I have the same problem using InCommon (Sectigo).




  • 13.  RE: Replacing Machine SSL Certificate

    Posted Jan 13, 2025 09:54 AM

    For us Sectigo users, I found the solution on their site: https://www.sectigo.com/faqs/detail/VMware-Center-Certificate-does-not-accept-the-SHA-1-root-certificate/kA0Uj0000002rBV

    It has to do with replacing the root cert section, which was reporting as SHA1. Once I used the solution in the link, the cert worked.




  • 14.  RE: Replacing Machine SSL Certificate

    Posted Jan 23, 2025 01:28 PM

    Thanks for this, Marc. This helped me fix this issue on our vCenter install. I used the certificate provided in the Sectigo article you linked to and replaced the first of three certificates in the Sectigo intermediate certificate they provide with new SSL certs ("Issuing CA certificates only: as Root/Intermediate(s) only, PEM encoded"), and was finally able to get a working SSL certificate in vCenter.




  • 15.  RE: Replacing Machine SSL Certificate

    Posted Jan 23, 2025 04:40 PM

    My pleasure. We've got to stick together with this stuff!