I found why but I don't have a solution for my case.
The VMware documentation gives the following requirements for a CA:
- Key size: 2048 bits (minimum) to 16384 bits (maximum) (PEM encoded)
- PEM format. VMware supports PKCS8 and PKCS1 (RSA keys). When keys are added to VECS, they are converted to PKCS8.
- x509 version 3
- The CA extension must be set to true for root certificates, and cert sign must be in the list of requirements. For example:
    basicConstraints = critical,CA:true
    keyUsage = critical,digitalSignature,keyCertSign
- CRL signing must be enabled.
- Extended Key Usage can be either empty or contain Server Authentication.
- No explicit limit to the length of the certificate chain. VMCA uses the OpenSSL default, which is 10 certificates.
- Certificates with wildcards or with more than one DNS name are not supported.
- You cannot create subsidiary CAs of VMCA.
When our company's sales were generated 7 years ago, the "CA bit" was set but no "key usage" was defined:
    [...]
    X509v3 extensions:
        [...]
        X509v3 Basic Constraints:
            CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
    [...]
As a result, it is no longer possible to import it on a fresh installation (even though this same CA is installed on a vCenter 8.0.2 that has been upgraded from vCenter 7).
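
The mismatch described above can be checked before attempting an import. The following is an added example, not part of the original post and not VMware tooling: it parses the text printed by `openssl x509 -noout -text` and reports which of the listed requirements a CA certificate fails. The function names and the embedded sample dump are constructed for illustration.

```python
import re

# Constructed sample of `openssl x509 -noout -text` output for a CA like the
# one in the post: CA bit set, no Key Usage extension. Not a real certificate.
SAMPLE_OLD_CA = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
"""

def extensions(text):
    """Map extension name -> joined value lines, using the dump's indentation."""
    exts, name, hdr, name_depth = {}, None, None, None
    for line in text.splitlines():
        s, depth = line.strip(), len(line) - len(line.lstrip())
        if s == "X509v3 extensions:":
            hdr = depth
        elif hdr is not None and s:
            if depth <= hdr:          # left the extensions block
                break
            if name_depth is None:
                name_depth = depth    # first line after the header is a name
            if depth == name_depth:
                name = re.sub(r":( critical)?$", "", s)
                exts[name] = ""
            else:
                exts[name] += s + " "
    return exts

def check_vmca_root(text):
    """Return the requirements from the list above that the certificate fails."""
    problems, exts = [], extensions(text)
    if not re.search(r"Version: 3 ", text):
        problems.append("not x509 version 3")
    bits = re.search(r"Public-Key: \((\d+) bit\)", text)
    if not bits or not 2048 <= int(bits.group(1)) <= 16384:
        problems.append("key size outside 2048-16384 bits")
    if "CA:TRUE" not in exts.get("X509v3 Basic Constraints", ""):
        problems.append("basicConstraints CA:true missing")
    usage = exts.get("X509v3 Key Usage")
    if usage is None:
        problems.append("keyUsage extension missing")
    else:
        problems += [f"keyUsage lacks {u}" for u in ("Certificate Sign", "CRL Sign") if u not in usage]
    eku = exts.get("X509v3 Extended Key Usage")
    if eku is not None and "TLS Web Server Authentication" not in eku:
        problems.append("EKU set without Server Authentication")
    return problems
```

Calling `check_vmca_root` on the text dump of a real CA certificate returns an empty list when every checked requirement is met.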