vCenter

  • 1.  vCenter does not accept my root certificate

    Posted Feb 07, 2023 01:29 PM

    Hello group,

    I tried to replace the vCenter's machine SSL certificate. Got the CSR and created a new certificate by our server CA. But when I now upload the new server certificate and the CA chain, I receive an error message about the root certificate:

    create trusted root chain failed: <some certificate identifier> is not a valid CA certificate. Please retry with a valid certificate chain.

    The same error appears when I try to import the root certificate alone as a trusted root certificate.

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                03:3c:4b:36:18:59:fb:8b:28:11:5d:1a:59:3f:ab:05:84:1a:a5:dc
            Signature Algorithm: sha512WithRSAEncryption
            Issuer: C = DE, ST = Berlin, L = Berlin, O = TK Aufz\C3\83\C2\BCge GmbH, OU = Service24, CN = Root CA, emailAddress = dach.dtxsupport@tkelevator.com
            Validity
                Not Before: Apr 21 15:26:29 2022 GMT
                Not After : Apr 18 15:26:29 2032 GMT
            Subject: C = DE, ST = Berlin, L = Berlin, O = TK Aufz\C3\83\C2\BCge GmbH, OU = Service24, CN = Root CA, emailAddress = dach.dtxsupport@tkelevator.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    RSA Public-Key: (4096 bit)
                    Modulus:
                        [...]
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Subject Key Identifier:
                    38:1F:FC:F2:E4:FE:7B:FF:3B:F5:4F:B8:23:8E:85:5B:35:B1:62:2A
                X509v3 Authority Key Identifier:
                    keyid:38:1F:FC:F2:E4:FE:7B:FF:3B:F5:4F:B8:23:8E:85:5B:35:B1:62:2A

                X509v3 Basic Constraints: critical
                    CA:TRUE
        Signature Algorithm: sha512WithRSAEncryption
            [...]

    (Stripped the lengthy bit patterns for better readability.) Does anyone know what vCenter is so picky about? The root cert works fine on dozens of other machines in a ton of different applications.

    Thank you very much!

    Regards,

    Christoph



  • 2.  RE: vCenter does not accept my root certificate

    Posted Feb 07, 2023 02:12 PM

    I have reported your post to the moderators, asking them to move it to the area for vCenter Server.



  • 3.  RE: vCenter does not accept my root certificate

    Posted Feb 07, 2023 08:37 PM


  • 4.  RE: vCenter does not accept my root certificate

    Posted Sep 30, 2023 07:43 PM

    Hi,

    I got the same issue here.

    Our CA is deployed everywhere. In another vCenter 8, updated from 7, CA is installed.

    If I want to put this same CA in a new vCenter 8, I get the same message.

    Have you found a solution?



  • 5.  RE: vCenter does not accept my root certificate

    Posted Oct 01, 2023 12:54 PM

    I found why but I don't have a solution for my case.

    The VMware documentation gives the following requirements for a CA:

    - Key size: 2048 bits (minimum) to 16384 bits (maximum) (PEM encoded)
    - PEM format. VMware supports PKCS8 and PKCS1 (RSA keys). When keys are added to VECS, they are converted to PKCS8.
    - x509 version 3
    - The CA extension must be set to true for root certificates, and cert sign must be in the list of requirements. For example:

    basicConstraints = critical,CA:true
    keyUsage = critical,digitalSignature,keyCertSign

    - CRL signing must be enabled.
    - Extended Key Usage can be either empty or contain Server Authentication.
    - No explicit limit to the length of the certificate chain. VMCA uses the OpenSSL default, which is 10 certificates.
    - Certificates with wildcards or with more than one DNS name are not supported.
    - You cannot create subsidiary CAs of VMCA.

    When our company's CA was generated 7 years ago, the "CA bit" was set but no "key usage" was defined:

    [...]
            X509v3 extensions:
                [...]
                X509v3 Basic Constraints:
                    CA:TRUE
        Signature Algorithm: sha256WithRSAEncryption
    [...]

    As a result, it is no longer possible to import it on a fresh installation (even though this same CA is installed on a vCenter 8.0.2 that has been upgraded from vCenter 7).
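To turn the requirement list quoted above into a repeatable pre-import check, here is an added example (it is not from the thread, from VMware, or from any VMware tool): a small Python script that parses the output of `openssl x509 -in ca.pem -noout -text` and reports which of the listed requirements the certificate misses. It covers the X.509 version, the RSA key size range, `basicConstraints CA:TRUE`, the `keyUsage` bits Certificate Sign and CRL Sign, and the Extended Key Usage rule. The two sample dumps embedded in the script are constructed from the fields posted in the thread; the first reproduces the situation both posters hit (CA:TRUE but no Key Usage extension), the second shows a root that satisfies the list.

```python
"""Check an `openssl x509 -noout -text` dump against the CA requirements
quoted from the VMware documentation in this thread.

Added example, not part of the thread or of any VMware tool. It parses
OpenSSL's text rendering rather than DER, so no third-party library is
needed; feed it whatever `openssl x509 -in ca.pem -noout -text` prints.
"""
import re
import sys

# Constructed sample dumps, modelled on the certificates posted in the thread.
# Only the fields the checks need are included; hex bodies are abbreviated.
CA_WITHOUT_KEY_USAGE = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                38:1F:FC:F2:E4:FE:7B:FF:3B:F5:4F:B8:23:8E:85:5B:35:B1:62:2A
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha512WithRSAEncryption
"""

CA_WITH_KEY_USAGE = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
    Signature Algorithm: sha512WithRSAEncryption
"""


def parse_extensions(text):
    """Return {extension name: body text} for the 'X509v3 extensions:' section.

    A header line looks like 'X509v3 Key Usage: critical'; every following
    line that is not itself a header is appended to that extension's body.
    """
    exts = {}
    section = re.search(r"X509v3 extensions:\n(.*?)(?=\n\s*Signature Algorithm:|\Z)",
                        text, re.S)
    if not section:
        return exts
    current = None
    for line in section.group(1).splitlines():
        header = re.match(r"\s*(X509v3 [^:]+):\s*(critical)?\s*$", line)
        if header:
            current = header.group(1)
            exts[current] = ""
        elif current is not None:
            exts[current] += line.strip() + " "
    return {name: body.strip() for name, body in exts.items()}


def check_vmware_ca_requirements(text):
    """Return a list of human-readable problems; an empty list means the dump
    meets every requirement this script knows how to check."""
    problems = []

    # x509 version 3
    if not re.search(r"Version: 3 \(0x2\)", text):
        problems.append("certificate is not X.509 version 3")

    # Key size 2048..16384 bits (matches both 'RSA Public-Key' and 'Public-Key')
    key = re.search(r"Public-Key: \((\d+) bit\)", text)
    if key:
        bits = int(key.group(1))
        if not 2048 <= bits <= 16384:
            problems.append(f"RSA key size {bits} is outside 2048..16384")
    else:
        problems.append("could not determine key size")

    exts = parse_extensions(text)

    # basicConstraints = CA:true
    if "CA:TRUE" not in exts.get("X509v3 Basic Constraints", ""):
        problems.append("basicConstraints CA:TRUE missing")

    # keyUsage must carry keyCertSign and cRLSign; absence is the thread's case
    key_usage = exts.get("X509v3 Key Usage")
    if key_usage is None:
        problems.append("keyUsage extension missing (need Certificate Sign and CRL Sign)")
    else:
        if "Certificate Sign" not in key_usage:
            problems.append("keyUsage lacks Certificate Sign")
        if "CRL Sign" not in key_usage:
            problems.append("keyUsage lacks CRL Sign")

    # Extended Key Usage: either absent or containing Server Authentication
    eku = exts.get("X509v3 Extended Key Usage")
    if eku is not None and "TLS Web Server Authentication" not in eku:
        problems.append("extendedKeyUsage present but lacks Server Authentication")

    return problems


if __name__ == "__main__":
    # Usage: python check_ca.py <(openssl x509 -in ca.pem -noout -text)
    dump = open(sys.argv[1]).read() if len(sys.argv) > 1 else CA_WITHOUT_KEY_USAGE
    for line in check_vmware_ca_requirements(dump) or ["OK: meets the listed requirements"]:
        print(line)
```

Run it against the real dump rather than the embedded samples by passing the file name; on the thread's root certificate it reports only the missing `keyUsage` extension, which is exactly the condition behind the "is not a valid CA certificate" error, and which an upgraded vCenter tolerated only because the trust store was carried over rather than re-validated on import.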