vCenter root certificate expiry: Sectigo AddTrust External CA Root expired on May 30, 2020.

Are you facing the root certificate expiry issue while using certificates provided by Sectigo?

This causes services on the vCenter server to fail, and the following line appears in the log:

  • Vpxd-svcs.log:

Caused by: com.vmware.vim.vmomi.client.exception.VlsiCertificateException: Server certificate chain is not trusted and thumbprint verification is not configured at com.vmware.vim.vmomi.client.http.impl.ThumbprintTrustManager.checkServerTrusted(ThumbprintTrustManager.java:224)]Caused by: java.security.cert.CertificateExpiredException: NotAfter: Sat May 30 10:48:38 UTC 2020

  This root is due to expire at the end of May 2020. Any applications or installations that depend on this cross-signed root must be updated by May 2020 or risk an outage or a displayed error message.

What to do?

Validate the logs in the vCenter server.
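To make that log validation repeatable, here is an added example in Python (not code from the original post): it scans vpxd-svcs.log lines for the two indicators quoted above, the untrusted-chain VlsiCertificateException and the CertificateExpiredException, and flags a NotAfter value that matches the AddTrust External CA Root expiry. The sample log is constructed: the first line is invented filler, the second is the line quoted above.

```python
import re
from datetime import datetime, timezone

# Expiry of the Sectigo AddTrust External CA Root, matching the NotAfter
# value in the vpxd-svcs.log line quoted above (30 May 2020 10:48:38 UTC).
ADDTRUST_ROOT_EXPIRY = datetime(2020, 5, 30, 10, 48, 38, tzinfo=timezone.utc)

# Java formats the expiry as "NotAfter: Sat May 30 10:48:38 UTC 2020".
_NOT_AFTER = re.compile(r"CertificateExpiredException: NotAfter: "
                        r"(\w{3} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) UTC (\d{4})")
_CHAIN_UNTRUSTED = "Server certificate chain is not trusted"

def parse_not_after(line):
    """Return the NotAfter timestamp (UTC) from a log line, or None."""
    m = _NOT_AFTER.search(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%a %b %d %H:%M:%S %Y")
    return ts.replace(tzinfo=timezone.utc)

def classify(line, now=None):
    """Return None if the line carries no trust failure, else the indicators."""
    now = now or datetime.now(timezone.utc)
    not_after = parse_not_after(line)
    chain_untrusted = _CHAIN_UNTRUSTED in line
    if not_after is None and not chain_untrusted:
        return None
    return {
        "chain_untrusted": chain_untrusted,
        "not_after": not_after,
        "expired": not_after is not None and not_after < now,
        # An exact match on the AddTrust expiry pins the symptom to that root.
        "addtrust_root": not_after == ADDTRUST_ROOT_EXPIRY,
    }

def scan_log(lines, now=None):
    """Return (line_number, finding) pairs for every matching line."""
    results = [(n, classify(line, now)) for n, line in enumerate(lines, 1)]
    return [(n, f) for n, f in results if f is not None]

# Constructed sample: one unrelated filler line, then the page's log line.
SAMPLE_LOG = [
    "info vpxd-svcs[1234] Starting service",
    "Caused by: com.vmware.vim.vmomi.client.exception.VlsiCertificateException: "
    "Server certificate chain is not trusted and thumbprint verification is not "
    "configured at com.vmware.vim.vmomi.client.http.impl.ThumbprintTrustManager."
    "checkServerTrusted(ThumbprintTrustManager.java:224)]Caused by: "
    "java.security.cert.CertificateExpiredException: NotAfter: Sat May 30 10:48:38 UTC 2020",
]
```

Running `scan_log(SAMPLE_LOG)` reports only the second line, with `chain_untrusted`, `expired` and `addtrust_root` all set; feed it the real vpxd-svcs.log lines to confirm the failure is this root and not some other expired certificate.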

  • Generate a CSR (Certificate Signing Request) on the PSC/vCenter for the certificate replacement using certificate manager.
    • VCSA – /usr/lib/vmware-vmca/bin/certificate-manager
    • Windows vCenter – C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager

Refer to the information below when entering values for CSR generation:

Country : Two uppercase letters only (e.g. US), the country where your company is located.
Name : FQDN of the vCenter Server
Organization : Company Name
OrgUnit : The name of your department within the organization. Example: “IT”
State : The state/province where your company is located
Locality : The city where your company is located.
IPAddress : IP Address of vCenter Server, this field is Optional
Email : Email Address
Hostname : FQDN of vCenter Server
VMCA Name : FQDN of vCenter Server with VMCA (Usually External PSC or VC with Embedded PSC FQDN)

  • This task replaces the Machine SSL Certificate with a Custom CA Signed Certificate.
  • This certificate is not issued by VMCA. It is issued by an external Certificate Authority.
  • If you are running an external Platform Services Controller, you will need to restart the services on the external vCenter Server 6.x and then proceed with replacing the Machine SSL of the vCenter Server 6.x.

Useful links:

https://kb.vmware.com/s/article/2112277

https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020
