VMware vCenter Certificate Automation Tool 5.5 Error

Yesterday I was updating the SSL certificates of a vCenter 5.5 deployment with the VMware vCenter Certificate Automation Tool 5.5 and ran into an annoying error:

vCenter Certificate
Oh great, “errorlevel is 1”, no further information, no nothing… So after double-checking everything from DNS to the certificate requests, it was time for some Google voodoo.

Because this wasn’t my first rodeo with SSL certificates for VMware products and I knew that the requests were OK, I could focus on the PKI. During my search I came across the blog post of Sean Massey (link) stating:

Note: If you use the walkthrough to set up your PKI environment, you will need to alter the configuration file to remove the AlternateSignatureAlgorithm=1 line. This feature does not appear to be supported on vCenter and can cause errors when importing certificates.

So then I compared the settings of the current PKI with one where it did work and voilà, AlternateSignatureAlgorithm was set to 1 on the non-working side.

Luckily this is quite easy to change by editing the registry on the issuing CA. Look for the following value:


And set it to 0. If you remove this value completely, it uses the default setting, and that is 1. So be sure to set it to 0! Also, when the value is not there, just create the value and set it to 0.

Restart your issuing CA (better safe than sorry), resubmit your certificate requests, and follow the procedure for updating the vCenter SSL certificates again, and behold:

vCenter Certificates

No more errors and the SSL certificate update completed successfully!

Some background information about the AlternateSignatureAlgorithm value (link).

Marco van Baggum

Marco works as a Staff Consulting Architect at VMware.
