Yesterday I was updating the SSL certificates of a vCenter 5.5 deployment with the VMware vCenter Certificate Automation Tool 5.5 and ran into an annoying error:
[.] The supplied certificate chain is valid.
[13/08/2015 - 19:08:45.14]: Last operation update Inventory Service SSL certificate failed :
[13/08/2015 - 19:08:45.15]: Cannot determine if Inventory Service is registered with Single Sign-On - errorlevel is 1
Oh great, “errorlevel is 1”, no further information, no nothing… So after double checking everything from DNS to the certificate requests, it was time for some Google voodoo.
Because this wasn’t my first rodeo with SSL certificates for VMware products and I knew that the requests were OK, I could focus on the PKI. During my search I came across the blog post of Sean Massey (link) stating:
Note: If you use the walkthrough to set up your PKI environment, you will need to alter the configuration file to remove the AlternateSignatureAlgorithm=1 line. This feature does not appear to be supported on vCenter and can cause errors when importing certificates.
So then I compared the settings of the current PKI with one where it did work and voilà, the AlternateSignatureAlgorithm did have the setting 1 on the non-working side.
Luckily this is quite easy to change by editing the registry on the issuing CA. Look for the following value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\IssuingCA\CSP\AlternateSignatureAlgorithm
And set it to 0. If you remove this value completely, it uses the default setting, and that is 1. So be sure to set it to 0! Also, when the value is not there, just create the value and set it to 0.
Restart your issuing CA (better safe than sorry), resubmit your certificate requests, follow the procedure for updating the vCenter SSL certificates again and behold:
No more errors and the SSL certificate update completed successfully!
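The registry edit, CA restart and a check on the resulting certificates, as an added PowerShell example that is not part of the original post. It assumes the issuing CA's common name is "IssuingCA" (the name used in the registry path above; change $CaName for your CA) and a placeholder certificate path; the RSASSA-PSS OID is the standard value that a CA signs with when AlternateSignatureAlgorithm is 1. Run it in an elevated session on the issuing CA.

```powershell
# Added example, not from the original post. Assumes the CA common name
# "IssuingCA" from the registry path in the post; adjust for your CA.
$CaName    = 'IssuingCA'
$RegPath   = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName\CSP"
$ValueName = 'AlternateSignatureAlgorithm'

function Get-AltSigSetting {
    # Returns $null when the value is absent, otherwise its integer value.
    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-AltSigSetting {
    param([int]$Value = 0)
    if ($null -eq (Get-AltSigSetting)) {
        # Value missing: create it explicitly instead of relying on the default.
        New-ItemProperty -Path $RegPath -Name $ValueName -PropertyType DWord -Value $Value | Out-Null
    } else {
        Set-ItemProperty -Path $RegPath -Name $ValueName -Value $Value
    }
}

$before = Get-AltSigSetting
Write-Host "AlternateSignatureAlgorithm before: $(if ($null -eq $before) { '<not set>' } else { $before })"
if ($before -ne 0) {
    Set-AltSigSetting -Value 0
    # The CA service reads its CSP settings at start-up, so restart it.
    Restart-Service -Name CertSvc
}
Write-Host "AlternateSignatureAlgorithm after:  $(Get-AltSigSetting)"

# Check on an issued certificate: with AlternateSignatureAlgorithm=1 the CA
# signs with RSASSA-PSS (OID 1.2.840.113549.1.1.10) rather than, for example,
# sha256RSA (OID 1.2.840.113549.1.1.11). Certificates issued before the change
# should return $true here; certificates issued after it should return $false.
function Test-CertUsesPss {
    param([string]$CertPath)   # path to a .cer file issued by this CA
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    return $cert.SignatureAlgorithm.Value -eq '1.2.840.113549.1.1.10'
}

# Placeholder path; point it at a certificate you re-issued after the change.
# Test-CertUsesPss -CertPath 'C:\temp\vcenter-issued.cer'
```

The same registry value can be read and written with `certutil -getreg CA\CSP\AlternateSignatureAlgorithm` and `certutil -setreg CA\CSP\AlternateSignatureAlgorithm 0`; the script above does it through the registry provider so the "value absent" case from the post is handled explicitly. The Test-CertUsesPss check is the quick way to confirm that the certificates you resubmit really come back with a PKCS#1 v1.5 signature before feeding them to the vCenter tool again.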
Some background information about the AlternateSignatureAlgorithm value (link).