Remove certificates with weak signature algorithms in vCenter Server

During the vCenter Server 8.0 upgrade, I was faced with the following Pre-upgrade check error and wasn't able to continue the upgrade. As of vCenter Server 8.0, certificates with SHA-1 signature algorithms are no longer supported and must be removed, or replaced with a certificate that uses a SHA-2 signature algorithm.

In this post, I’ll show you the exact steps I used to resolve the issue, allowing me to complete the upgrade to vCenter Server 8.0 successfully.

Step 1

Before proceeding any further, I took a backup of the vCenter Server 7.0 appliance. Then I had to replace the Machine SSL certificate that depended on the root certificate I was removing. Since this was only my homelab, I decided to replace the certificate with one signed internally by the VMCA using the Certificate Manager, with the plan of replacing it with a new commercially signed certificate post-upgrade.

After replacing the Machine SSL certificate and confirming vCenter 7.0 was healthy, I was ready to execute the steps outlined below to list, unpublish and delete the certificate with the weak signature algorithm that was preventing the upgrade to vCenter Server 8.0.

Step 2

SSH into your vCenter Appliance as root and launch the BASH shell, then change directory into "/usr/lib/vmware-vmafd/bin":

cd /usr/lib/vmware-vmafd/bin

Step 3

Run the following command to list all certificates in the VECS store; in my case it was the TRUSTED_ROOTS store.

./vecs-cli entry list --store TRUSTED_ROOTS --text | less

Page through the list of certificates until you find the one you want to remove. You can see in the screenshot below that this certificate matches the subject in the Pre-upgrade check error, and that it uses the Signature Algorithm "sha1WithRSAEncryption".

Take note of the Alias, as you will need that in the next step.

Step 4

Execute the following command to back up the certificate to a file. You will need the alias of the certificate you noted in the previous step.

./vecs-cli entry getcert --store TRUSTED_ROOTS --alias <Certificate-Alias> --output /tmp/oldsha1.crt

Step 5

Unpublish the certificate with the following command. You will be prompted to enter your vCenter SSO credentials to proceed.

./dir-cli trustedcert unpublish --cert /tmp/oldsha1.crt

Step 6

You may now delete the certificate using the following command. You will be prompted to verify if you wish to proceed with the operation; type “Y” to continue with the deletion.

./vecs-cli entry delete --store TRUSTED_ROOTS --alias <Certificate-Alias>

The screenshot below shows what the steps above should look like.

Note: In my case, the certificate in question was in the TRUSTED_ROOTS store. The vecs-cli entry list, getcert and delete commands work the same way against any VECS store, but dir-cli trustedcert unpublish only applies to root certificates published to the VMware Directory, and deleting an entry from MACHINE_SSL_CERT or a solution user store without first replacing it will break the services that depend on it. For those stores, replace the certificate with the Certificate Manager rather than deleting it.
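Steps 2 to 6 above are easy to get wrong when the store holds many entries, because each certificate's alias has to be matched by eye against its Signature Algorithm line. The script below is an added example, not part of the original post or of VMware's tooling: it parses the text output of vecs-cli entry list --text, reports every entry whose signature algorithm is SHA-1 or MD5, and wraps the backup, unpublish and delete steps for a chosen alias. The SAMPLE_LISTING is constructed to approximate the real listing layout (an "Alias :" line followed by the OpenSSL-style certificate text, in which the signature algorithm appears twice), so the parser can be exercised without a vCenter; the VECS_CLI and DIR_CLI paths are the ones used in the steps above.

```shell
#!/bin/sh
# Added example (not from the original post): find and remove VECS entries
# signed with a weak algorithm. Assumes the vmafd tool paths used above.
VECS_CLI=/usr/lib/vmware-vmafd/bin/vecs-cli
DIR_CLI=/usr/lib/vmware-vmafd/bin/dir-cli

# Constructed sample of `vecs-cli entry list --store TRUSTED_ROOTS --text`
# output, approximating the real layout: two trusted roots, one SHA-256
# and one SHA-1. Aliases are made up.
SAMPLE_LISTING='Number of entries in store : 2
Alias : 0123456789abcdef0123456789abcdef01234567
Entry type : Trusted Cert
Certificate:
    Data:
        Version: 3 (0x2)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=CA, DC=vsphere, DC=local
        Subject: CN=CA, DC=vsphere, DC=local
    Signature Algorithm: sha256WithRSAEncryption
Alias : 89abcdef0123456789abcdef0123456789abcdef
Entry type : Trusted Cert
Certificate:
    Data:
        Version: 3 (0x2)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=Old Lab Root CA
        Subject: CN=Old Lab Root CA
    Signature Algorithm: sha1WithRSAEncryption
'

# Read a --text listing on stdin and print "<alias> <algorithm>" once for
# every entry whose certificate uses a weak signature algorithm. The alias
# line sets the current entry; the signature algorithm line is matched
# against the weak list and reported only once per alias, since the
# OpenSSL text format prints it both inside and after the TBS block.
weak_entries() {
    awk '
        /^Alias[ \t]*:/ { sub(/^Alias[ \t]*:[ \t]*/, ""); alias = $0; next }
        /Signature Algorithm:/ {
            alg = $NF
            if (alg ~ /^(sha1|md5|md2)With/ && !(alias in seen)) {
                seen[alias] = 1
                print alias, alg
            }
        }
    '
}

# Run the parser over the constructed sample (used for offline checking).
sample_weak_entries() {
    printf '%s' "$SAMPLE_LISTING" | weak_entries
}

# Scan a live VECS store on the appliance, e.g. scan_store TRUSTED_ROOTS.
scan_store() {
    "$VECS_CLI" entry list --store "$1" --text | weak_entries
}

# Back up, unpublish and delete one TRUSTED_ROOTS entry, mirroring Steps
# 4 to 6. dir-cli prompts for SSO credentials and vecs-cli asks for
# confirmation before deleting; any failure stops before the delete.
remove_trusted_root() {
    alias="$1"
    backup="/tmp/${alias}.crt"
    "$VECS_CLI" entry getcert --store TRUSTED_ROOTS --alias "$alias" --output "$backup" || return 1
    "$DIR_CLI" trustedcert unpublish --cert "$backup" || return 1
    "$VECS_CLI" entry delete --store TRUSTED_ROOTS --alias "$alias"
}
```

On the appliance, `scan_store TRUSTED_ROOTS` lists the aliases to act on, and `remove_trusted_root <alias>` performs the three commands for one of them; run the scan again afterwards to confirm the store no longer reports a weak entry. The parser deliberately keys on the alias rather than the subject, because the alias is what vecs-cli entry getcert and delete take, and two roots can share a subject.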

And that’s all there is to it! I was able to successfully upgrade to vCenter Server 8.0.

I hope you found this helpful. Feel free to comment if you have any questions.
