During the vCenter Server 8.0 upgrade, I was faced with the following Pre-upgrade check error and wasn’t able to continue the upgrade. As of vCenter Server 8.0, certificates with SHA-1 signature algorithms are no longer supported and must be removed or replaced with a certificate that uses SHA-2 signature algorithm.
In this post, I’ll show you the exact steps I used to resolve the issue, allowing me to complete the upgrade to vCenter Server 8.0 successfully.
Step 1
Before proceeding any further, I took a backup of vCenter Server 7.0 appliance. Then I had to replace the Machine SSL certificate that was dependent on the root certificate I was removing. Since this was only my homelab I decided to replace the certificate with one signed internally by the VMCA using the Certificate Manager, with the plan of replacing it with a new commercially signed certificate post-upgrade.
After replacing the Machine SSL and confirming vCenter 7.0 was healthy, I was ready to execute the steps outlined below to list, unpublish and delete the certificate with the weak signature algorithm that preventing the upgrade to vCenter Server 8.0.
Step 2
SSH into your vCenter Appliance as root and launch BASH shell, then change directory into “/usr/lib/vmware-vmafd/bin“
cd /usr/lib/vmware-vmafd/binStep 3
Run the following command to list out all certificates in the VECS store, in my case it was TRUSTED_ROOTS store.
./vecs-cli entry list --store TRUSTED_ROOTS --text | lessPage through the list of certificates until you find the one you want to remove. You can see in the screenshot below this certificate matches the subject in the Pre-upgrade check error, and it uses the Signature Algorithm “sha1WithRSAEncryption”
Take note of the Alias, as you will need that in the next step.
Step 4
Execute the following command to backup the certificate to a file. You will need to use the alias of the certificate you noted in the previous step.
./vecs-cli entry getcert --store TRUSTED_ROOTS --alias <Certificate-Alias> --output /tmp/oldsha1.crtStep 5
Unpublish the certificate with the following command, you will be prompted to enter your vCenter SSO credentials to proceed.
./dir-cli trustedcert unpublish --cert /tmp/oldsha1.crtStep 6
You may now delete the certificate using the following command. You will be prompted to verify if you wish to proceed with the operation; type “Y” to continue with the deletion.
./vecs-cli entry delete --store TRUSTED_ROOTS --alias <Certificate-Alias> See the screenshot below; what the steps above should resemble.
Note: In my case, the certificate in question was in the TRUSTED_ROOTS store, but the steps above should allow you to remove any certificate from any store successfully.
And that’s all there is to it! I was able to successfully upgrade to vCenter Server 8.0.
I hope you found this helpful. Feel free to comment if you have any questions.
Follow @nmangraviti