I can't find anything specifically saying they're not supported, and I thought ECDSA keys were old enough technology that it wouldn't be a problem.
However, when creating a cert I'm unable to install it using the vSphere Client. The error message I get after uploading the cert, key, and CA (there are no intermediates) is:
Error occurred while fetching tls: org.bouncycastle.asn1.DEROctetString cannot be cast to org.bouncycastle.asn1.ASN1Integer
Seems to be a generic Java error, and I couldn't find anything specific to VMware.
Trying it from the command line with /usr/lib/vmware-vmca/bin/certificate-manager, the response was even less helpful:
2022-08-23T19:47:27.742Z INFO certificate-manager Create a entry using Key and File generated earlier
2022-08-23T19:47:27.742Z INFO certificate-manager Running command :- ['/usr/lib/vmware-vmafd/bin/vecs-cli', 'entry', 'create', '--store', 'MACHINE_SSL_CERT', '--alias', '__MACHINE_CERT', '--cert', '/root/vcenter.crt', '--key', '/root/vcenter.key']
2022-08-23T19:47:27.756Z INFO certificate-manager Command output :-
2022-08-23T19:47:27.756Z ERROR certificate-manager
2022-08-23T19:47:27.756Z ERROR certificate-manager Error while replacing Machine SSL Cert, please see /var/log/vmware/vmcad/certificate-manager.log for more information.
2022-08-23T19:47:27.757Z ERROR certificate-manager {
"detail": [
{
"id": "install.ciscommon.command.errinvoke",
"translatable": "An error occurred while invoking external command : '%(0)s'",
"args": [
""
],
"localized": "An error occurred while invoking external command : ''"
},
"Error in creating a new entry for __MACHINE_CERT in VECS Store MACHINE_SSL_CERT."
],
"componentKey": null,
"problemId": null,
"resolution": null
}
I tried pre-installing the CA as a trusted root, and also provided the machine cert as just the cert and also concatenated with the CA. No luck.
I tried with a traditional RSA key and while it also didn't work from the web client (no error, just acted like I didn't do anything) it worked fine from CLI. And my LDAP server has an ECDSA key on its certificate and vCenter connects to it just fine, so it definitely supports them as a client.
So my question is just whether or not ECDSA keys are supported at all? It seems not, but I just started building out a new infrastructure and it's my first time moving away from RSA so I'm doubting myself.
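One check worth running before concluding that ECDSA itself is unsupported: the Bouncy Castle message is an ASN.1 type mismatch, and OpenSSL writes EC private keys either as SEC1 ("EC PRIVATE KEY", whose second field is an OCTET STRING) or as PKCS#8 ("PRIVATE KEY"), so it helps to know which container the uploaded key file actually uses. The script below is an added example, not code from the post or from VMware; the DER blobs in it are constructed structural skeletons, not real keys.

```python
"""Classify the ASN.1 container of a PEM/DER private key. Added diagnostic
example (not from the post); the DER blobs are constructed skeletons, not keys."""
import base64
import re

TAG_NAMES = {0x02: "INTEGER", 0x04: "OCTET STRING", 0x30: "SEQUENCE"}
# The second field of the outer SEQUENCE identifies the container:
#   RFC 8017 RSAPrivateKey:  version INTEGER, modulus INTEGER
#   RFC 5915 ECPrivateKey:   version INTEGER, privateKey OCTET STRING (SEC1)
#   RFC 5208 PrivateKeyInfo: version INTEGER, algorithm SEQUENCE (PKCS#8)
CONTAINERS = {"INTEGER": "PKCS#1 RSAPrivateKey",
              "OCTET STRING": "SEC1 ECPrivateKey",
              "SEQUENCE": "PKCS#8 PrivateKeyInfo"}

def der_tlvs(buf: bytes):
    """Yield (tag, value) for consecutive DER TLVs in buf (definite lengths only)."""
    i = 0
    while i < len(buf):
        tag, first = buf[i], buf[i + 1]
        i += 2
        if first & 0x80:                 # long form: 0x80|N, then N length bytes
            n = first & 0x7F
            length, i = int.from_bytes(buf[i:i + n], "big"), i + n
        else:
            length = first
        yield tag, buf[i:i + length]
        i += length

def classify_private_key(der: bytes) -> str:
    """Name the container format of a DER-encoded private key."""
    outer = list(der_tlvs(der))
    if len(outer) != 1 or outer[0][0] != 0x30:
        return "not a single DER SEQUENCE"
    fields = list(der_tlvs(outer[0][1]))
    if len(fields) < 2 or fields[0][0] != 0x02:
        return "no leading version INTEGER"
    second = TAG_NAMES.get(fields[1][0], f"tag 0x{fields[1][0]:02x}")
    return CONTAINERS.get(second, f"unknown (second field is {second})")

def classify_pem(pem: str) -> tuple:
    """Return (PEM label, container) for the first PEM block in the text."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        return ("no PEM block", "")
    return (m.group(1), classify_private_key(base64.b64decode("".join(m.group(2).split()))))

# Constructed skeletons: version INTEGER followed by the distinguishing field.
SEC1_SKELETON = bytes.fromhex("3025020101" "0420") + bytes(32)   # "EC PRIVATE KEY"
PKCS8_SKELETON = bytes.fromhex("300a020100" "3000" "0403000000")  # "PRIVATE KEY"
RSA_SKELETON = bytes.fromhex("3008020100" "0203010001")           # "RSA PRIVATE KEY"
```

Run it against the key you uploaded (classify_pem(open("vcenter.key").read())); if the two formats behave differently on the vCenter side, converting with "openssl pkcs8 -topk8 -nocrypt" is a cheap thing to try next.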