Changing the Primary Network Identifier (PNID) on vCenter

Preface

This has been coming up a lot lately. vCenter gets deployed and configured with a hostname, and you probably don’t give it much thought until a particular situation arises later: when it’s time to upload Transport Layer Security (TLS) certificates and you receive the following warning, “Error occurred while fetching tls: Invalid input certifcate : The Subject of the provided certificate does not contain the correct CN value”

I find that this is caused by the case-sensitive comparison the VMware vCenter Server Appliance (VCSA) makes between its hostname and the Common Name (CN) in the certificate. If vCenter was deployed with a lowercase hostname (my personal preference, now), e.g. vcsa.aaronrombaut.com, then the Certificate Signing Request (CSR) should also use the lowercase fully qualified domain name (FQDN). The idea is that the case needs to match: a lowercase hostname needs to match a lowercase CN, and the opposite applies as well, an uppercase hostname needs to match an uppercase CN.

The Fix

It’s OK if this situation occurs; you really have two choices. If this is a brand-new deployment, it may be easier to redeploy the VCSA and pay attention to the step where the hostname is applied. If that doesn’t apply and you just want to fix it, then follow along…

Connect to the VCSA over SSH. Ensure SSH is enabled on the VCSA first; you can enable it from the Virtual Appliance Management Interface (VAMI) (fqdn:5480) or by logging in to the appliance’s console.

Check the current value of the Primary Network Identifier (PNID) with the following command.

/usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost

Set the PNID to the same name, but with the case changed as appropriate, using the following command.

/usr/lib/vmware-vmafd/bin/vmafd-cli set-pnid --server-name localhost --pnid <pnid>

Reboot the VCSA by typing the following.

reboot

Get up and take a short break…

To verify the change, log in to the vSphere Client > Menu > Inventory. The VCSA name should now match the case you set on the command line. At this point, it should be safe to apply the TLS certificates without receiving the warning.
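Before uploading a certificate, it is worth checking byte-for-byte that its CN matches the PNID, because the error message above does not tell you whether only the case differs (fixable with set-pnid, as in the steps above) or the name is wrong altogether (which needs a new CSR). The following pre-flight check is an added example, not part of the original post. It assumes POSIX sh, openssl on the PATH for reading the CN out of a PEM file, and the vmafd-cli path given in the steps above; the hostnames used in the comments are constructed.

```sh
#!/bin/sh
# Added example (not from the original post): pre-flight check that a
# certificate's CN matches the vCenter PNID exactly, case included.
# Assumptions: POSIX sh; openssl on PATH; vmafd-cli at the path from the post.

VMAFD_CLI=/usr/lib/vmware-vmafd/bin/vmafd-cli

# Print the CN of a PEM certificate. Uses the RFC2253 subject form so the
# output is "subject=CN=value,..." regardless of openssl version.
extract_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" 2>/dev/null \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Classify a CN against a PNID. Prints one of:
#   match          (exit 0)  identical, safe to upload
#   case-mismatch  (exit 1)  same name, different case: the situation in the post
#   name-mismatch  (exit 2)  a different name entirely
classify_cn() {
    cn=$1
    pnid=$2
    if [ "$cn" = "$pnid" ]; then
        echo match
        return 0
    fi
    # Fold both to lowercase; if they agree now, only the case differed.
    cn_lc=$(printf '%s' "$cn" | tr '[:upper:]' '[:lower:]')
    pnid_lc=$(printf '%s' "$pnid" | tr '[:upper:]' '[:lower:]')
    if [ "$cn_lc" = "$pnid_lc" ]; then
        echo case-mismatch
        return 1
    fi
    echo name-mismatch
    return 2
}

# Driver: check_cert_vs_pnid CERT.pem [PNID]
# When PNID is omitted it is read from vmafd-cli on the appliance itself.
# Exit status is that of classify_cn (3 if the CN could not be read).
check_cert_vs_pnid() {
    cert=$1
    pnid=${2:-$("$VMAFD_CLI" get-pnid --server-name localhost)}
    cn=$(extract_cn "$cert")
    [ -n "$cn" ] || { echo "could not read CN from $cert" >&2; return 3; }
    result=$(classify_cn "$cn" "$pnid")
    status=$?
    case $result in
        match)
            echo "OK: certificate CN '$cn' matches PNID '$pnid'" ;;
        case-mismatch)
            echo "Case mismatch: CN '$cn' vs PNID '$pnid'."
            echo "Fix on the appliance, then reboot:"
            echo "  $VMAFD_CLI set-pnid --server-name localhost --pnid $cn" ;;
        name-mismatch)
            echo "Name mismatch: CN '$cn' vs PNID '$pnid'."
            echo "A new CSR with CN=$pnid is needed; set-pnid will not help." ;;
    esac
    return "$status"
}

# Run the check when invoked with arguments, e.g.:
#   sh check_pnid.sh vcsa.pem                      (on the VCSA)
#   sh check_pnid.sh vcsa.pem vcsa.aaronrombaut.com (anywhere, PNID given)
if [ "$#" -ge 1 ]; then
    check_cert_vs_pnid "$@"
fi
```

Run it on the appliance with just the certificate path and it reads the PNID for you; run it elsewhere by passing the PNID you got from get-pnid as the second argument. The exit status lets you gate a scripted certificate upload on a zero result.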

I have found that on newer vCenters one more step is needed. It may be required only on newer versions, and it may even be safe to apply everywhere, but I don’t have the time to install x versions of VCSA and test.

Log on to the vSphere Client and navigate to Home > Inventory > <choose a vCenter> > Configure > Settings > General > Edit > Runtime settings.

Change the vCenter Server Name and then click Save. Reboot the appliance.

You can now definitely install the TLS certificates!
