Replacing a vSphere 7.x Machine SSL certificate with a Custom Certificate Authority and Integration with NSX-T

After replacing the vCenter Machine SSL certificate with a custom certificate (leaf certificate + subordinate CA + root CA), adding vCenter as a compute manager in NSX-T fails with the error "Certificate chain of Compute Manager is invalid. Please check Issuer and Subject in the chain. (Error Code: 90204)", and the sync status between vCenter and the NSX-T Manager shows as down.


This happens because the certificate chain vCenter presents to NSX-T is invalid: a CA certificate in the chain has been duplicated on the vCenter side.

Resolution:

To correct the order, the two certificate fields must be filled in with the following chain layout:


For Machine SSL Certificate Field:

It must include the certificate, the subordinate CA and the root CA, in that order, like this:

-----BEGIN CERTIFICATE-----
<machine SSL (leaf) certificate, base64>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<subordinate CA certificate, base64>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<root CA certificate, base64>
-----END CERTIFICATE-----

For Chain of trusted root Certificates Field:

It must include the root CA only, like this:

-----BEGIN CERTIFICATE-----
MIIDETCCAfmgAwIBAgIQfTuqR1JsgrtKn7hv5f1/XTANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDExBGUFRDTE9VRC1ST09ULUNBMB4XDTIxMDIxNTE0MTkwM1oXDTQxMDIxNTE0MjkwM1owGzEZMBcGA1UEAxMQRlBUQ0xPVUQtUk9PVC1DQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANr0Uz6QgB6BwLsR1TAUoFkEydnVmH+kaLjTiS+1xLy8kAeMOrS3Lir0dhxNHPr5WItW4QcCt95ZfItegW1HY70jsNFVrnPfFWArYc62GbTSfmsQH4hdlTw/2HNzITl3y6i8N09NZYoMWwc/Sbb60Hpc4/RqMeA92XCrto2/gmQvAtdCVr86PvQ/DUFU1/94kapD7qWx6aPPHtUI9P5CnHmQlHVZKGAmxiVL9hK4mWGbcEiY/Cx3T3u9TZaOjrmAf55PBP4DtLYIFs/v0CvnSwRTyIlBEQ/sv/HVASbFISxDlKdFdPPfdslkjldsBvmEQGSsI0Zo4w9JrqqaE4Ndpt0CAwEAAaNR
-----END CERTIFICATE-----

Note: If this field includes the root CA plus the subordinate CA, the subordinate CA becomes a duplicated entry in vCenter, and the NSX-T Manager will not be able to read the thumbprint from vCenter. Because of a security enhancement, NSX-T refuses to connect to a vCenter whose certificate chain is invalid, even though vCenter itself may show everything green. You can see the problem by fetching the chain vCenter serves with openssl: with root + subordinate CA in this field, the subordinate CA certificate appears twice in the output, and the thumbprint is therefore invalid. The command to check the chain is:
openssl s_client -showcerts -connect <VC-IP>:443 </dev/null
The output should show a valid chain: the machine SSL certificate, then the subordinate CA, then the root CA, with each certificate appearing only once.

For Private key:

Paste the private key that matches the machine SSL certificate, in PEM (BEGIN PRIVATE KEY, i.e. PKCS#8) form:

-----BEGIN PRIVATE KEY-----
<private key, base64>
-----END PRIVATE KEY-----



Once the certificates are replaced, go to the NSX-T Manager, open Compute Managers, and re-register vCenter.


Click Save; the Registration Status should show Registered and the Connection Status should show Up.







