When following Dell KB article 77894: VxRail: How to manually import vCenter SSL certificate on VxRail Manager
to manually import vCenter server certificate, it shows error when converting the .r files:
#openssl crl -outform der -in /tmp/certificates/certs/lin/e1f7261b.r1 -out newcrltfile1
unable to load CRL
#cert_util_init.py script failed with error:
Failed to find a matching root CA Certificate/CRL set that could verify vCenter certificate
Failed to installed vCenter certificate with Chrome, error:
The Private Key for this Client Certificate is missing or invalid OR Invalid or corrupt file
vCenter root Certificate CRL file is empty or corrupted.
How to check if this is the issue:
- Download and extract the latest vCenter root certificate (https://kb.vmware.com/s/article/2108294).
- Check if any CRL file is empty or corrupted. (screenshot below)
- SSH to PSC and vCenter with root credential.
- Change to directory /etc/ssl/certs.
- Check if any .r file is 0 bytes or corrupted.
To resolve this issue:
- If any empty or corrupted CRL file is found on the PSC and or vCenter, take OFFLINE snapshots for PSC and vCenter before proceeding further.
- Follow instructions from VMware KB article 59555 to run fix_crl.sh script (https://kb.vmware.com/s/article/59555). The script should be performed on both VCSA and PSC.
- On vCenter, go to folder /etc/vmware-vpx/docRoot/certs.
- If the empty (0 bytes) or corrupted CRL files still exist, DELETE the file from this directory.
- Reboot PSC and vCenter after fix_crl.sh.
- Reimport vCenter root certificate to VxRail manager.