SDS and SMS fail when using CA issued certs on VCSA

Today I was deploying the VCSA and thought I’d be smart enough to generate trusted certs for each of the services. Simple, right? There’s even a KB Article for it.

The issue I had when I got to the end of the process was that the “VMware vCenter Storage Monitoring Service” and “VMware vSphere Profile-driven Storage Service” were showing as failed in vCenter Service Status. After confirming the services were running, I noticed that the web service was returning a 503 (Service Unavailable) error. After tearing my hair out and trawling through VMware community threads and KB articles, I finally found the problem: the OpenSSL version I used!

It was completely my own fault: instead of using the 0.9.8 version that is clearly stated in the KB article, I used the latest version, thinking there would be no issue doing this. The difference is that the key is generated in PKCS8 format in newer OpenSSL builds, which is not supported by vCenter components. Having found this out, I simply had to convert the keys to PKCS1 format, following the steps in the KB article in the “Requirements for the certificates used by vCenter Server Appliance” section.

So let this be a warning to you: save yourself some pain and hair loss, and read the article properly the first time! But know that if you do use a newer version of OpenSSL, this is simple enough to fix.
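A quick way to tell which encoding a key file uses before installing it, as an added example that is not from the original post or the KB article. The helper names `key_format` and `to_pkcs1` are hypothetical, and the `-traditional` flag (needed on OpenSSL 3.x, which writes PKCS8 from `openssl rsa` by default) is an addition not mentioned in the post.

```shell
#!/bin/sh
# Added example: classify PEM private keys by encoding and convert PKCS8 to PKCS1.
# Function names are hypothetical; key file paths are supplied by the caller.

# Print the encoding implied by the first private-key armor line in file $1.
key_format() {
    header=$(sed -n '/^-----BEGIN .*PRIVATE KEY-----/{p;q;}' "$1" | tr -d '\r')
    case "$header" in
        '-----BEGIN RSA PRIVATE KEY-----')       echo pkcs1 ;;            # traditional RSA key
        '-----BEGIN PRIVATE KEY-----')           echo pkcs8 ;;            # unencrypted PKCS8
        '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo pkcs8-encrypted ;;  # passphrase-protected PKCS8
        *)                                       echo unknown ;;          # no recognised key armor
    esac
}

# Rewrite RSA key $1 as PKCS1 into $2, then confirm the result by its armor line.
# Builds where "openssl rsa" still writes PKCS8 are retried with -traditional.
to_pkcs1() (
    umask 077   # keep the rewritten private key readable by the owner only
    openssl rsa -in "$1" -out "$2" || exit 1
    [ "$(key_format "$2")" = pkcs1 ] && exit 0
    openssl rsa -traditional -in "$1" -out "$2" && [ "$(key_format "$2")" = pkcs1 ]
)

# When run with key files as arguments, report each file's encoding.
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(key_format "$f")"
done
```

Any file reported as `pkcs8` needs converting before the services will accept it; `to_pkcs1 old.key new.key` writes the converted copy to a new file and leaves the original untouched.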