
Uemcli commands run on the Unity OE 5.5.0 CLI fail with the error "Unable to validate the specified certificate. (Error Code:0x1000100)".

    13:23:45 service@emcunity02-2 spa:~/user# uemcli /sys/general show
    Storage system address: 127.0.0.1
    Storage system port: 443
    HTTPS connection
    Operation failed. Error code: 0x1000100
    Unable to validate the specified certificate. (Error Code:0x1000100)

The Unity has a 3rd party CA signed certificate imported.

The inability to execute uemcli commands causes pre-upgrade health checks to fail.

    -------------------------------------Errors-------------------------------------
    Platform: Check import session exists
    The command to get server interfaces failed.
    * Command: uemcli -noHeader -sslPolicy accept /import/session show -detail
    * Command output: Operation failed. Error code: 0x1000100
    Unable to validate the specified certificate. (Error Code:0x1000100)
    * Command exit code: 1
    Action : Use the command output and exit code to investigate the problem. Run the command manually if needed to investigate further. Escalate this issue through your support organization if needed. Provide this output in the escalation.
    ERROR_CODE=platform::check_import_session_exists_1|Error|uemcli -noHeader -sslPolicy accept /import/session show -detail|Operation failed. Error code: 0x1000100
    Unable to validate the specified certificate. (Error Code:0x1000100)
    |1
    <snip>

Uemcli commands do not fail when run from a Windows client or a Linux client with the latest Uemcli package installed, or when run on the Unity CLI before OE 5.5.
Unity OE 5.5.0 contains a defect where the certificate validation logic fails to process intermediate certificates (non-leaf nodes) in an SSL/TLS certificate chain. This breaks secure connections, causing uemcli commands to fail.

The issue only occurs when the imported CA signed certificate chain contains a non-leaf certificate (intermediate CA certificates, the root CA certificate, or both).

There are 2 methods to confirm whether the imported certificate chain contains a CA certificate.

Method 1: Use openssl s_client -connect <Unity mgmt ip:443> -showcerts to list the certificates in the certificate chain.

    00:42:41 root@VIRT2213Y2XXXX spa:/cores/service/user# openssl s_client -connect 5.6.7.11:443 -showcerts
    CONNECTED(00000003)
    Can't use SSL_get_servername
    depth=2 DC = lab, DC = peeps, CN = peeps-PEEPS-DC-CA
    verify error:num=19:self signed certificate in certificate chain
    verify return:1
    depth=2 DC = lab, DC = peeps, CN = peeps-PEEPS-DC-CA
    verify return:1
    depth=1 DC = lab, DC = peeps, CN = peeps-WIN2022-CA
    verify return:1
    depth=0 C = IE, ST = Cork, L = Ovens, O = DellEMC, CN = peeps-pod1-unityvsa.peeps.lab
    verify return:1
    ---
    Certificate chain
     0 s:C = IE, ST = Cork, L = Ovens, O = DellEMC, CN = peeps-pod1-unityvsa.peeps.lab
       i:DC = lab, DC = peeps, CN = peeps-WIN2022-CA
    -----BEGIN CERTIFICATE-----
    <snip>
    -----END CERTIFICATE-----
     1 s:DC = lab, DC = peeps, CN = peeps-WIN2022-CA
       i:DC = lab, DC = peeps, CN = peeps-PEEPS-DC-CA
    -----BEGIN CERTIFICATE-----
    <snip>
    -----END CERTIFICATE-----
     2 s:DC = lab, DC = peeps, CN = peeps-PEEPS-DC-CA
       i:DC = lab, DC = peeps, CN = peeps-PEEPS-DC-CA
    -----BEGIN CERTIFICATE-----
    <snip>
    -----END CERTIFICATE-----

In the above case, there are 3 certificates in the certificate chain. The first certificate is the server/leaf certificate, the second one is the intermediate CA certificate, and the last one is the root CA certificate.

    Certificate chain
     0 s:C = IE, ST = Cork, L = Ovens, O = DellEMC, CN = peeps-pod1-unityvsa.peeps.lab   <-- Server certificate
       i:DC = lab, DC = peeps, CN = peeps-WIN2022-CA   <-- signed by intermediate CA server peeps-WIN2022-CA
    <snip>
     1 s:DC = lab, DC = peeps, CN = peeps-WIN2022-CA   <-- Intermediate CA certificate
       i:DC = lab, DC = peeps, CN = peeps-PEEPS-DC-CA   <-- Signed by root CA certificate
    <snip>
     2 s:DC = lab, DC = peeps, CN = peeps-PEEPS-DC-CA   <-- Root CA certificate
       i:DC = lab, DC = peeps, CN = peeps-PEEPS-DC-CA   <-- Signed by root CA certificate itself

Method 2: If you have the certificate file, run openssl x509 -in <certificate file> -text -noout | grep -E "Issuer:|Subject:" on the certificate file to list the certificates. Note that openssl x509 reads only the first certificate in a file, so the session below uses openssl crl2pkcs7 and openssl pkcs7 -print_certs to list every certificate in the file.

    02:28:55 root@VIRT2213Y2XXXX spa:/cores/service/user# openssl crl2pkcs7 -nocrl -certfile certificate.pem | openssl pkcs7 -print_certs -text -noout | grep -E "Issuer:|Subject:"
    Issuer: DC=lab, DC=peeps, CN=peeps-WIN2022-CA
    Subject: C=IE, ST=Cork, L=Ovens, O=DellEMC, CN=peeps-pod1-unityvsa.peeps.lab
    Issuer: DC=lab, DC=peeps, CN=peeps-PEEPS-DC-CA
    Subject: DC=lab, DC=peeps, CN=peeps-WIN2022-CA
    Issuer: DC=lab, DC=peeps, CN=peeps-PEEPS-DC-CA
    Subject: DC=lab, DC=peeps, CN=peeps-PEEPS-DC-CA
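One way to turn the Method 2 output into a yes/no answer, as an added example that is not part of the original article or of Dell's tooling. The function names classify_chain and has_non_leaf are hypothetical, roles are inferred from Issuer/Subject names only (not from basicConstraints), and the sample input is the Issuer/Subject lines from the Method 2 session.

```shell
#!/bin/sh
# Added example. Input: the "Issuer:" / "Subject:" lines that Method 2 prints,
# Issuer first for each certificate. Roles are inferred from names only.

# Print "<role><TAB><subject>" for each certificate read from stdin.
classify_chain() {
    awk '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t\r]+$/, "", s); return s }
        /^[ \t]*Issuer:/  { s = $0; sub(/^[ \t]*Issuer:/, "", s); issuer = trim(s); next }
        /^[ \t]*Subject:/ {
            s = $0; sub(/^[ \t]*Subject:/, "", s); s = trim(s)
            n++; subj[n] = s; iss[n] = issuer
            # Remember every name that signs a certificate other than itself.
            if (issuer != s) signs_other[issuer] = 1
            next
        }
        END {
            for (i = 1; i <= n; i++) {
                # A lone self-signed certificate is treated as the server certificate.
                if (subj[i] == iss[i])           role = (n > 1) ? "root" : "leaf"
                else if (subj[i] in signs_other) role = "intermediate"
                else                             role = "leaf"
                printf "%s\t%s\n", role, subj[i]
            }
        }'
}

# Exit 0 when stdin describes a chain with any non-leaf certificate, which is
# the condition the article ties to the OE 5.5.0 failure; exit 1 otherwise.
has_non_leaf() {
    classify_chain | grep -E "^(root|intermediate)" >/dev/null
}

# Sample input: the Issuer/Subject lines from the Method 2 session in the article.
sample_chain() {
    cat <<'EOF'
Issuer: DC=lab, DC=peeps, CN=peeps-WIN2022-CA
Subject: C=IE, ST=Cork, L=Ovens, O=DellEMC, CN=peeps-pod1-unityvsa.peeps.lab
Issuer: DC=lab, DC=peeps, CN=peeps-PEEPS-DC-CA
Subject: DC=lab, DC=peeps, CN=peeps-WIN2022-CA
Issuer: DC=lab, DC=peeps, CN=peeps-PEEPS-DC-CA
Subject: DC=lab, DC=peeps, CN=peeps-PEEPS-DC-CA
EOF
}

sample_chain | classify_chain
if sample_chain | has_non_leaf; then
    echo "chain contains non-leaf certificates"
fi
```

To check a real file, pipe the Method 2 command's output into has_non_leaf instead of sample_chain.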
Permanent fix: The issue is fixed in OE 5.5.1, which was released on Jul 31, 2025.
https://dl.dell.com/downloads/0003Y_Dell-Unity-OE-(Operating-Environment)5.5.1.0.5.025-Upgrade-file.gpg

Workaround: Follow KB000021122 to import a new certificate that only contains the server/leaf certificate.

There is another code issue with the svc_custom_cert script in 5.5.0 that would cause the import of the new certificate to fail. Please follow KB000308965 (Dell Unity: svc_custom_cert: ERROR: Could not determine private key strength) to work around the issue; the permanent fix for this issue is also included in 5.5.1.

Please note: If the Unity certificate is signed by an intermediate CA and the workaround is applied, the customer will need to make sure the intermediate CA certificates are installed on the client, otherwise the client won't be able to validate the server certificate.