Symptoms
Replacing the VMware Identity Manager certificate with VMware Aria Suite Lifecycle (formerly vRealize Suite Lifecycle Manager) 8.x fails with:
Error Code: LCMVIDM72240
Failed to apply certificate on VMware Identity Manager. Refer to vRSLCM logs for further details.
Failed to apply certificate on the host <Identity Manager FQDN>. Exception message: certificate_unknown(46)
The /var/log/vrlcm/vmware_vrlcm.log file has the following exceptions:
Caused by: java.security.cert.CertificateException: Certificates do not conform to algorithm constraints
at org.bouncycastle.jsse.provider.ImportX509TrustManager_5.checkAlgorithmConstraints(ImportX509TrustManager_5.java:107)
at org.bouncycastle.jsse.provider.ImportX509TrustManager_5.checkAdditionalTrust(ImportX509TrustManager_5.java:87)
at org.bouncycastle.jsse.provider.ImportX509TrustManager_5.checkServerTrusted(ImportX509TrustManager_5.java:69)
at org.bouncycastle.jsse.provider.ProvSSLSocketWrap.checkServerTrusted(ProvSSLSocketWrap.java:126)
... 32 more
Caused by: java.security.cert.CertPathValidatorException: Certificate doesn't support 'serverAuth' ExtendedKeyUsage
Cause
The error occurs when the certificate was generated with an incorrect or missing Extended Key Usage extension. In this instance the certificate lacks the serverAuth (TLS Web Server Authentication) value in Extended Key Usage, so the TLS client in Aria Suite Lifecycle refuses to trust it for server authentication.
Resolution
To resolve the issue, regenerate the VMware Identity Manager certificate with serverAuth enabled in Extended Key Usage, then retry the certificate replacement.
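The following is an added example, not part of this KB article: an OpenSSL request configuration that puts serverAuth into Extended Key Usage, and a small check to run against the issued certificate before uploading it to Aria Suite Lifecycle. The hostname and organisation are placeholders, and the self-signed step only exists so the check has a certificate to read; in practice the CSR goes to your CA.

```shell
#!/bin/sh
# Added example (not from the KB): build a CSR whose Extended Key Usage
# contains serverAuth, and verify the EKU of a PEM certificate.
set -eu

WORK="$(mktemp -d)"

# Constructed OpenSSL config. Replace the placeholder FQDN with the real
# Identity Manager hostname (and any load-balancer alias) before use.
cat > "$WORK/vidm.cnf" <<'EOF'
[ req ]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no

[ dn ]
CN = vidm.example.invalid
O  = Example Org

[ v3_req ]
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:vidm.example.invalid
EOF

# Private key and CSR; the CSR is what you would submit to the CA.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/vidm.key" 2>/dev/null
openssl req -new -key "$WORK/vidm.key" -config "$WORK/vidm.cnf" \
    -out "$WORK/vidm.csr"

# Self-signed only so the check below has something to inspect; in
# production the CA signs the CSR. -extfile/-extensions carry v3_req over.
openssl x509 -req -in "$WORK/vidm.csr" -signkey "$WORK/vidm.key" \
    -days 365 -extfile "$WORK/vidm.cnf" -extensions v3_req \
    -out "$WORK/vidm.crt" 2>/dev/null

# Returns 0 when the certificate's EKU lists TLS Web Server Authentication
# (serverAuth), 1 otherwise. Run this on any certificate before uploading.
has_server_auth() {
    openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null \
        | grep -q 'TLS Web Server Authentication'
}

has_server_auth "$WORK/vidm.crt" && echo "serverAuth present: $WORK/vidm.crt"
```

A certificate that fails has_server_auth will produce the certificate_unknown(46) / "Certificate doesn't support 'serverAuth' ExtendedKeyUsage" failure shown above and should be reissued rather than uploaded.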