Unable to Register SSO on External PSC with VMware NSX

I was in the process of setting up VMware NSX for a series that will be released soon and I experienced an issue with the appliance registering SSO. The error message I was receiving was the one below:

“NSX Management Service operation failed.(Initialization of Admin Registration Service Provider failed. Root Cause: Error occurred while registration of lookup service, com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate chain not verified)”

I managed to find a VMware KB about this issue. Basically, this was due to the fact that I had changed my default certificates to internal CA certificates but the PSC had not updated them correctly. This was an issue from vSphere 6.0 and is resolved in vCenter 6.0 U1B. If, however, you experience this issue, you can fix it using the steps below:

Note: these are the steps for an External Platform Services Controller on Windows. There are alternative steps for an Embedded PSC or, alternatively, the PSC appliance.

You will need to initially obtain the sslTrust anchor stored on the PSC. This can be obtained by running this command from a command prompt (cmd):

"%VMWARE_PYTHON_BIN%" "%VMWARE_CIS_HOME%\VMware Identity Services\lstool\scripts\" list --url https://localhost/lookupservice/sdk --no-check-cert --ep-type com.vmware.cis.cs.identity.sso 2>NUL

[Screenshot: sslTrust Anchor]

"%VMWARE_OPENSSL_BIN%" s_client -connect localhost:443

[Screenshot: PSC Current Certificate]

As you can see in the screenshots, the lookup service registration (sslTrust) and the service on port 443 are using different certificates, which is the cause of this issue. To resolve this we need to replace the sslTrust certificate.

Create a folder to store your old certificates, for example


Open the SSO MOB using the following URL – https://PSC.FQDN.LOCAL/lookupservice/mob?moid=ServiceRegistration&method=List

Log in using your [email protected] credentials.

Clear the box and Paste and Select Invoke Method.


[Screenshot: VMware MOB filterCriteria]

This will present you with a table of data. We will need to search it using Ctrl+F, pasting in the following line to obtain the relevant information –


You will need to copy the data from the sslTrust field. For example, mine starts with MIIEIDCCAwigAwIBAgIJAO7tLeilCyejMA0GCSqGSIb3D; this will be a very long value. You will need to paste this into a Notepad document and format the file correctly: press Enter after every 64th character, and add -----BEGIN CERTIFICATE----- at the start of the certificate and -----END CERTIFICATE----- at the end.

For example (Pasted from the VMware KB)

Save this file as old_machine.crt

We now need to obtain the thumbprint of the cert by running the below command –

"%VMWARE_OPENSSL_BIN%" x509 -in c:\certificates\old_machine.crt -noout -sha1 -fingerprint

You will see the following –

SHA1 Fingerprint=13:1E:60:93:E4:E6:59:31:55:EB:74:51:67:2A:99:F8:3F:04:83:88

Your value will be different, as it is the thumbprint of your own certificate.
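The Notepad formatting and fingerprint steps above can also be scripted. The following Python 3 is an added example, not part of the original post or the VMware KB; the function names are assumptions made for illustration, and the sample value is constructed placeholder bytes rather than a real certificate.

```python
import base64
import binascii
import hashlib
import ssl

# Constructed placeholder bytes standing in for a DER certificate (NOT a real
# certificate); on a real PSC, paste the sslTrust value copied from the MOB.
SAMPLE_DER = bytes(range(256)) * 3
SAMPLE_SSLTRUST = base64.b64encode(SAMPLE_DER).decode("ascii")


def ssltrust_to_der(ssltrust: str) -> bytes:
    """Decode an sslTrust value (base64 DER), tolerating copy/paste whitespace."""
    compact = "".join(ssltrust.split())
    try:
        return base64.b64decode(compact, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"sslTrust is not valid base64: {exc}") from exc


def der_to_pem(der: bytes) -> str:
    """Wrap the base64 body at 64 characters and add the PEM header/footer."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join(
        ["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"]
    ) + "\n"


def sha1_fingerprint(der: bytes) -> str:
    """SHA-1 over the DER bytes, colon-separated like openssl's -fingerprint."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def trust_anchor_matches(ssltrust: str, served_pem: str) -> bool:
    """True when the registered sslTrust is the certificate actually served."""
    return ssltrust_to_der(ssltrust) == ssl.PEM_cert_to_DER_cert(served_pem)


if __name__ == "__main__":
    der = ssltrust_to_der(SAMPLE_SSLTRUST)
    print(der_to_pem(der), end="")          # content for old_machine.crt
    print("SHA1 Fingerprint=" + sha1_fingerprint(der))
    # served_pem would come from new_machine.crt or the s_client output.
    print("match:", trust_anchor_matches(SAMPLE_SSLTRUST, der_to_pem(der)))
```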

You now need to obtain the current certificate and export it to a file. You can do that by using these commands –

"%VMWARE_CIS_HOME%"\vmafdd\vecs-cli entry list --store MACHINE_SSL_CERT --text | more

"%VMWARE_CIS_HOME%"\vmafdd\vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output c:\Certificates\new_machine.crt

You now need to run the script to replace the certificates.

You will need to replace the fingerprint below with the old certificate fingerprint that was obtained earlier.

"%VMWARE_PYTHON_BIN%" --url https://PSC.FQDN.local/lookupservice/sdk --fingerprint E6:09:33:F8:62:0E:42:E4:E6:C9:5F:77:DD:74:51:93:D4:D5:5B:1C --certfile c:\certificates\new_machine.crt --user [email protected] --password Password1

This will take a long time to complete but once this is finished you will see the below.

[Screenshot: PSC Services Updated]

You can verify the certificates now match by repeating these steps –

"%VMWARE_PYTHON_BIN%" "%VMWARE_CIS_HOME%\VMware Identity Services\lstool\scripts\" list --url https://localhost/lookupservice/sdk --no-check-cert --ep-type com.vmware.cis.cs.identity.sso 2>NUL

"%VMWARE_OPENSSL_BIN%" s_client -connect localhost:443

If this has worked correctly, you will see that your sslTrust values now match. You will now be able to register SSO with VMware NSX!

You can find more details here –

Thanks for reading!
