This issue occurs when the Certificate Manager Utility generates an incorrect certificate signing request (CSR) for the root signing certificate in vCenter Server 6.0 Update 2.
Notes:
- In 6.0 Update 1b and earlier, the CSR is generated by copying the attributes from the existing default VMCA root certificate, which already has the required extensions.
- In 6.0 Update 2, the CSR is generated using a *.cfg file to specify company data as part of the Subject of the VMCA Root.
This change did not account for the fields required on a VMCA signing certificate, so the resulting CSR does not include the Key Usage and CA:True values.
Note: For more information on key usage, see the Additional Information section below.
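
One way to catch such a CSR before it is submitted to the signing CA, as an added example that is not VMware's own code. It assumes the `openssl` CLI is available; the function names, file names and Subject values are constructed for the demonstration, the sample config is in OpenSSL format rather than the Certificate Manager's own *.cfg, and "Certificate Sign" is taken as the Key Usage value a CA certificate needs.

```shell
# Added example. Returns 0 only if the CSR requests both values a CA
# certificate needs: basicConstraints CA:TRUE and a keyUsage containing
# Certificate Sign (keyCertSign). Returns 2 if the file is not a readable CSR.
csr_has_ca_extensions() {
    csr_text=$(openssl req -in "$1" -noout -text 2>/dev/null) || return 2
    printf '%s\n' "$csr_text" | grep -q 'CA:TRUE' || return 1
    printf '%s\n' "$csr_text" | grep -q 'Certificate Sign' || return 1
}

# Writes two constructed CSRs into directory $1: one built from Subject data
# only (the failure mode described above) and one that also requests the CA
# extensions. Names and Subject values are made up for the demonstration.
make_sample_csrs() {
    cat > "$1/subject_only.cfg" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
C = US
O = Example Corp
CN = Example VMCA Root
EOF
    cat "$1/subject_only.cfg" - > "$1/with_ext.cfg" <<'EOF'
[ v3_req ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
EOF
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/a.key" \
        -config "$1/subject_only.cfg" -out "$1/subject_only.csr" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/b.key" \
        -config "$1/with_ext.cfg" -reqexts v3_req \
        -out "$1/with_ext.csr" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_sample_csrs "$demo_dir"
for csr in "$demo_dir/subject_only.csr" "$demo_dir/with_ext.csr"; do
    if csr_has_ca_extensions "$csr"; then
        echo "ok: ${csr##*/} requests CA:TRUE and Certificate Sign"
    else
        echo "reject: ${csr##*/} is missing CA:TRUE or Certificate Sign"
    fi
done
rm -rf "$demo_dir"
```

The same check applies to the certificate returned by the CA: replace `openssl req` with `openssl x509` to confirm the issued root still carries both values.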