"error 20 at 0 depth lookup:unable to get local issuer certificate" when replacing Machine SSL or Solution user certificate with custom certificate

Article ID: 322194

Products

VMware VMware vCenter Server VMware vSphere ESXi

Issue/Introduction

Symptoms:
  • When replacing the Machine SSL or Solution user certificate with a custom certificate, you see a message similar to:

    error message:
    <Certificate location>: C = XX, ST = XXXX, L = XXX, O = XX XX, OU = XXX, CN = machine_Name
    error 20 at 0 depth lookup:unable to get local issuer certificate


  • The error message also appears in the certificate-manager.log file.

    On the appliance:

    /var/log/vmware/vmcad/certificate-manager.log

    On Windows:

    C:\ProgramData\VMware\vCenterServer\logs\vmca\certificate-manager.log


Environment

VMware Update Manager 6.0
VMware vCenter Server 6.0.x
VMware vCenter Server Appliance 6.0.x
VMware vSphere ESXi 6.0
VMware vCenter Converter Standalone 6.x

Cause

This error is raised by OpenSSL, which the certificate-manager tool uses.

The issue occurs because the certificate chain provided while replacing the certificate is not complete.

Resolution

To resolve "error 20 at 0 depth lookup:unable to get local issuer certificate" when replacing the Machine SSL or Solution user certificate with a custom certificate, follow the steps below:

  1. Open the component, intermediate and root certificate files in Notepad or the vi editor.
  2. Copy the content of the intermediate certificate and the root certificate.
    Note: The certificate file will have the order component > Intermediate > root.
  3. Open the component file, paste the content copied in step 2 at the end of the component certificate file and click Save.
  4. Create a new file, add the content of the intermediate certificate file and the root certificate file, and click Save. This file has the order Intermediate > root.
  5. When the certificate-manager tool asks for the certificate you are trying to replace, use the component certificate saved in step 3, which is the component > Intermediate > root chain.
  6. When the certificate-manager tool asks for the Root Certificate, use the root certificates file saved in step 4, which is the Intermediate > root chain.
  7. Replace the Machine SSL or Solution user certificate. For more information, see Replacing a vSphere 6.x Machine SSL certificate with a Custom Certificate Authority Signed Certificate.
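
The file assembly from steps 3 and 4 can also be scripted and checked with OpenSSL before the files are handed to certificate-manager. The following is an added example, not part of the original article or of VMware's tooling; it assumes PEM-encoded certificates, and the file names in the usage comment are placeholders. It also strips carriage returns and blank lines and restores a missing final newline, which copy-and-paste editing can leave behind.

```shell
#!/bin/sh
# Added example. File names in the usage comment are placeholders.

# Print PEM files in the given order, dropping CRs and blank lines and
# ending every line with a newline so that blocks never run together.
concat_pem() {
    for f in "$@"; do
        [ -r "$f" ] || { echo "cannot read: $f" >&2; return 1; }
        tr -d '\r' < "$f" | awk 'NF'
    done
}

# Step 3: component > intermediate > root
build_component_chain() {   # args: component intermediate root outfile
    concat_pem "$1" "$2" "$3" > "$4"
}

# Step 4: intermediate > root
build_root_chain() {        # args: intermediate root outfile
    concat_pem "$1" "$2" > "$3"
}

# Number of certificates in a PEM file (expect 3 and 2 respectively).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# List subject and issuer of each certificate in file order; each issuer
# should match the subject of the certificate that follows it.
show_chain() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Verify the first (component) certificate against the step 4 file.
# The output is checked too, so the result does not rest on exit status alone.
verify_chain() {            # args: root_chain_file component_chain_file
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
    printf '%s\n' "$out"
    printf '%s\n' "$out" | grep -q ': OK$' &&
        ! printf '%s\n' "$out" | grep -q 'error [0-9]'
}

# Usage:
#   build_component_chain machine_ssl.cer intermediate.cer root.cer machine_ssl_chain.cer
#   build_root_chain intermediate.cer root.cer root_chain.cer
#   show_chain machine_ssl_chain.cer
#   verify_chain root_chain.cer machine_ssl_chain.cer
```

If `verify_chain` still prints "error 20 at 0 depth lookup", the step 4 file does not contain the certificate that issued the component certificate.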


Additional Information

Resolution: "error 2 at 1 depth lookup: unable to get issuer certificate."