When integrating a Microsoft Certificate Authority (CA) with VMware Cloud Foundation (VCF) Operations / Fleet Management in VCF 9.0, you may hit a frustrating blocker: the “Configure Certificate Authority for VCF Management” wizard fails with:
“Certificate authorities update failed”
This is documented in Broadcom KB 406901 and, importantly, it’s not always a connectivity or permissions problem—it can be a password character parsing issue.
What you’ll see
UI symptom
In the Configure Certificate Authority for VCF Management wizard, the validation/update step fails with:
- Certificate authorities update failed
Log symptom (Fleet Management / VCF Operations appliance)
On the VCF Operations appliance, you’ll typically find a 401 Unauthorized in:
/var/log/vrlcm/vmware_vrlcm.log
Example (as shown in the KB):
Exception occurred while trying to validate Microsoft CAHttpClientErrorException$Unauthorized: 401 Unauthorized401 - Unauthorized: Access is denied due to invalid credentials.
At first glance, this looks like wrong credentials or insufficient permissions. But KB 406901 highlights a very specific trigger.
Root cause (the “gotcha”)
This is a known issue with special characters in the CA service account password, specifically:
#or&
Even if the username/password are correct, the wizard’s CA validation request can fail in a way that surfaces as a 401 Unauthorized.
Resolution / Workaround (what to do now)
1) Reset the service account password
Change the Microsoft CA service account password to a value that does NOT contain:
#&
Use a “safe” password character set (letters + numbers is the simplest) to avoid re-triggering the issue.
2) Re-run (or re-save) the CA configuration in the wizard
Go back to the Configure Certificate Authority for VCF Management wizard, enter the updated credentials, and run the validation/update again.
