ESXi 7.x to 8.0 Upgrade – Identifying SHA1 Certificates with Confidence When KB313460 and KB399843 Fall Short

You are upgrading vCenter and ESXi from 7.x to 8.0 U3. The precheck fails on the ESXi side with a weak certificate signature error. SHA1 certificates somewhere on the hosts. Broadcom has KBs for this. KB 313460 and KB 399843. You follow them. You run the commands. The cert is still there. Or you cannot tell which one to remove.

This post is about why the standard commands fall short, and the openssl method that closes the gap. Tested in a real production environment during an ESXi 7.x to 8.0 U3 upgrade. Not a lab.


The Error

The detection script from KB 313460, called vsphere8_upgrade_certificate_checks.py, returns errors like this on ESXi hosts:
