Note: By default, strict certificate validation is not enabled.

To enable strict certificate validation follow these steps to configure VCSA with the certificate for HTTPS / FTPS File-Based Backup or Restore features.

Backup

1. Connect to the vCenter Server Appliance using SSH with root credentials
2. Backup the /etc/applmgmt/appliance/appliance.conf file.

3. Open the /etc/applmgmt/appliance/appliance.conf file:

4. Search for the key validateCerts 
   • if the key exists, change it to "validateCerts": true
   • If the key does not exist, add "validateCerts": true under the backupRestore section.
5. Restart the appliance management service with these commands:

6. Add the CA cert or SSH host key thumb print of the target server depending on the transfer method:
   • For FTPS or HTTPS transfers, copy the CA cert to /etc/applmgmt/appliance/br_servercert.crt on the VCSA.
   • For SCP or SFTP based backup restore, copy the ssh host key thumb print of the backup server to /etc/applmgmt/appliance/br_known_hosts on the VCSA.
   • Entries should be in: IP,FQDN algorithm Key format. You may have both IP and FQDN on the same line or have two line entries one for IP and one for FQDN.
7. Start the backup of vCenter 
   • Reference: * Tech Docs: VMware vSphere - Manually Back up vCenter Server by Using the vCenter Server Management Interface

Restore

1. Begin a restore operation stopping at Stage 1.
2. Open the /etc/applmgmt/appliance/appliance.conf file with a text editor
3. Search for the key validateCerts 
   • if the key exists, change it to "validateCerts": true
   • If the key does not exist, add "validateCerts": true under the backupRestore section.
4. Restart the appliance management service with these commands:

5. Add the CA cert or SSH host key thumb print depending on the transfer method:

• For FTPS or HTTPS transfers, copy the CA cert to /etc/applmgmt/appliance/br_servercert.crt on the VCSA.
• For SCP or SFTP based backup restore, copy the ssh host key thumb print of the backup server to /etc/applmgmt/appliance/br_known_hosts on the VCSA.
  • Copy the ssh host key thumb print of the backup server to /etc/applmgmt/appliance/br_known_hosts on the VCSA by running command: $ ssh -q -p 22 -i /root/.ssh/id_rsa -o UserKnownHostsFile=/root/.ssh/br_temp_known_hosts ftpuser@10.199.67.23 echo ~
  • Now copy this file to the directory as shown : $  cp /root/.ssh/br_temp_known_hosts /etc/applmgmt/appliance/br_known_hosts
  • Remove the temp_known host file :$  rm /root/.ssh/br_temp_known_hosts /

6. Start the Restore operation with the VAMI UI on port 5480: vCenter FQDN or IP:5480 or alternatively  using the command appliancesh 

For more information on VMware Native File Based Backup/Restore:

• Overview of Backup and Restore Options in vCenter Server 6.x/7.0.x/8.0.(318731)
• Considerations and Limitations for File-Based Backup and Restore
• Back up and restore vCenter Server Appliance/vCenter Server 6.x 7.0.x 8.0.x vPostgres database(316471)

Note:

• If a custom certificate it to be used for FTPS site.
• Then it is required to provide the entire chain (root + Intermediate + FTPS_ cert ) and name it "br_servercert.crt" as mentioned in Step 5 of KB article.

Impact/Risks:
Warning:
Before making any changes to certificates, ensure you have taken proper snapshots of your SSO domain. This means that you must shut down all vCenter Servers or PSCs that are in the SSO domain at the same time, then snapshot them, and power them on again.  If you need to revert to one of these snapshots, shut all the nodes down, and revert all nodes to the snapshot. Failure to perform these steps will lead to replication problems across the PSC databases.