How to replace an expired data-encipherment certificate on vCenter Server
Article ID: 312152

Products

VMware vCenter Server

Issue/Introduction

  • This article provides the steps to regenerate the certificate in the "data-encipherment" VECS store on vCenter Server with a new certificate signed by the VMware Certificate Authority (VMCA).
  • The certificate in the "data-encipherment" store is used by the VPXD service for Guest OS Customization.


Environment

VMware vCenter Server 7.0.x
VMware vCenter Server Appliance 6.7.x

Resolution

Follow any one of the methods below to replace the certificate.


Scripted method to replace the data-encipherment certificate

  • Download the attached fix_encipherment_cert.sh script from this article and upload it to the /tmp folder on the vCenter Server.
    • If the SCP client's connection to the vCenter is rejected, run the command "chsh -s /bin/bash" from an SSH session to change the shell, then retry the upload.
    • You may also create the file with vi and paste the contents of the script into it (e.g. vi /tmp/fix_encipherment_cert.sh).
  • Connect to the vCenter Server with an SSH session.
  • Navigate to the /tmp directory:

cd /tmp

  • Run chmod +x fix_encipherment_cert.sh to make the file executable.
  • Run ./fix_encipherment_cert.sh
  • Restart the VPXD service for the changes to take effect, otherwise Guest OS Customization might fail:

service-control --stop vpxd
service-control --start vpxd

Important Note:
  • If there are any existing Windows Customization Specifications in the vCenter database, you need to edit the Admin/Domain passwords in those Customization Specifications after updating the data-encipherment certificate. Otherwise, when those Customization Specifications are used to customize a Windows VM, the updated certificate can cause the error "The public key in the specification does not match the vCenter public key. You have to reenter the password in order to proceed."
  • You may also create new Windows Customization Specifications to avoid the password problem in the existing ones.

Manual method to replace the data-encipherment certificate (appliance)

  • Take a backup of the old certificate and private key:

/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store data-encipherment --alias data-encipherment --output /tmp/old-data-encipherment.crt

/usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store data-encipherment --alias data-encipherment --output /tmp/old-data-encipherment.key

  • Delete the existing certificate from the VECS store:

/usr/lib/vmware-vmafd/bin/vecs-cli entry delete -y --store data-encipherment --alias data-encipherment

  • List the VECS store and confirm that it is empty:

/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store data-encipherment

  • Generate a new certificate using the existing private key and add it to the VECS store.
Note: the --genCIScert switch in certool automatically adds the new certificate to the certificate store.

/usr/lib/vmware-vmca/bin/certool --server=<PSC_FQDN> --genCIScert --dataencipherment --privkey=/tmp/old-data-encipherment.key --cert=/tmp/tmp-data-encipherment.crt --Name=data-encipherment --FQDN=<VC_FQDN>


Note:
<PSC_FQDN>
For vCenter Server 6.7 - Replace this value with the FQDN of the Platform Services Controller if vCenter is running with an external PSC, or use the FQDN of the vCenter Server if the PSC is embedded.
For vCenter Server 7.0 - Replace this value with the VC FQDN or with "localhost".

<VC_FQDN>
Replace this value with the FQDN/PNID of the vCenter Server.

  • Verify the new certificate using the command below:

/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store data-encipherment --text | egrep 'Alias|Serial Number:|Subject:|Not Before|Not After'

  • Restart the VPXD service for the changes to take effect, otherwise Guest OS Customization might fail:

service-control --stop vpxd
service-control --start vpxd


Manual method to replace the data-encipherment certificate (Windows)

  • Take a backup of the old certificate and private key:

"%VMWARE_CIS_HOME%"\vmafdd\vecs-cli entry getcert --store data-encipherment --alias data-encipherment --output c:\tmp\old-data-encipherment.crt

"%VMWARE_CIS_HOME%"\vmafdd\vecs-cli entry getkey --store data-encipherment --alias data-encipherment --output c:\tmp\old-data-encipherment.key

  • Delete the existing certificate from the VECS store:

"%VMWARE_CIS_HOME%"\vmafdd\vecs-cli entry delete -y --store data-encipherment --alias data-encipherment

  • List the VECS store and confirm that it is empty:

"%VMWARE_CIS_HOME%"\vmafdd\vecs-cli entry list --store data-encipherment

  • Generate a new certificate using the existing private key and add it to the VECS store.
Note: the --genCIScert switch in certool automatically adds the new certificate to the certificate store.

"%VMWARE_CIS_HOME%"\vmcad\certool --server=<PSC_FQDN> --genCIScert --dataencipherment --privkey=c:\tmp\old-data-encipherment.key --cert=c:\tmp\tmp-data-encipherment.crt --Name=data-encipherment --FQDN=<VC_FQDN>


Note:
<PSC_FQDN>
For vCenter Server 6.7 - Replace this value with the FQDN of the Platform Services Controller if vCenter is running with an external PSC, or use the FQDN of the vCenter Server if the PSC is embedded.
For vCenter Server 7.0 - Replace this value with the VC FQDN or with "localhost".

<VC_FQDN>
Replace this value with the FQDN/PNID of the vCenter Server.

  • Verify the new certificate using the command below (findstr is used here because egrep is not available in a Windows command prompt):

"%VMWARE_CIS_HOME%"\vmafdd\vecs-cli entry list --store data-encipherment --text | findstr /C:"Alias" /C:"Serial Number:" /C:"Subject:" /C:"Not Before" /C:"Not After"

  • Restart the VPXD service for the changes to take effect, otherwise Guest OS Customization might fail:

cd C:\Program Files\VMware\vCenter Server\bin
service-control --stop vpxd
service-control --start vpxd


Important Note:
  • If there are any existing Windows Customization Specifications in the vCenter database, you need to edit the Admin/Domain passwords in those Customization Specifications after updating the data-encipherment certificate. Otherwise, when those Customization Specifications are used to customize a Windows VM, the updated certificate can cause the error "The public key in the specification does not match the vCenter public key. You have to reenter the password in order to proceed."
  • You may also create new Windows Customization Specifications to avoid the password problem in the existing ones.
  • The data-encipherment certificate is issued by the VMCA root certificate. The validity end date of the new data-encipherment certificate is the same as that of the root certificate.
  • The data-encipherment certificate can be updated automatically during a VC upgrade/update on the following paths:

    Upgrade from 6.7x to 7.0U3i (70P06) or above 7.0U3i (70P06) and below 7.0U3o (70P08)
    Upgrade from 7.0x to 8.0GA or above 8.0GA and below 8.0U3

    On the following upgrade/update paths, the certificate is updated only when it is expired or will expire within one year, to avoid the extra time cost when a certificate update is unnecessary:

    Upgrade from 7.0x to 8.0U3 or above 8.0U3
    Update/patch from 7.0x to 7.0U3o (70P08) or above 7.0U3o (70P08)
    Update/patch from 8.0x to 8.0U2 or above 8.0U2
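The following is an added example, not part of the KB article or its attached script, that wraps the manual method's checks: it reads the "Not After" value from the vecs-cli --text listing used in the verification step, applies the same one-year threshold the upgrade paths above use to decide whether the entry needs replacing, and, after the certool --privkey step, confirms that the reused private key and the installed certificate carry the same public key. It assumes GNU date (as on the Photon OS appliance) and openssl on the PATH; for the Windows method, substitute the "%VMWARE_CIS_HOME%" paths and run the openssl comparison on an appliance or Linux host.

```shell
#!/bin/bash
# Added example (not from the KB article or its attached script): checks around
# the manual method. Assumes GNU date (Photon OS appliance) and openssl on PATH.
VECS_CLI=/usr/lib/vmware-vmafd/bin/vecs-cli   # appliance path used in the article

# Pull the "Not After" value out of `vecs-cli entry list --text` output on stdin.
not_after_from_text() {
    sed -n 's/^[[:space:]]*Not After[[:space:]]*:[[:space:]]*//p' | head -n 1
}

# Signed number of whole days from now until the given date string.
days_until_expiry() {
    local exp now
    exp=$(date -u -d "$1" +%s) || return 1
    now=$(date -u +%s)
    echo $(( (exp - now) / 86400 ))
}

# True (exit 0) when the certificate is expired or expires within one year,
# the same threshold the upgrade paths above apply.
needs_renewal() {
    local days
    days=$(days_until_expiry "$1") || return 2
    [ "$days" -lt 365 ]
}

# After certool --genCIScert: the reused private key and the certificate now
# in the store must carry the same public key.
key_matches_cert() {
    local k c
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# CONSTRUCTED sample of the --text listing, so the parser can be tried offline.
SAMPLE_LISTING='Alias : data-encipherment
        Serial Number: 0a
        Subject: CN=data-encipherment, C=US
        Not Before: Jan  1 00:00:00 2020 GMT
        Not After : Jan  1 00:00:00 2022 GMT'

# Live run on the appliance: report whether the store entry should be replaced.
check_store() {
    local na
    na=$("$VECS_CLI" entry list --store data-encipherment --text | not_after_from_text)
    if needs_renewal "$na"; then echo "renew: data-encipherment expires $na"
    else echo "ok: data-encipherment expires $na"; fi
}
```

Run check_store before the backup step, and key_matches_cert /tmp/old-data-encipherment.key /tmp/tmp-data-encipherment.crt after the certool step; a mismatch means the certificate in the store does not belong to the key VPXD will use.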
Attachments

fix_encipherment_cert.sh