How to replace the vCenter Server Solution User certificates with VMCA issued certificate

Products

VMware vCenter Server

Issue/Introduction

This article explains how to regenerate new vSphere 6/7/8.x Solution User certificates from the VMware Certificate Authority (VMCA).
The certificates generated is issued from the current VMCA Root Certificate. You may want to configure VMCA as a Subordinate Certificate Authority of an existing Certificate Authority. For more information on this procedure, see Configuring vSphere 6.0 VMware Certificate Authority as a subordinate Certificate Authority (2112016).

Notes:

The vSphere 6/7/8.x Solution Users use SSL Certificates for internal communication and endpoint registration.

If you are using vCenter Server 6 with an embedded Platform Services Controller, there are four Solution User Certificates:
- machine
- vpxd
- vpxd-extension
- vsphere-webclient

On a vCenter server 7 and 8 with an embedded Platform Services Controller, there are 6 Solution User Certificates.

- machine
- vsphere-webclient
- vpxd
- vpxd-extension
- hvc
- wcp

Environment

VMware vCenter Server Appliance 6.x
VMware vCenter Server Appliance 7.x
VMware vCenter Server Appliance 8.x

Resolution

Note: A new improved certificate management/replace tool vCert - Scripted vCenter Expired Certificate Replacement is available. You are encouraged to use vCert to manage all the certificates and related workflows including the workflow of replacing Solution User Certificates.

Using vCert Tool to manage and replace Solution User Certificates on vCenter Server Appliance

Download and install vCert on the vCenter Server Appliance as described in Installation Section.
Viewing details for the current Solution User certificates
- Use Option 2 - Solution User certificates from the menu 2: View Certificate Info
Replacing Solution User certificates.
- Use the Option 2 - Solution User certificates from the menu 3: Manage Certificates.
- This option replaces the Solution User certificates in VECS and updates the Service Principal entries in VMware Directory. The vpxd-extension thumbprints are updated in vCenter database. A VMCA-signed certificate or custom CA-signed certificate can be used.

Using Certificate Manager tool to replace Solution User certificates (Deprecated workflow)

To replace the vSphere 6/7/8.x Solution User certificates with VMware Certificate Authority issued certificates:

NOTE: Ensure to take a no memory snapshot of the vCenter Server if it is standalone or powered off snapshots off all vCenter Servers if they are in Enhanced Linked Mode (ELM)

Launch the vSphere 6/7/8.x Certificate Manager by executing the following command in SSH of the vCenter Server,

For vCenter Server 6/7/8.x Appliance:

/usr/lib/vmware-vmca/bin/certificate-manager

For Windows vCenter Server 6.0:

C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager
Select Option 6 (Replace Solution user certificates with VMCA Certificates)
Type Yes (Y) to the confirmation request to proceed.
Provide the administrator@vsphere.local password when prompted.

Notes:

Further steps may be required to update EAM service after replacing the certificates. For more information, see After replacing the vCenter Server certificates in VMware vSphere 6.0, the ESX Agent Manager solution user fails to log in (318255).

This task replaces the Solution User Certificates with VMCA issued certificates.

If you are running an external Platform Services Controller you will need to restart the services of the external vCenter Server 6.0 and then optionally proceed with replacing the Solution User Certificates of the vCenter Server 6.0.

Additional Information

Use below command to confirm the hostname/ vCenter server PNID that should ideally be used to re-generate certificates.

vCenter server Appliance :

/usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost

Windows based vCenter server :

"C:\Program Files\VMware\vCenter Server\vmafdd"\vmafd-cli get-pnid --server-name localhost

2. Use below command to confirm the domain-name of the vCenter server.

vCenter server Appliance :

/usr/lib/vmware-vmafd/bin/vmafd-cli get-domain-name --server-name localhost

Windows based vCenter server :

"C:\Program Files\VMware\vCenter Server\vmafdd"\vmafd-cli get-domain-name --server-name localhost