How to replace the vSphere 6/7/8.x Solution User certs with VMCA issued certs


Article ID: 313947


Products

VMware vCenter Server

Issue/Introduction

This article explains how to regenerate new vSphere 6/7/8.x Solution User certificates from the VMware Certificate Authority (VMCA).

 
The generated certificates are issued from the current VMCA Root Certificate. You may want to configure VMCA as a Subordinate Certificate Authority of an existing Certificate Authority. For more information on this procedure, see Configuring vSphere 6.0 VMware Certificate Authority as a subordinate Certificate Authority (2112016).
 
Notes:
  • The vSphere 6/7/8.x Solution Users use SSL Certificates for internal communication and endpoint registration.
  • If you are using vCenter Server 6 with an embedded Platform Services Controller, there are four Solution User Certificates:
    • machine
    • vpxd
    • vpxd-extension
    • vsphere-webclient
  • On vCenter Server 7 and 8 with an embedded Platform Services Controller, there are 6 Solution User Certificates:
    • machine
    • vsphere-webclient
    • vpxd
    • vpxd-extension
    • hvc
    • wcp

Environment

VMware vCenter Server Appliance 6.x
VMware vCenter Server Appliance 7.x
VMware vCenter Server Appliance 8.x

Resolution

To replace the vSphere 6/7/8.x Solution User certificates with VMware Certificate Authority issued certificates:
  1. Launch the vSphere 6/7/8.x Certificate Manager.

    For vCenter Server 6/7/8.x Appliance:

    /usr/lib/vmware-vmca/bin/certificate-manager

    For Windows vCenter Server 6.0:

    C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager
     
  2. Select Option 6 (Replace Solution user certificates with VMCA Certificates)
     
  3. Type Yes (Y) to the confirmation request to proceed.
  4. Provide the [email protected] password when prompted.

    Notes:



Additional Information

Use the following command to confirm the hostname/vCenter Server PNID that should ideally be used to regenerate certificates.

vCenter Server Appliance:

/usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost

Windows-based vCenter Server:

"C:\Program Files\VMware\vCenter Server\vmafdd"\vmafd-cli get-pnid --server-name localhost

 

Use the following command to confirm the domain name of the vCenter Server.

vCenter Server Appliance:

/usr/lib/vmware-vmafd/bin/vmafd-cli get-domain-name --server-name localhost

Windows-based vCenter Server:

"C:\Program Files\VMware\vCenter Server\vmafdd"\vmafd-cli get-domain-name --server-name localhost
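
After Option 6 in the Resolution steps completes, each Solution User store can be read back from VECS to confirm that a certificate is present and to see its issuer and expiry. The script below is an added example, not part of the original article or of VMware's tooling; it assumes vecs-cli is at /usr/lib/vmware-vmafd/bin/vecs-cli and that `entry list --text` prints `Alias`, `Issuer:` and `Not After` lines, and its function names are hypothetical.

```shell
#!/bin/bash
# Added example, not part of the original article.
# Assumption: vecs-cli path and OpenSSL-style --text output (Alias / Issuer: / Not After).
VECS_CLI="${VECS_CLI:-/usr/lib/vmware-vmafd/bin/vecs-cli}"

# Solution User stores exactly as listed in the article's Notes.
solution_users() {
  case "$1" in
    6)   echo "machine vpxd vpxd-extension vsphere-webclient" ;;
    7|8) echo "machine vsphere-webclient vpxd vpxd-extension hvc wcp" ;;
    *)   echo "unsupported major version: $1" >&2; return 2 ;;
  esac
}

# stdin:  output of `vecs-cli entry list --store <name> --text`
# stdout: one "alias|issuer|not_after" line per entry in the store.
parse_entries() {
  awk '
    function emit() { if (alias != "") print alias "|" issuer "|" notafter }
    /^Alias[ \t]*:/    { emit(); sub(/^Alias[ \t]*:[ \t]*/, ""); alias = $0; issuer = notafter = ""; next }
    /^[ \t]*Issuer:/   { sub(/^[ \t]*Issuer:[ \t]*/, ""); issuer = $0; next }
    /^[ \t]*Not After/ { sub(/^[ \t]*Not After[ \t]*:[ \t]*/, ""); notafter = $0; next }
    END { emit() }
  '
}

# Print "store|alias|issuer|not_after", or "store|MISSING" when the store has no entry.
check_store() {
  local rows
  rows="$("$VECS_CLI" entry list --store "$1" --text 2>/dev/null | parse_entries)"
  if [ -z "$rows" ]; then
    echo "$1|MISSING"
    return 1
  fi
  printf '%s\n' "$rows" | sed "s/^/$1|/"
}

# Check every Solution User store for the given major version (6, 7 or 8).
check_all() {
  local users store rc=0
  users="$(solution_users "$1")" || return 2
  for store in $users; do
    check_store "$store" || rc=1
  done
  return "$rc"
}

# On the appliance (file name is an example): ./check-solution-users.sh 8
if [ "$#" -gt 0 ]; then check_all "$1"; fi
```

Compare the printed issuer with the subject of the current VMCA Root Certificate; a store reported as MISSING or showing an old Not After date was not replaced.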