How to replace the vSphere 6/7/8.x Solution User certificates with VMCA issued certificate
Article ID: 313947
Updated On:
Products
VMware vCenter Server
VMware vCenter Server 7.0
VMware vCenter Server 6.0
VMware vCenter Server 8.0
Issue/Introduction
- This article explains how to regenerate new vSphere 6/7/8.x Solution User certificates from the VMware Certificate Authority (VMCA).
- The certificates generated is issued from the current VMCA Root Certificate. You may want to configure VMCA as a Subordinate Certificate Authority of an existing Certificate Authority. For more information on this procedure, see Configuring vSphere 6.0 VMware Certificate Authority as a subordinate Certificate Authority (2112016).
Notes:
- The vSphere 6/7/8.x Solution Users use SSL Certificates for internal communication and endpoint registration.
- If you are using vCenter Server 6 with an embedded Platform Services Controller, there are four Solution User Certificates:
- machine
- vpxd
- vpxd-extension
- vsphere-webclient
- On a vCenter server 7 and 8 with an embedded Platform Services Controller, there are 6 Solution User Certificates.
-
- machine
- vsphere-webclient
- vpxd
- vpxd-extension
- hvc
- wcp
Environment
VMware vCenter Server Appliance 6.x
VMware vCenter Server Appliance 7.x
VMware vCenter Server Appliance 8.x
Resolution
To replace the vSphere 6/7/8.x Solution User certificates with VMware Certificate Authority issued certificates:
NOTE: Ensure to take a no memory snapshot of the vCenter Server if it is standalone or powered off snapshots off all vCenter Servers if they are in Enhanced Linked Mode (ELM)
- Launch the vSphere 6/7/8.x Certificate Manager by executing the following command in SSH of the vCenter Server,
For vCenter Server 6/7/8.x Appliance:/usr/lib/vmware-vmca/bin/certificate-manager
For Windows vCenter Server 6.0:C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager
- Select Option 6 (Replace Solution user certificates with VMCA Certificates)
- Type Yes (Y) to the confirmation request to proceed.
- Provide the [email protected] password when prompted.
Notes:
- Further steps may be required to update EAM service after replacing the certificates. For more information, see After replacing the vCenter Server certificates in VMware vSphere 6.0, the ESX Agent Manager solution user fails to log in (318255).
- This task replaces the Solution User Certificates with VMCA issued certificates.
- If you are running an external Platform Services Controller you will need to restart the services of the external vCenter Server 6.0 and then optionally proceed with replacing the Solution User Certificates of the vCenter Server 6.0.
Additional Information
- Use below command to confirm the hostname/ vCenter server PNID that should ideally be used to re-generate certificates.
vCenter server Appliance :
/usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhostWindows based vCenter server :
"C:\Program Files\VMware\vCenter Server\vmafdd"\vmafd-cli get-pnid --server-name localhost
2. Use below command to confirm the domain-name of the vCenter server.
vCenter server Appliance :
/usr/lib/vmware-vmafd/bin/vmafd-cli get-domain-name --server-name localhostWindows based vCenter server :
"C:\Program Files\VMware\vCenter Server\vmafdd"\vmafd-cli get-domain-name --server-name localhostFeedback
Yes
No
Powered by
