Best practice to be followed if we change Platform service controller retaining same name

Article ID: 320204

Products

VMware vCenter Server

Issue/Introduction

VECS is designed to use the Subject Key Identifier to uniquely identify certificates. The purpose of this KB is to explain how vCenter certificates must be handled when the Platform Services Controller is changed and the new PSC node is required to retain the same name.

Symptoms:
VASA failed to register as client certificate not signed

Environment

VMware vCenter Server 6.0.x
VMware vCenter Server 6.7.x
VMware vCenter Server 6.5.x

Cause

While decommissioning a Platform Services Controller, all the certificates issued by that PSC must be regenerated before pointing to a new instance. Failing to do so causes inconsistencies within vCenter as well as for the various solutions/extensions that depend on vCenter. The inconsistency persists even if the customer uses the same name for the new PSC node.

Resolution

To resolve this issue:

  1. Identify the PSCs that are active and find the VMCA root certificate of each by running the command:
/usr/lib/vmware-vmca/bin/certool --getrootca
  2. Identify the root certificates present in VECS that belong to the decommissioned PSC, see Manually reviewing certificates in VMware Endpoint Certificate Store for vSphere 6.x and 7.x.
  3. Use the new or replacement PSC to reissue all the certificates generated by the decommissioned PSC.
The following example can be used to import the certs formerly used by the decommissioned PSC into the new or replacement PSC:

pscxyz/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store machine --alias machine

Note: for more information, see Managing Certificates and Services with CLI Command.

  4. Un-publish the roots that belong to the decommissioned PSC using dir-cli, see dir-cli Command Reference and Removing Expired CA Certificates from the TRUSTED_ROOTS store in the VMware Endpoint Certificate Store (VECS).
Note: Do not just delete them from VECS.
  5. Restart the services on vCenter Server, see Stopping, Starting or Restarting VMware vCenter Server Appliance 6.x & above services and How to Stop, Start or Restart vCenter Server 6.x Services.
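As an added check for the identification steps above (this is example code, not VMware tooling): the script compares the Subject Key Identifier of the current VMCA root with the Authority Key Identifier of each VECS entry, so entries that chain to another PSC's root (to be reissued) and foreign self-signed roots (to be un-published) stand out. It assumes the certool root and each vecs-cli entry were first converted with `openssl x509 -text -noout`; the sample dumps, aliases and key identifiers are constructed.

```python
import re
from typing import Dict, Optional

# Patterns over `openssl x509 -text -noout` output (assumed pre-processing of
# the certool root and each `vecs-cli entry getcert` result; not VMware tooling).
SUBJ_RE = re.compile(r"^\s*Subject:\s*(.+)$", re.M)
SKI_RE = re.compile(r"Subject Key Identifier:\s*([0-9A-Fa-f:]+)")
AKI_RE = re.compile(r"Authority Key Identifier:\s*(?:keyid:)?([0-9A-Fa-f:]+)")

def key_ids(cert_text: str) -> Dict[str, Optional[str]]:
    """Extract subject, Subject Key Identifier (SKI) and Authority Key Identifier (AKI)."""
    subj, ski, aki = (p.search(cert_text) for p in (SUBJ_RE, SKI_RE, AKI_RE))
    return {"subject": subj.group(1).strip() if subj else "",
            "ski": ski.group(1).upper() if ski else None,
            "aki": aki.group(1).upper() if aki else None}

def classify(vmca_root_text: str, vecs_entries: Dict[str, str]) -> Dict[str, str]:
    """Map each VECS alias to the action the KB calls for, by SKI/AKI chaining."""
    current_ski = key_ids(vmca_root_text)["ski"]
    verdicts = {}
    for alias, text in vecs_entries.items():
        ids = key_ids(text)
        if ids["ski"] and ids["ski"] == current_ski:
            verdicts[alias] = "current-vmca-root"       # live PSC root: keep
        elif ids["aki"] == current_ski:
            verdicts[alias] = "issued-by-current-psc"   # already chains to live root
        elif ids["ski"] and ids["ski"] == ids["aki"]:
            verdicts[alias] = "root-from-other-psc"     # un-publish via dir-cli
        else:
            verdicts[alias] = "issued-by-other-psc"     # reissue from the new PSC
    return verdicts

def _sample(subject: str, ski: str, aki: str) -> str:
    """Constructed stand-in for the relevant lines of an openssl text dump."""
    return (f"        Subject: {subject}\n        X509v3 extensions:\n"
            f"            X509v3 Subject Key Identifier: \n                {ski}\n"
            f"            X509v3 Authority Key Identifier: \n                keyid:{aki}\n")

NEW_ROOT_SKI, OLD_ROOT_SKI = "11:22:33:44", "AA:BB:CC:DD"   # constructed values
VMCA_ROOT_TEXT = _sample("CN=CA, DC=vsphere, DC=local", NEW_ROOT_SKI, NEW_ROOT_SKI)
VECS_SAMPLE = {  # constructed VECS entries keyed by alias
    "machine": _sample("CN=vc01.example.com", "01:02:03:04", OLD_ROOT_SKI),
    "vsphere-webclient": _sample("CN=vsphere-webclient", "05:06:07:08", NEW_ROOT_SKI),
    "old-psc-root": _sample("CN=CA, DC=vsphere, DC=local", OLD_ROOT_SKI, OLD_ROOT_SKI),
}

if __name__ == "__main__":
    for alias, verdict in classify(VMCA_ROOT_TEXT, VECS_SAMPLE).items():
        print(f"{alias:20} {verdict}")
```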