Manually reviewing certificates in VMware Endpoint Certificate Store for vSphere 6.x and 7.x
Article ID: 321380
Updated On:
Products
VMware vCenter Server
Issue/Introduction
This article provides information on how to manually reviewing the Certificate Authority (CA) signed SSL certificates in a vSphere 6 or 7 environment. In vSphere 6 and 7, certificates generated by the VMware Certificate Authority (VMCA) can be monitored through the vSphere Web Client. For more information, see Managing vCenter Certificates.
Note: You will need to manage your own certificate validity if you are using your own Private Key Infrastructure (PKI) in your environment.
This article uses the vecs-cli command to list certificates stored in the VMware Endpoint Certificate Store (VECS) as well as references the individual keystores used by vSphere. Before proceeding, familiarize yourself by reviewing Where vSphere Uses Certificates and vecs-cli Command Reference.
Environment
- VMware vCenter Server 6.x
- VMware vCenter Server 7.x
- VMware vCenter Server 8.x
Resolution
- Reviewing stored certificates for Windows
- Reviewing stored certificates for vCenter Server Appliance
- Exporting stored certificates for Windows
- Exporting stored certificates for vCenter Server Appliance
Reviewing stored certificates for Windows:
Note: These steps are written using the default installation path of
C:\ drive on Windows. If you are using a non-default installation path, these steps need to be modified.- Open an elevated command prompt. If an elevated command prompt is not used, the entry list commands fail with the Windows error "Access is denied."
- Run this command to list all of the Keystores stored within VECS. This command can be run from a vCenter Server or a Platform Services Controller.
This will output one of these lists depending on what node this command is performed on."C:\Program Files\VMware\vCenter Server\vmafdd\"vecs-cli store listFor External Platform Services Controller
MACHINE_SSL_CERT TRUSTED_ROOTS TRUSTED_ROOT_CRLS machineFor vCenter Server with an external Platform Services Controller or an embedded Platform Services Controller
MACHINE_SSL_CERT TRUSTED_ROOTS TRUSTED_ROOT_CRLS machine vpxd vpxd-extension vsphere-webclient SMS - To review the individual Keystores, use these examples to list the certificates stored:
"C:\Program Files\VMware\vCenter Server\vmafdd\"vecs-cli entry list --store TRUSTED_ROOTS --text | more "C:\Program Files\VMware\vCenter Server\vmafdd\"vecs-cli entry list --store MACHINE_SSL_CERT --text | more "C:\Program Files\VMware\vCenter Server\vmafdd\"vecs-cli entry list --store machine --text | more "C:\Program Files\VMware\vCenter Server\vmafdd\"vecs-cli entry list --store vpxd --text | more "C:\Program Files\VMware\vCenter Server\vmafdd\"vecs-cli entry list --store vpxd-extension --text | more "C:\Program Files\VMware\vCenter Server\vmafdd\"vecs-cli entry list --store vsphere-webclient --text | more "C:\Program Files\VMware\vCenter Server\vmafdd\"vecs-cli entry list --store SMS --text | more "C:\Program Files\VMware\vCenter Server\vmafdd\"vecs-cli entry list --store TRUSTED_ROOT_CRLS --text | moreNote: Pressqto leave the session. - Review the certificates displayed.
Notes:
- When reviewing the
MACHINE_SSL_CERTor any of the Solution User stores, take note of the X509v3 extensions, particularly Key Usages, Validity, and Subject Alternate Name. For customers who upgraded to vSphere 6, theMACHINE_SSL_CERTwill now be the certificate previously used for the vCenter Server. - When reviewing the
TRUSTED_ROOTSstore, take note of the X509v3 extensions, particularly the Key Usage Certificate Sign and Validity. If the Certificate Sign Key Usage is missing, the VMCA is unable to sign and provision certificates thus causing installation and certificate regeneration failures. - You might see below Stores as well in some situations depending on vCenter build, use the
vecs-clicommands mentioned above to list the certificates stored in these stores:- BACKUP_STORE
- data-encipherment
- KMS_ENCRYPTION
- When reviewing the
Reviewing stored certificates for vCenter Server Appliance:
- Open an SSH session to the vCenter Server Appliance. Log in as
root. Switch to using aBASHshell session by using this command:shell.set --enabled true shell - Run this command to list all of the Keystores stored within VECS. This command can be run from a vCenter Server or a Platform Services Controller.
This will output one of the following lists depending on what node this command is performed on./usr/lib/vmware-vmafd/bin/vecs-cli store listExternal Platform Services Controller
MACHINE_SSL_CERT TRUSTED_ROOTS TRUSTED_ROOT_CRLS machineFor vCenter Server Appliance with external Platform Services Controller or embedded Platform Services Controller
MACHINE_SSL_CERT TRUSTED_ROOTS TRUSTED_ROOT_CRLS machine vpxd vpxd-extension vsphere-webclient SMS - In order to review the individual Keystores, use these examples to list the certificates stored:
/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS --text | less /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store MACHINE_SSL_CERT --text | less /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store machine --text | less /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store vpxd --text | less /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store vpxd-extension --text | less /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store vsphere-webclient --text | less /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store SMS --text | less /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOT_CRLS --text | lessNote: Pressqto leave the session. - Review the certificates displayed.
Notes:
- When reviewing the
MACHINE_SSL_CERTor any of the Solution User stores, take note of the X509v3 extensions, particularly Key Usages, Validity, and Subject Alternate Name. For customers who upgraded to vSphere 6, theMACHINE_SSL_CERTwill now be the certificate previously used for the vCenter Server. - When reviewing the
TRUSTED_ROOTSstore, take note of the X509v3 extensions, particularly the Key Usage Certificate Sign and Validity. If the Certificate Sign Key Usage is missing, the VMCA is unable to sign and provision certificates thus causing installation and certificate regeneration failures. - You might see below Stores as well in some situations, depending on the vCenter build. Use the
vecs-clicommands mentioned above to list the certificates stored in these stores:- BACKUP_STORE
- data-encipherment
- KMS_ENCRYPTION
- When reviewing the
Exporting stored certificates for Windows:
Note: These steps are written using the default installation path of
C:\ drive on Windows. If you are using a non-default installation path, these steps need to be modified.- Open an elevated command prompt. If an elevated command prompt is not used, the entry list commands fail with Win Error:
access is denied. - Run these commands to list all of the Keystores stored within VECS. These commands can be run from a vCenter Server or a Platform Services Controller. Create directory
C:\Certificatesbefore proceeding with below steps.
Users have the option to output one of the following store's pair depending on what node this command is performed on."%VMWARE_CIS_HOME%"\vmafdd\vecs-cli entry getcert --store <stored name> --alias <alias name> --output c:\certificates\<certificate usage name>.crt "%VMWARE_CIS_HOME%"\vmafdd\vecs-cli entry getkey --store <stored name> --alias <stored name> --output c:\certificates\<certificate usage name>.keyFor External Platform Services Controller
MACHINE_SSL_CERT TRUSTED_ROOTS TRUSTED_ROOT_CRLS machineFor vCenter Server with an external Platform Services Controller or an embedded Platform Services Controller
MACHINE_SSL_CERT TRUSTED_ROOTS TRUSTED_ROOT_CRLS machine vpxd vpxd-extension vsphere-webclient SMS - To review the individual Keystores, use these examples to list the certificates stored:
"%VMWARE_CIS_HOME%"\vmafdd\vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output c:\certificates\machine_ssl.crt "%VMWARE_CIS_HOME%"\vmafdd\vecs-cli entry getkey --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output c:\certificates\machine_ssl.key "%VMWARE_CIS_HOME%"\vmafdd\vecs-cli entry getcert --store vpxd-extension --alias vpxd-extension --output c:\certificates\vpxd-extension.crt "%VMWARE_CIS_HOME%"\vmafdd\vecs-cli entry getkey --store vpxd-extension --alias vpxd-extension --output c:\certificates\vpxd-extension.key "%VMWARE_CIS_HOME%"\vmafdd\vecs-cli entry getcert --store vpxd --alias vpxd --output c:\certificates\vpxd.crt "%VMWARE_CIS_HOME%"\vmafdd\vecs-cli entry getkey --store vpxd --alias vpxd --output c:\certificates\vpxd.key "%VMWARE_CIS_HOME%"\vmafdd\vecs-cli entry getcert --store machine --alias machine --output c:\certificates\machine.crt "%VMWARE_CIS_HOME%"\vmafdd\vecs-cli entry getkey --store machine --alias machine --output c:\certificates\machine.key "%VMWARE_CIS_HOME%"\vmafdd\vecs-cli entry getcert --store vsphere-webclient --alias vsphere-webclient --output c:\certificates\vsphere-webclient.crt "%VMWARE_CIS_HOME%"\vmafdd\vecs-cli entry getkey --store vsphere-webclient --alias vsphere-webclient --output c:\certificates\vsphere-webclient.key
Exporting stored certificates for vCenter Server Appliance:
- Open an SSH session to the vCenter Server Appliance. Log in as
root. Switch to using aBASHshell session by using the command:shell.set --enabled true shell - Create the export location directory by running this command
mkdir /certificate. - Run these commands to export the Key and Certificate pairs stored within VECS one by one. These commands can be run from a vCenter Server or a Platform Services Controller.
Users have the option to output one of the following store's pair depending on what node this command is performed on./usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store <stored name> --alias <alias name> --output /certificate/<certificate usage name>.crt /usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store <stored name> --alias <stored name> --output /certificate/<certificate usage name>.keyExternal Platform Services Controller
MACHINE_SSL_CERT TRUSTED_ROOTS TRUSTED_ROOT_CRLS machineFor vCenter Server Appliance with external Platform Services Controller or embedded Platform Services Controller
MACHINE_SSL_CERT TRUSTED_ROOTS TRUSTED_ROOT_CRLS machine vpxd vpxd-extension vsphere-webclient SMS - Use these commands as examples for exporting the stored pairs:
/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output /certificate/Machine_SSL.crt /usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output /certificate/Machine_SSL.key /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store vpxd-extension --alias vpxd-extension --output /certificate/vpxd-extension.crt /usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store vpxd-extension --alias vpxd-extension --output /certificate/vpxd-extension.key /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store vpxd --alias vpxd --output /certificate/vpxd.crt /usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store vpxd --alias vpxd --output /certificate/vpxd.key /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store machine --alias machine --output /certificate/machine.crt /usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store machine --alias machine --output /certificate/machine.key /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store vsphere-webclient --alias vsphere-webclient --output /certificate/vsphere-webclient.crt /usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store vsphere-webclient --alias vsphere-webclient --output /certificate/vsphere-webclient.key
Additional Information
- VMware Skyline Health Diagnostics for vSphere - FAQ (81931)
- "Error in creating a new entry for __MACHINE_CERT in VECS Store MACHINE_SSL_CERT", Certificate Replacement with Custom Certificate fails on 6.x/7.x (70777)
- "Unable to enumerate and validate the root certificates from the TRUSTED_ROOTS VECS store" pre-upgrade check error while upgrading to VC 6.7 (70902)
- How to replace the vSphere 6.0 Solution User certs with VMCA issued certs (2112281)
For information on renewing VMware certificates, see:
Feedback
Yes
No
Powered by
