Replace certificates on vCenter server using the Fixcerts script
Article ID: 322249

Products

VMware vCenter Server

Issue/Introduction

This article explains how to use the Fixcerts script to replace certificates on the vCenter Server Appliance.

The script can replace, remove or update the following certificates and certificate-related items on vCenter Server:

  • VMCA Root
  • MACHINE SSL
  • Secure Token Signing (STS)
  • Solution Users
  • LookupService or STS_INTERNAL_SSL_CERT
  • data-encipherment
  • SMS
  • Expired Certificates from TRUSTED_ROOTS store
  • Non-CA Certificates from TRUSTED_ROOTS store
  • Update thumbprints for vpxd extensions eam, rbd and imagebuilder

Notes:

  • Fixcerts replaces the certificates it touches with certificates issued by the VCSA's own VMCA (self-signed). Any custom CA-signed certificates in those stores are overwritten and will need to be re-imported afterwards through the normal certificate management workflow.
  • Fixcerts is not a replacement for the vCenter Server Certificate Management UI or CLI.
  • VMware vCenter Server Appliance (VCSA) is supported. Windows vCenter Server is not supported.
  • If Enhanced Linked Mode (ELM) is in use, take offline snapshots of all vCenter servers in the domain before proceeding.

Environment

  • VMware vCenter Server 6.5.x
  • VMware vCenter Server 6.7.x
  • VMware vCenter Server 7.x
  • VMware vCenter Server 8.x

Resolution

Replace expired certificates:

$ python fixcerts_3_2.py replace --certType expired_only

Replace all certificates:

$ python fixcerts_3_2.py replace --certType all

  1. Before any change is made, the script displays the validity of the current certificates and asks for confirmation. Review the output (in particular, confirm that the certificates listed as expired are the ones you expect) and enter Y to continue.
  2. After the certificates have been updated, restart the vCenter services so that every service picks up the new certificates, unless the script was started with --serviceRestart True, in which case it restarts them itself. Then check that the new validity dates are shown and that the vSphere Client logs in normally.
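The validity check in step 1 can be done before fixcerts is even run by reading the TRUSTED_ROOTS store with the VCSA's own vecs-cli tool (`/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS --text`), which prints each entry in openssl `x509 -text` form. The following is an added example, not part of this article or of the fixcerts script: it parses that text format and reports which entries are expired, expiring soon, or not CA certificates, i.e. what the `remove --storeType trusted_roots` arguments described under Additional Information would act on. The store contents embedded below are constructed for the example (the aliases and DNs are made up), and the only assumption about the real format is the `Alias :`, `Not Before:`, `Not After :`, `Subject:` and `CA:TRUE/FALSE` lines that vecs-cli and openssl print; everything else in the output is ignored.

```python
"""Pre-flight audit of a VECS TRUSTED_ROOTS store from `vecs-cli ... --text` output.

Added example, not the fixcerts script. Usage on a VCSA (assumed, not run here):
  /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS --text | python audit.py
"""
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape vecs-cli/openssl prints; not output from a real system.
SAMPLE_TRUSTED_ROOTS = """\
Number of entries in store :\t3
Alias :\ta1b2c3d4e5f60718293a4b5c6d7e8f9012345678
Entry type :\tTrusted Cert
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: CN=CA, DC=vsphere, DC=local, C=US, O=vcsa.example.local, OU=VMware Engineering
        Validity
            Not Before: Mar  3 10:00:00 2021 GMT
            Not After : Feb 26 10:00:00 2031 GMT
        Subject: CN=CA, DC=vsphere, DC=local, C=US, O=vcsa.example.local, OU=VMware Engineering
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
Alias :\t0123456789abcdef0123456789abcdef01234567
Entry type :\tTrusted Cert
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: CN=CA, DC=vsphere, DC=local, C=US, O=old-vcsa.example.local, OU=VMware Engineering
        Validity
            Not Before: Jan  5 08:00:00 2015 GMT
            Not After : Jan  1 08:00:00 2025 GMT
        Subject: CN=CA, DC=vsphere, DC=local, C=US, O=old-vcsa.example.local, OU=VMware Engineering
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
Alias :\tfedcba9876543210fedcba9876543210fedcba98
Entry type :\tTrusted Cert
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: CN=CA, DC=vsphere, DC=local, C=US, O=vcsa.example.local, OU=VMware Engineering
        Validity
            Not Before: Jun 10 00:00:00 2023 GMT
            Not After : Jun  9 00:00:00 2025 GMT
        Subject: CN=vcsa.example.local, C=US, O=Example
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
"""

TIME_FMT = "%b %d %H:%M:%S %Y GMT"  # openssl's default GMT timestamp layout


def _parse_time(value):
    """Parse 'Jan  1 08:00:00 2025 GMT' (day may be space-padded) into an aware UTC datetime."""
    normalized = " ".join(value.split())
    return datetime.strptime(normalized, TIME_FMT).replace(tzinfo=timezone.utc)


def parse_entries(text):
    """Split vecs-cli --text output into one dict per 'Alias :' block.

    Lines the audit does not need (serial, public key, signature) are skipped.
    'ca' stays None when no Basic Constraints extension is present, which for a
    v3 certificate means it is not a CA.
    """
    entries, current, declared = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Number of entries in store"):
            declared = int(line.split(":", 1)[1])
        elif line.startswith("Alias :"):
            current = {"alias": line.split(":", 1)[1].strip(), "subject": None,
                       "not_before": None, "not_after": None, "ca": None}
            entries.append(current)
        elif current is None:
            continue
        elif line.startswith("Not Before:"):
            current["not_before"] = _parse_time(line.split(":", 1)[1])
        elif line.startswith("Not After :"):
            current["not_after"] = _parse_time(line.split(":", 1)[1])
        elif line.startswith("Subject:"):
            current["subject"] = line.split(":", 1)[1].strip()
        elif line.startswith("CA:"):
            current["ca"] = line.split(":", 1)[1].strip().upper() == "TRUE"
    if declared is not None and declared != len(entries):
        raise ValueError(f"store declares {declared} entries but {len(entries)} were parsed")
    return entries


def audit_trusted_roots(text, now, warn_days=30):
    """Classify entries the way the fixcerts remove arguments do: expired and non-CA,
    plus an 'expiring' list for certificates inside the warning window."""
    entries = parse_entries(text)
    horizon = now + timedelta(days=warn_days)
    expired = [e["alias"] for e in entries if e["not_after"] and e["not_after"] < now]
    expiring = [e["alias"] for e in entries
                if e["not_after"] and now <= e["not_after"] < horizon]
    non_ca = [e["alias"] for e in entries if not e["ca"]]  # None (no extension) counts as non-CA
    return {"total": len(entries), "expired": expired, "expiring": expiring, "non_ca": non_ca}


if __name__ == "__main__":
    store_text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TRUSTED_ROOTS
    report = audit_trusted_roots(store_text, datetime.now(timezone.utc))
    for key, value in report.items():
        print(f"{key:10} {value}")
```

Run it against the live store by piping the vecs-cli output in; with nothing on stdin it audits the embedded sample. The same parser can be pointed at MACHINE_SSL_CERT or the solution-user stores by changing the `--store` argument, since the text layout is the same; only the CA test is specific to TRUSTED_ROOTS.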

Additional Information

Regenerate vSphere certificates CLI method:

Regenerate vSphere 6.x, 7.x, and 8.0 certificates using self-signed VMCA (318767)

Regenerate vSphere certificates GUI method:

Managing vCenter Server Certificates

Fixcerts additional arguments:

Restart services automatically after certificate replacement:
$ python fixcerts_3_2.py replace --certType <cert> --serviceRestart True

Replace MACHINE_SSL_CERT certificate:
$ python fixcerts_3_2.py replace --certType machinessl

Replace STS Signing certificate:
$ python fixcerts_3_2.py replace --certType sts

Replace Solution Users certificates:
$ python fixcerts_3_2.py replace --certType solutionusers

Replace data-encipherment certificate:
$ python fixcerts_3_2.py replace --certType data-encipherment

Replace LookupService certificate if STS_INTERNAL_SSL_CERT store is available:
$ python fixcerts_3_2.py replace --certType lookupservice

Replace expired certificates from SMS store:
$ python fixcerts_3_2.py replace --certType sms

Remove non-CA certificates from the TRUSTED_ROOTS store, if any exist:
$ python fixcerts_3_2.py remove --storeType trusted_roots --certType non-ca

Remove expired certificates from the TRUSTED_ROOTS store, if any exist:
$ python fixcerts_3_2.py remove --storeType trusted_roots --certType expired

Update thumbprint for vpxd extensions eam, rbd and imagebuilder:
$ python fixcerts_3_2.py update --ExtensionType all
$ python fixcerts_3_2.py update --ExtensionType eam
$ python fixcerts_3_2.py update --ExtensionType rbd
$ python fixcerts_3_2.py update --ExtensionType imagebuilder

Attachments

fixcerts_3_2.py