Replacing certificates using the script attached to this article is deprecated. Use the new improved certificate management tool  vCert - Scripted vCenter Expired Certificate Replacement for all certificate management/replacement workflow. 

Use Manage Certificates menu  to check and replace the certificates.

This article explains how to use the Fixcerts script to replace certificates on the vCenter Server Appliance.

The script is able to replace the following Certificates on vCenter Server:

• VMCA Root
• MACHINE SSL
• Secure Token Signing (STS)
• Solution Users
• LookupService or STS_INTERNAL_SSL_CERT
• data-encipherment
• SMS
• Expired Certificates from TRUSTED_ROOTS store
• Non-CA Certificates from TRUSTED_ROOTS store
• Update thumbprints for vpxd extensions eam, rbd and imagebuilder

Notes:

• Fixcerts will replace custom certificates with VCSA self-signed certificates.
• Fixcerts is not a replacement for the vCenter Server Certificate Management UI or CLI.
• VMware vCenter Server Appliance (VCSA) is supported. Windows vCenter Server is not supported.
• If Enhanced Linked Mode (ELM) is in use, take offline snapshots of all vCenter servers in the domain before proceeding

Replacing certificates using the script attached to this article is deprecated.

Use the new improved certificate management tool  vCert - Scripted vCenter Expired Certificate Replacement for all certificate management/replacement workflow. 

Menu option Manage Certificates provides options to check and replace most of the vCenter Server certificates.

Replace Expired Certificates

To replace only expired certificates, run the following command:

python fixcerts_3_2.py replace --certType expired_only

Replace All Certificates

To replace all certificates regardless of expiry, run the following command:

python fixcerts_3_2.py replace --certType all

-------------------------------------------------------------------

Before changes are made, certificate validity will be displayed. Enter Y to continue:

Example output after certificates have been updated:

Check and Regenerate vSphere certificates CLI method:

vCert - Scripted vCenter Expired Certificate Replacement

Note: Previously linked KB article is now deprecated. Please use the new improve certificate management/replacement tool as described in KB article vCert - Scripted vCenter Expired Certificate Replacement

Regenerate vSphere certificates GUI method:

Managing vCenter Server Certificates

Fixcerts additional arguments:

Restart services automatically after certificate replacement:
$ python fixcerts_3_2.py replace --certType <cert> --serviceRestart True

Replace MACHINE_SSL_CERT certificate:
$ python fixcerts_3_2.py replace --certType machinessl

Replace STS Signing certificate:
$ python fixcerts_3_2.py replace --certType sts

Replace Solution Users certificates:
$ python fixcerts_3_2.py replace --certType solutionusers

Replace data-encipherment certificate:
$ python fixcerts_3_2.py replace --certType data-encipherment

Replace LookupService certificate if STS_INTERNAL_SSL_CERT store is available:
$ python fixcerts_3_2.py replace --certType lookupservice

Replace expired certificates from SMS store:
$ python fixcerts_3_2.py replace --certType sms

Remove Non-CA certificates from TRUSTED_ROOTS store if exists:
$ python fixcerts_3_2.py remove --storeType trusted_roots --certType non-ca

Remove expired certificates from TRUSTED_ROOTS store if exists:
$ python fixcerts_3_2.py remove --storeType trusted_roots --certType expired

Update thumbprint for vpxd extensions eam, rbd and imagebuilder:
$ python fixcerts_3_2.py update --ExtensionType all
$ python fixcerts_3_2.py update --ExtensionType eam
$ python fixcerts_3_2.py update --ExtensionType rbd
$ python fixcerts_3_2.py update --ExtensionType imagebuilder