To solve the issue, follow the steps below:
1. Obtain the current root CA certificate: /usr/lib/vmware-vmca/bin/certool --getrootca --cert=/tmp/cacert.crt
2. Save it as cacert.crt on the appliance at a location of your choice; /tmp/ in the command above is only an example.
3. Replace the certificate in the STS_INTERNAL_SSL_CERT store with the machine certificate from the MACHINE_SSL_CERT store. Run the commands below one at a time, in the order shown (the third and fourth commands back up the existing STS_INTERNAL_SSL_CERT entry before it is deleted):
/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT > ~/machine.crt
/usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store MACHINE_SSL_CERT --alias __MACHINE_CERT > ~/machine.key
/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT > ~/sts_internal_backup.crt
/usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT > ~/sts_internal_backup.key
/usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT -y
/usr/lib/vmware-vmafd/bin/vecs-cli entry create --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT --cert ~/machine.crt --key ~/machine.key
4. Create the new STS signing certificate. The document Generate a New STS Signing Certificate on the Appliance assumes that the certificate at /etc/vmware-sso/keys/ssoserverRoot.crt is the same as the VMCA root CA certificate. On a vCenter Server Appliance that was upgraded rather than freshly deployed, the two can differ. So, when you work through Generate a New STS Signing Certificate on the Appliance again to create the new STS certificate, replace /etc/vmware-sso/keys/ssoserverRoot.crt with <path>/cacert.crt (the file obtained in step 1) wherever it appears in the openssl commands.
5. Importing root-trust.jks as described in Refresh the Security Token Service Certificate should now succeed.
6. Restart all vCenter Server and PSC services.
7. Delete the old STS signing certificates from the web client.
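The script below is added here as an example; it is not part of the VMware article. It performs steps 1 to 3 with the checks a practitioner would want around them: it confirms the exported machine key actually belongs to the machine certificate before anything in VECS is deleted, keeps a backup of the STS_INTERNAL_SSL_CERT entry, verifies after the swap that the store really holds the machine certificate, and, for step 4, reports whether /etc/vmware-sso/keys/ssoserverRoot.crt is identical to the VMCA root exported by certool. The certool and vecs-cli paths and the store/alias names are the ones the article uses; the working directory /root/sts-fix (overridable with WORKDIR), the --apply switch, the function names and the public-key comparison used for the key/certificate check are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the VMware article: steps 1 to 3 of the procedure
# with checks around them, plus the root-certificate comparison step 4 relies on.
# Tool paths are the ones the article uses; WORKDIR, --apply and the function
# names are assumptions of this example.
set -eu

CERTOOL=/usr/lib/vmware-vmca/bin/certool
VECS=/usr/lib/vmware-vmafd/bin/vecs-cli
SSO_ROOT=/etc/vmware-sso/keys/ssoserverRoot.crt

# SHA-256 of the DER encoding of the first certificate in a PEM file, using
# coreutils only. Line wrapping and CRLF differences in the PEM do not matter.
pem_fingerprint() {
    awk '/-----BEGIN CERTIFICATE-----/{f=1;next} /-----END CERTIFICATE-----/{exit} f' "$1" \
        | tr -d '\r\n ' | base64 -d | sha256sum | cut -d' ' -f1
}

# Succeeds when both files carry the same certificate.
same_cert() {
    [ "$(pem_fingerprint "$1")" = "$(pem_fingerprint "$2")" ]
}

# Succeeds when the private key ($2) belongs to the certificate ($1): both must
# yield the same SubjectPublicKeyInfo.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Which root to use in the openssl commands of "Generate a New STS Signing
# Certificate on the Appliance": ssoserverRoot.crt when it is identical to the
# VMCA root exported by certool, otherwise the exported cacert.crt (step 4).
sts_root_for() {
    if same_cert "$1" "$2"; then printf '%s\n' "$1"; else printf '%s\n' "$2"; fi
}

# Steps 1 to 3: export the VMCA root, copy the machine certificate and key into
# STS_INTERNAL_SSL_CERT, keeping a backup of the entry being replaced and
# verifying the result. Private keys are written with mode 0600 (umask 077).
replace_sts_internal_cert() {
    work=${WORKDIR:-/root/sts-fix}
    umask 077
    mkdir -p "$work"
    "$CERTOOL" --getrootca --cert="$work/cacert.crt"
    "$VECS" entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT > "$work/machine.crt"
    "$VECS" entry getkey  --store MACHINE_SSL_CERT --alias __MACHINE_CERT > "$work/machine.key"
    if ! key_matches_cert "$work/machine.crt" "$work/machine.key"; then
        echo "machine.key does not match machine.crt; aborting before touching VECS" >&2
        return 1
    fi
    "$VECS" entry getcert --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT > "$work/sts_internal_backup.crt"
    "$VECS" entry getkey  --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT > "$work/sts_internal_backup.key"
    "$VECS" entry delete --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT -y
    "$VECS" entry create --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT \
        --cert "$work/machine.crt" --key "$work/machine.key"
    "$VECS" entry getcert --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT > "$work/sts_internal_new.crt"
    if ! same_cert "$work/machine.crt" "$work/sts_internal_new.crt"; then
        echo "STS_INTERNAL_SSL_CERT still does not hold the machine certificate" >&2
        return 1
    fi
    echo "STS_INTERNAL_SSL_CERT now holds the machine certificate; backup in $work"
    echo "root certificate to use in the STS openssl commands: $(sts_root_for "$SSO_ROOT" "$work/cacert.crt")"
}

# Nothing is changed unless the script is invoked with --apply.
if [ "${1-}" = "--apply" ]; then
    replace_sts_internal_cert
fi
```

Run it on the appliance as root with --apply; without that switch it only defines the functions, so you can source it and call sts_root_for /etc/vmware-sso/keys/ssoserverRoot.crt /tmp/cacert.crt by hand to learn which file to substitute in step 4. If the machine key fails the check, nothing has been deleted yet, so re-export from MACHINE_SSL_CERT before retrying.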