Replacing the Lookup Service SSL certificate on a Platform Services Controller 6.0
Article ID: 341767

Products

VMware vCenter Server

Issue/Introduction

In VMware vSphere 6.0, the Lookup Service is not directly exposed on port 7444. The registration and communication to the Lookup Service should occur through the HTTP Reverse Proxy on port 443.

If you are running a mixed environment with a Platform Service Controller 6.0 and VMware vCenter Server 5.5, you need to manually replace the Lookup Service SSL Certificate if it expires. This would have been the Single Sign-On certificate in VMware vSphere 5.5.

This article provides the necessary steps on generating a new certificate using the VMware Certificate Authority and replacing the Lookup Service certificate.

Environment

VMware vCenter Server Appliance 6.0.x
VMware vCenter Server 6.0.x

Resolution

VMware vCenter Server Appliance 6.0

This process is for generating and replacing the Lookup Service SSL certificate for the VMware vCenter Server Appliance 6.0.

For more information on generating and replacing the Lookup Service SSL certificates for VMware vCenter Server 6.0 installed on a Microsoft Windows Server, see the VMware vCenter Server 6.0 installed on a Microsoft Windows Server section within this article.
 
To generate and replace the Lookup Service SSL certificate:
  1. Connect to VMware vCenter Server Appliance 6.0 as root through a console or SSH session.
  2. Run this command to create a temporary directory to store files during generation:

    mkdir /ssl
     
  3. Using a text editor, open the /usr/lib/vmware-vmca/share/config/certool.cfg file and provide the custom details pertaining to your environment and save the file.

    Note: It is important to ensure that hostname is correct. The IP address value is optional.
     
  4. Run this command to generate a new private and public key for the Lookup Service:

    /usr/lib/vmware-vmca/bin/certool --server localhost --genkey --privkey=/ssl/ssoserver.key --pubkey=/ssl/ssoserver.pub
     
  5. Run this command to generate a new certificate for the Lookup Service using the previously generated private key and certool.cfg file:

    /usr/lib/vmware-vmca/bin/certool --gencert --cert=/ssl/ssoserver.cer --privkey=/ssl/ssoserver.key --config=/usr/lib/vmware-vmca/share/config/certool.cfg

    Note: If you are using an external CA as your certificate authority, run this command instead:

      /usr/lib/vmware-vmca/bin/certool --initcsr --privkey=/ssl/ssoserver.key --pubkey=/ssl/ssoserver.pub --csrfile=/ssl/ssoserver.csr --config=/usr/lib/vmware-vmca/share/config/certool.cfg

    Then have the generated ssoserver.csr signed by your Enterprise CA.
     
  6. Run this command to generate a .p12 file consisting of both the ssoserver.cer and ssoserver.key files:

    openssl pkcs12 -export -in /ssl/ssoserver.cer -inkey /ssl/ssoserver.key -name "ssoserver" -passout pass:changeme -out /ssl/ssoserver.p12

    Note: Do not modify the -passout value. This must remain as changeme.
     
  7. Run this command to back up the existing ssoserver.p12 file:

    cp /usr/lib/vmware-sso/vmware-sts/conf/ssoserver.p12 /usr/lib/vmware-sso/vmware-sts/conf/ssoserver.p12.backup
     
  8. Run this command to replace the old ssoserver.p12 file with the newly generated ssoserver.p12 file:

    cp /ssl/ssoserver.p12 /usr/lib/vmware-sso/vmware-sts/conf/ssoserver.p12
     
  9. In an environment that is running vCenter Server 5.5, where the CA certificate of the new Lookup Service certificate differs from that of the old Lookup Service certificate, run these steps:
     
    1. Run this command to update the SSO endpoints on port 7444 with the CA certificate of the new lookup service certificate.

      python ls_update_certs.py --url https://FQDN_of_Platform_Services_Controller/lookupservice/sdk --fingerprint Old_Certificate_Fingerprint --certfile New_CA_Certificate_Path --user [email protected] --password "Password"

      For example:

      python ls_update_certs.py --url https://psc.vmware.com/lookupservice/sdk --fingerprint 43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8 --certfile /certs/cert.crt --user [email protected] --password "Password"
    2. Update the <PATH> on vCenter Server 5.5 with the CA certificate of the new lookup service certificate.
       
    3. Run these commands to restart the vCenter Server 5.5 services.

      service-control --stop --all
      service-control --start --all
  10. Run these commands to restart the Platform Services Controller services:

    Note: If the Platform Services Controller is external from VMware vCenter Server, restart the services on all VMware vCenter Server machines registered with the Platform Services Controller.

    For more information, see:

VMware vCenter Server installed on a Microsoft Windows Server

This process is for generating and replacing the Lookup Service SSL certificate for vCenter Server 6.0 installed on a Microsoft Windows Server.

For more information on generating and replacing the Lookup Service SSL certificates for the VMware vCenter Server Appliance 6.0, see the VMware vCenter Server Appliance 6.0 section within this article.
 
Note: This section assumes a default installation on the C:\ drive. If vCenter Server is installed on a different drive than C:\, these commands must be changed to the appropriate drive. The OpenSSL config path must also be changed with this command:

set OPENSSL_CONF=Drive:\Program Files\VMware\vCenter Server\openSSL\openssl.cfg

For example:

set OPENSSL_CONF=D:\Program Files\VMware\vCenter Server\openSSL\openssl.cfg
 
To generate and replace the Lookup Service SSL certificate:
  1. Log in as an administrator to the Microsoft Windows Server with the Platform Services Controller installed.
  2. Open an elevated command prompt.
  3. Run this command to create a temporary directory to store files during generation:

    C:\> mkdir C:\ssl
     
  4. Using a text editor, open the C:\Program Files\VMware\vCenter Server\vmcad\certool.cfg file and provide the custom details pertaining to your environment and save the file.

    Note: VMware recommends using Microsoft Notepad.

    Run this command to open the file using a Notepad:

    C:\> notepad "C:\Program Files\VMware\vCenter Server\vmcad\certool.cfg"

    Note: It is important to ensure that hostname is correct. The IP address value is optional.

     
  5. Run this command to generate a new private and public key for the Lookup Service:

    C:\> "C:\Program Files\VMware\vCenter Server\vmcad\certool.exe" --server localhost --genkey --privkey=C:\ssl\ssoserver.key --pubkey=C:\ssl\ssoserver.pub
     
  6. Run this command to generate a new certificate for the Lookup Service using the previously generated private key and certool.cfg file:

    C:\> "C:\Program Files\VMware\vCenter Server\vmcad\certool.exe" --gencert --cert=C:\ssl\ssoserver.cer --privkey=C:\ssl\ssoserver.key --config="C:\Program Files\VMware\vCenter Server\vmcad\certool.cfg"

    Note: If you are using an external CA as your certificate authority, run this command instead:

      C:\> "C:\Program Files\VMware\vCenter Server\vmcad\certool.exe" --initcsr --privkey=C:\ssl\ssoserver.key --pubkey=C:\ssl\ssoserver.pub --csrfile=C:\ssl\ssoserver.csr --config="C:\Program Files\VMware\vCenter Server\vmcad\certool.cfg"

    Then have the generated ssoserver.csr signed by your Enterprise CA.
     
  7. Run this command to generate a .p12 file consisting of both the ssoserver.cer and ssoserver.key files:

    C:\> "C:\Program Files\VMware\vCenter Server\openSSL\openssl.exe" pkcs12 -export -in C:\ssl\ssoserver.cer -inkey C:\ssl\ssoserver.key -name "ssoserver" -passout pass:changeme -out C:\ssl\ssoserver.p12

    Note: Do not modify the -passout value. This must remain as changeme.
     
  8. Run this command to back up the existing ssoserver.p12 file:

    C:\> copy "C:\ProgramData\VMware\vCenterServer\runtime\VMwareSTSService\conf\ssoserver.p12" "C:\ProgramData\VMware\vCenterServer\runtime\VMwareSTSService\conf\ssoserver.p12.backup"
     
  9. Run this command to replace the old ssoserver.p12 with the newly generated ssoserver.p12 file:

    C:\> copy "C:\ssl\ssoserver.p12" "C:\ProgramData\VMware\vCenterServer\runtime\VMwareSTSService\conf\ssoserver.p12"
     
  10. In an environment that is running vCenter Server 5.5, where the CA certificate of the new Lookup Service certificate differs from that of the old Lookup Service certificate, run these steps:
     
    1. Run this command to update the SSO endpoints on port 7444 with the CA certificate of the new lookup service certificate.

      python ls_update_certs.py --url https://FQDN_of_Platform_Services_Controller/lookupservice/sdk --fingerprint Old_Certificate_Fingerprint --certfile New_CA_Certificate_Path --user [email protected] --password "Password"

      For example:

      python ls_update_certs.py --url https://psc.vmware.com/lookupservice/sdk --fingerprint 43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8 --certfile /certs/cert.crt --user [email protected] --password "Password"
    2. Update the C:\ProgramData\VMware\SSL\ca_certificates.crt on vCenter Server 5.5 with the CA certificate of the new lookup service certificate.
       
    3. Run these commands to restart the vCenter Server 5.5 services.

      C:\> "C:\Program Files\VMware\vCenter Server\bin\service-control.bat" --stop --all
      C:\> "C:\Program Files\VMware\vCenter Server\bin\service-control.bat" --start --all
  11. Run these commands to restart the Platform Services Controller services:

    C:\> "C:\Program Files\VMware\vCenter Server\bin\service-control.bat" --stop --all
    C:\> "C:\Program Files\VMware\vCenter Server\bin\service-control.bat" --start --all


    Note: If the Platform Services Controller is external from vCenter Server, restart the services on all vCenter Server machines registered with the Platform Services Controller.

    For more information, see:
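Before copying the new ssoserver.p12 over the live one (step 8 on the appliance, step 9 on Windows), it is worth confirming that the file really carries the "ssoserver" alias, the hostname from certool.cfg and a sane validity period, and the fingerprint that ls_update_certs.py --fingerprint expects is simply the SHA-1 fingerprint of the certificate in the backup .p12. The script below is an added example, not part of this article: it is written for the appliance shell (on Windows the same openssl commands apply with openssl.exe and the C:\ paths above), takes only the mandatory export password changeme from the article, and builds a throwaway self-signed certificate in place of certool so it runs offline; the hostname psc.example.com and the temporary paths are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the KB article: sanity-check an ssoserver.p12 and read
# a certificate's SHA-1 fingerprint (the ls_update_certs.py --fingerprint value).
# Only the export password "changeme" comes from the article; everything else
# (hostname, temp paths, self-signed demo certificate) is constructed here.
set -eu

# Print the certificate (PEM) held in a p12 exported with -passout pass:changeme.
p12_cert() {
    openssl pkcs12 -in "$1" -clcerts -nokeys -passin pass:changeme 2>/dev/null
}

# The -name alias given to openssl pkcs12 -export (must be "ssoserver").
p12_friendly_name() {
    p12_cert "$1" | sed -n 's/^ *friendlyName: //p' | head -n 1
}

# Subject CN of the certificate (should equal the hostname set in certool.cfg).
p12_cn() {
    p12_cert "$1" | openssl x509 -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Succeed only if the certificate is still valid $2 days from now.
p12_valid_for_days() {
    p12_cert "$1" | openssl x509 -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Colon-separated SHA-1 fingerprint, the format ls_update_certs.py expects.
p12_fingerprint() {
    p12_cert "$1" | openssl x509 -noout -fingerprint -sha1 | sed 's/^.*=//'
}

# Build a throwaway key/cert/p12 the way the article does, but self-signed with
# openssl instead of certool so the demo needs no VMCA (constructed input).
make_demo_p12() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
        -keyout "$1/ssoserver.key" -out "$1/ssoserver.cer" 2>/dev/null
    openssl pkcs12 -export -in "$1/ssoserver.cer" -inkey "$1/ssoserver.key" \
        -name "ssoserver" -passout pass:changeme -out "$1/ssoserver.p12"
}

# Demo: treat $tmp/ssoserver.p12 as the freshly generated file and report on it.
tmp=$(mktemp -d)
make_demo_p12 "$tmp" psc.example.com
echo "alias:       $(p12_friendly_name "$tmp/ssoserver.p12")"
echo "CN:          $(p12_cn "$tmp/ssoserver.p12")"
echo "fingerprint: $(p12_fingerprint "$tmp/ssoserver.p12")"
p12_valid_for_days "$tmp/ssoserver.p12" 30 && echo "valid for more than 30 days"
```

Run p12_fingerprint against the ssoserver.p12.backup copy to obtain the Old_Certificate_Fingerprint value for the ls_update_certs.py command above.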


Additional Information

If you do not want to use the VMware Certificate Authority to generate the certificate, you can manually generate the Certificate Signing Request and provide it to your desired Certificate Authority.
 
For more information, follow the steps for VMware vCenter Single Sign-On 5.5 in Creating certificate requests and certificates for vCenter Server 5.5 components (2061934) to generate new certificate files for the Lookup Service.
Creating certificate requests and certificates for vCenter Server 5.5 components
How to stop, start, or restart vCenter Server 6.x services
Stopping, starting, or restarting VMware vCenter Server Appliance 6.x services
Replacing the Lookup Service SSL certificate on a Platform Services Controller 6.0 (Japanese version)
vCenter Server or Platform Services Controller certificate validation error messages for external solutions in environments with an External Platform Services Controller