How to replace Expired vCenter Certificates in a VMware Cloud Foundation Environment

Article ID: 342636

Updated On:

Products

VMware Cloud Foundation

Issue/Introduction

This KB assists customers with replacing expired vCenter SSL certificates in a vCF environment.

Symptoms:
vCenter certificates in a VMware Cloud Foundation environment have expired.

Environment

VMware Cloud Foundation 3.10.x
VMware Cloud Foundation 4.x
VMware Cloud Foundation 3.8.x
VMware Cloud Foundation 3.9.x

Resolution

Expired VMCA certificates need to be replaced first; the remaining certificates can then be replaced.

Note: STS certificates are not managed by SDDC-Manager and should be replaced using the appropriate KBs:
 
CA-signed certificates are recommended for this replacement, but vCenter certificates can also be replaced with self-signed certificates.

Replace VMCA certificate:
 
Follow the steps in the following KB: https://kb.vmware.com/s/article/2112277

Replace vCenter Machine certificate:
 
Follow the steps in the following KB: https://kb.vmware.com/s/article/2112277

Replace PSC Machine certificate (vCF 3.x only):
 
Follow the steps in the following KB: https://kb.vmware.com/s/article/2112277

Reestablishing trust with SDDC-Manager:

Note: If the root certificate or VMCA certificate were not replaced, trust should be reestablished automatically.

Note: The following steps must be used to import both the root and the intermediate certificates.
  1. Use any file transfer utility to copy the root CA certificate file to the /tmp directory on the SDDC-Manager VM.
  2. SSH to SDDC-Manager and change to the root user:
     su
  3. Run the command below to get the commonsvcs truststore password:
     cat /etc/vmware/vcf/commonsvcs/trusted_certificates.key
  4. Use the following command to import the root CA into the commonsvcs truststore:
     keytool -importcert -alias <aliasname> -file <certificate file> -keystore /etc/vmware/vcf/commonsvcs/trusted_certificates.store

     Note: <aliasname> can be any user-defined name. <certificate file> is the path of the root CA certificate.
  5. When prompted, provide the truststore password obtained in step 3 to add the certificate to the truststore.
  6. Type yes when prompted to trust the certificate.
  7. Verify that the new root CA has been added to the common services truststore; enter the truststore password obtained in step 3 when prompted:
     keytool -list -v -keystore /etc/vmware/vcf/commonsvcs/trusted_certificates.store
  8. Use the following command to import the root CA into the SDDC-Manager truststore:
     keytool -importcert -alias <aliasname> -file <certificate file> -keystore /etc/alternatives/jre/lib/security/cacerts

     Note: <aliasname> can be any user-defined name. <certificate file> is the path of the root CA certificate.
  9. When prompted, provide the password to add the certificate to the truststore. The default password is "changeit".
  10. Type yes when prompted to trust the certificate.
  11. Verify that the new root CA has been added to the SDDC-Manager truststore:
      keytool -list -v -keystore /etc/alternatives/jre/lib/security/cacerts
  12. After importing the CA certificate into the truststore, restart all SDDC-Manager services:
      /opt/vmware/vcf/operationsmanager/scripts/cli/sddcmanager_restart_services.sh
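The trust-reestablishment steps above, as an added example script that is not part of the KB or of VMware's tooling: it imports a root CA and any intermediate certificates into both truststores without interactive prompts, skips an alias that is already present, verifies each import, and restarts the services. The store, key and restart-script paths are the KB's; the alias prefix, the JRE_STOREPASS variable and the chain-file arguments are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the KB): import a CA chain, root first and then any
# intermediates, into both SDDC-Manager truststores non-interactively, confirm
# each import, then restart the services. Paths are the KB's; the rest is ours.
COMMONSVCS_STORE=/etc/vmware/vcf/commonsvcs/trusted_certificates.store
COMMONSVCS_KEY=/etc/vmware/vcf/commonsvcs/trusted_certificates.key
JRE_STORE=/etc/alternatives/jre/lib/security/cacerts
JRE_STOREPASS=changeit   # default per the KB; change it if it was altered
RESTART=/opt/vmware/vcf/operationsmanager/scripts/cli/sddcmanager_restart_services.sh

# Print the first line of the commonsvcs key file, i.e. the truststore password.
read_store_password() {
    pw=
    IFS= read -r pw < "$1" || [ -n "$pw" ] || return 1
    printf '%s' "$pw"
}

# Import certificate $3 under alias $2 into truststore $1 using password $4.
# The password reaches keytool through the environment (-storepass:env), not
# the command line, so it does not show up in `ps` or shell history. An alias
# that already exists is skipped: use a fresh alias if an old CA used the name.
import_ca() {
    export STOREPASS="$4"
    if keytool -list -keystore "$1" -storepass:env STOREPASS -alias "$2" >/dev/null 2>&1; then
        echo "alias $2 already present in $1, skipping"; unset STOREPASS; return 0
    fi
    keytool -importcert -noprompt -keystore "$1" -storepass:env STOREPASS \
        -alias "$2" -file "$3" >/dev/null || { unset STOREPASS; return 1; }
    # Verify the entry really is listed under that alias after the import.
    if keytool -list -keystore "$1" -storepass:env STOREPASS -alias "$2" >/dev/null; then
        echo "imported $3 as $2 into $1"; unset STOREPASS; return 0
    fi
    echo "import of $3 into $1 could not be verified" >&2; unset STOREPASS; return 1
}

# import_chain <alias-prefix> <root.pem> [intermediate.pem ...]
import_chain() {
    prefix=$1; shift
    cs_pass=$(read_store_password "$COMMONSVCS_KEY") || { echo "cannot read $COMMONSVCS_KEY" >&2; return 1; }
    n=0
    for cert in "$@"; do
        n=$((n + 1))
        import_ca "$COMMONSVCS_STORE" "$prefix-$n" "$cert" "$cs_pass" || return 1
        import_ca "$JRE_STORE" "$prefix-$n" "$cert" "$JRE_STOREPASS" || return 1
    done
    "$RESTART"   # services only pick up the new trust after a restart
}
if [ $# -gt 0 ]; then import_chain "$@"; fi
```

Run it as root on the SDDC-Manager VM with the alias prefix followed by the chain files in order, for example `sh import_chain.sh vcf-root-2024 /tmp/root.pem /tmp/intermediate.pem`.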