- Create a folder named certs at the filesystem root:
mkdir /certs
- Copy the config file:
cp /usr/lib/vmware-vmca/share/config/certool.cfg /certs/Machine_ssl_cert.cfg
- Create private and public key:
/usr/lib/vmware-vmca/bin/certool --genkey --privkey=machine_ssl_cert.priv --pubkey=machine_ssl_cert.pubkey
- Proceed to create the Certificate Signing Request (CSR):
/usr/lib/vmware-vmca/bin/certool --initcsr --privkey=machine_ssl_cert.priv --pubkey=machine_ssl_cert.pubkey --csrfile=machine.csr --config=Machine_ssl_cert.cfg
- Sign the CSR, then build the certificate chain and name it machine.crt; refer to Obtaining vSphere certificates from a Microsoft Certificate Authority.
Note: The same process applies to third-party custom certificates, where the customer provides the CSR to the certificate vendor, who generates the signed certificate.
- Back up the local copy of the current certificate and private key before replacing them:
/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT > oldmachine.crt
/usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store MACHINE_SSL_CERT --alias __MACHINE_CERT > oldmachinekey.key
- Delete the existing certificate entry:
/usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store MACHINE_SSL_CERT --alias __MACHINE_CERT
- Add the new certificate:
/usr/lib/vmware-vmafd/bin/vecs-cli entry create --store MACHINE_SSL_CERT --alias __MACHINE_CERT --cert machine.crt --key machine_ssl_cert.priv
- Update the lookup service registration endpoints using the 'lsdoctor' tool (KB 80469) with the trustfix option.
- vCenter 7.x - manually:
/usr/lib/vmware-lookupsvc/tools/ls_update_certs.py --url https://<vCenterServer_FQDN>/lookupservice/sdk --certfile <cert-file-path> --user 'administrator@vsphere.local' --password '<password>' --fingerprint <SHA1_hash_of_the_old_certificate_to_replace>
Note: On vCenter 8.0 U2, ls_update_certs.py fails with an attribute error. Refer to KB 95982 for the workaround.
- Restart the services.
- Verify that the web client shows the new certificate and that all VCSA inventory is present.
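The procedure above gives no way to confirm that machine.crt and machine_ssl_cert.priv actually belong together, or to obtain the SHA1 fingerprint of the old certificate that ls_update_certs.py asks for. The following script is an added example (not part of the KB and not a VMware tool): it uses openssl, which is present on the appliance, to run those pre-flight checks against the files the procedure creates in /certs, and to compare the certificate served on port 443 after the restart with the one loaded into VECS. The file names match the procedure; the FQDN and the script name preflight.sh are placeholders.

```shell
#!/bin/sh
# Added example, not part of the KB: pre-flight checks for a Machine SSL
# certificate replacement, run with openssl before the new pair is loaded
# into VECS with 'vecs-cli entry create', plus the SHA1 fingerprint of the
# old certificate that ls_update_certs.py --fingerprint expects.
# File names follow the procedure above; the FQDN is a placeholder.
set -eu

# SHA1 fingerprint of a PEM certificate in the colon-separated form
# ls_update_certs.py wants (e.g. AB:CD:...).
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//'
}

# Succeeds only when the private key matches the leaf certificate.
# Compares the public key derived from each side (works for RSA and EC),
# so a mismatched pair is caught before it is written into MACHINE_SSL_CERT.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds when the leaf certificate carries the host name as a DNS SAN;
# clients ignore the CN, so the vCenter FQDN has to appear here.
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | grep -q "DNS:$2"
}

# Number of certificates in a PEM bundle; machine.crt should hold the leaf
# followed by the intermediates and the root, so expect more than 1.
chain_length() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# After the service restart: fingerprint of the certificate actually served
# on 443, to compare with cert_fingerprint machine.crt (needs network access).
served_fingerprint() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha1 | sed 's/^.*=//'
}

# Walk-through against the files in /certs. On the appliance, run as:
#   sh preflight.sh vcenter.example.test     (hypothetical FQDN)
preflight() {
  fqdn=$1
  cd /certs
  echo "old fingerprint for ls_update_certs.py: $(cert_fingerprint oldmachine.crt)"
  key_matches_cert machine.crt machine_ssl_cert.priv || { echo "key/cert mismatch"; return 1; }
  cert_has_san machine.crt "$fqdn" || { echo "no DNS SAN for $fqdn"; return 1; }
  [ "$(chain_length machine.crt)" -gt 1 ] || echo "warning: machine.crt carries no chain"
  openssl x509 -in machine.crt -noout -checkend 2592000 || echo "warning: expires within 30 days"
  echo "pre-flight OK; new fingerprint: $(cert_fingerprint machine.crt)"
}

if [ $# -eq 1 ]; then
  preflight "$1"
fi
```

Run the script once before the vecs-cli entry create step and once more after the services restart, comparing served_fingerprint against the new fingerprint it printed; a match on the old fingerprint after the restart means the store was updated but the services are still presenting the cached certificate.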