vCenter triggered an alarm regarding LDAPS certificate expiry or LDAPS user authentication stops working due to LDAPS certificate expired:  "Identity Source LDAP Certificate is about to expire"

vCenter Server 7.0

vCenter Server 8.0

LDAPS Identity Provider SSO authentication relies on LDAPS service machine certificate to be valid for authentication to succeed. If the LDAPS certificate expires, authentication via this Identity Provider will fail.

Follow the below steps to fix the issue:

• Verify the validaity of the certificate using either of the below commands:
  • /opt/vmware/bin/sso-config.sh -get_identity_sources
  • openssl s_client -connect domain_controller.example.com:636 -showcerts
• Renew the certificates on the Domain controller.
• Remove existing LDAPS IdP configuration and re-create it using new LDAPS machine certificate chain:
  • Take snapshot of VCSA VM prior to making any changes.
    • If the vCenter is part of a Linked Mode replication setup, please backup/snapshot all replicating nodes as well. Please refer: VMware vCenter in Enhanced Linked Mode pre-changes snapshot (online or offline) best practice
    • Perform the following steps on only one of the linked vCenter servers, since the IdP configuration will be replicated to the other linked vCenter servers.
  • Take note of the current LDAPS configuration as you will need these details to re-create the LDAPS configuration.
  • Remove the existing LDAPS configuration and re-create it using the new LDAPS machine certificate (KB 316596).
    • NOTE: Make sure the certificate file being used is a valid ".cer" or ".crt". File format ".p7b" is not valid for this use.

Fails to save LDAPS configuration if trying to edit the existing configuration:

• The configuration needs to be removed and re-created to update the LDAPS certificate.