Renew expiring/expired LDAPS certificate for vCenter SSO Identity Provider

Article ID: 371578

Updated On:

Products

  • VMware vCenter Server 7.0
  • VMware vCenter Server 8.0

Issue/Introduction

vCenter raises the alarm "Identity Source LDAP Certificate is about to expire", or LDAPS user authentication stops working because the LDAPS certificate has expired.

Cause

SSO authentication through an LDAPS Identity Provider relies on the domain controller's LDAPS machine certificate being valid. Once that certificate expires, authentication via this Identity Provider fails.

Resolution

  1. Verify the validity of the certificate using either of the following commands:
    • /opt/vmware/bin/sso-config.sh -get_identity_sources
    • openssl s_client -connect domain_controller.example.com:636 -showcerts
  2. Renew the certificates on the domain controller.
  3. Remove the existing LDAPS IdP configuration and re-create it using the new LDAPS machine certificate chain:
    1. Take a snapshot of the VCSA VM before making any changes.
    2. Take note of the current LDAPS configuration, as the details are needed to re-create the LDAPS configuration.
    3. Remove the existing LDAPS configuration and re-create it using the new LDAPS machine certificate. See: Configuring a vCenter Single Sign-On Identity Source using LDAP with SSL (LDAPS).
      • NOTE: Make sure the certificate file being used is a valid ".cer" or ".crt" file. The ".p7b" file format is not valid for this use.
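Step 1 lists the commands for inspecting the certificate. The script below is an added example, not part of this KB article, that wraps the same `openssl s_client` check so the LDAPS certificate's expiry can be tested against a threshold (for example from a scheduled job, before the vCenter alarm fires). The host name, port and file names are assumptions; `openssl x509 -checkend` is the standard OpenSSL option used for the threshold test.

```shell
#!/bin/sh
# Added example (not from the KB article): check the certificate presented on an
# LDAPS port, or an already saved PEM file, for upcoming expiry.
# Host name, port and file names below are assumptions.

# Fetch the leaf certificate the domain controller presents on its LDAPS port,
# as PEM. The empty stdin makes s_client close the session immediately.
#   fetch_ldaps_cert domain_controller.example.com 636 > dc.pem
fetch_ldaps_cert() {
    host="$1"
    port="${2:-636}"
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
        </dev/null 2>/dev/null | openssl x509 -outform PEM
}

# Print the notAfter date of the certificate in the PEM file "$1".
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Exit 0 if the certificate in "$1" expires within "$2" days (or has already
# expired), exit 1 if it stays valid past that window. openssl's -checkend
# exits 0 when the certificate is still valid at now+seconds, so the result
# is inverted here.
cert_expires_within() {
    if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null; then
        return 1
    fi
    return 0
}

# Whole days until the certificate in "$1" expires; negative once expired.
# Tries GNU date first, then the BSD/macOS date syntax.
cert_days_remaining() {
    end="$(cert_not_after "$1")"
    end_epoch="$(date -u -d "$end" +%s 2>/dev/null \
        || date -u -j -f '%b %d %T %Y %Z' "$end" +%s)"
    now_epoch="$(date -u +%s)"
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# Usage: ./ldaps_cert_check.sh --check domain_controller.example.com 636
# Reports the expiry and exits 2 when renewal is due within 30 days.
if [ "${1:-}" = "--check" ]; then
    pem="$(mktemp)"
    fetch_ldaps_cert "$2" "${3:-636}" > "$pem"
    echo "notAfter: $(cert_not_after "$pem") ($(cert_days_remaining "$pem") days left)"
    if cert_expires_within "$pem" 30; then
        echo "WARNING: LDAPS certificate expires within 30 days; renew it on the domain controller and re-create the identity source"
        rm -f "$pem"
        exit 2
    fi
    rm -f "$pem"
fi
```

`s_client -showcerts` prints the whole chain, but `openssl x509` only reads the first PEM block, so the check applies to the leaf (machine) certificate, which is the one the identity source validates. The 30-day window is an arbitrary threshold; pick one that leaves time for the snapshot-and-recreate procedure above.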

Additional Information

Use proper certificate files for VC LDAPS IdP configuration:

  1. If working with only the ".p7b" file, import the certificate into the "Personal" certificate folder of the client machine being used (on Windows, use the Certificate Manager for the local machine).
  2. Export the certificate as Base64. This creates a certificate in ".cer" format. Notepad can be used to view this certificate in clear text, and double-clicking the ".cer" file should open it in Windows Certificate Manager.
  3. Once the certificate is exported, delete the certificate that was imported from the ".p7b" file from the "Personal" folder.
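The steps above perform the conversion with the Windows Certificate Manager. The functions below are an added example, not from this article, that do the same ".p7b" to Base64/PEM ".cer" conversion with OpenSSL on any machine that has it installed, and then list the certificates in the resulting chain so the right file can be confirmed before it is used for the identity source. File names are assumptions.

```shell
#!/bin/sh
# Added example (not from the KB article): convert a PKCS#7 (.p7b) bundle into
# a Base64/PEM ".cer" chain with OpenSSL, then list what the chain contains.
# File names are assumptions.

# Convert a .p7b bundle (PEM or DER encoded) into a PEM file "$2" that holds
# only the certificates. "-print_certs" also emits subject/issuer text lines,
# which are stripped so the output contains nothing but PEM blocks.
p7b_to_pem() {
    in="$1"
    out="$2"
    if grep -q 'BEGIN PKCS7' "$in" 2>/dev/null; then form=PEM; else form=DER; fi
    openssl pkcs7 -inform "$form" -in "$in" -print_certs \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$out"
}

# Number of certificates in the PEM chain file "$1".
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Print one line per certificate in the PEM chain "$1": subject and notAfter.
# The chain is split into one file per certificate because openssl x509
# only reads the first certificate of its input.
pem_chain_summary() {
    dir="$(mktemp -d)"
    awk -v d="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = d "/cert" n ".pem" }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
    ' "$1"
    for c in "$dir"/cert*.pem; do
        openssl x509 -in "$c" -noout -subject -enddate | tr '\n' ' '
        echo
    done
    rm -rf "$dir"
}

# Usage: ./p7b_to_cer.sh ldaps_chain.p7b ldaps_chain.cer
if [ $# -eq 2 ]; then
    p7b_to_pem "$1" "$2"
    echo "$(pem_cert_count "$2") certificate(s) written to $2:"
    pem_chain_summary "$2"
fi
```

The summary is the check worth doing before uploading: it shows whether the bundle holds the leaf machine certificate, the full issuing chain, or only an intermediate, and whether any certificate in it is already close to its notAfter date.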

Saving the LDAPS configuration fails when trying to edit the existing configuration:

  • The configuration needs to be removed and re-created to update the LDAPS certificate.