Renew expiring/expired LDAPS certificate for vCenter SSO IdP
Article ID: 371578
Products: VMware vCenter Server 7.0, VMware vCenter Server 8.0
Issue/Introduction
vCenter raises an alarm stating that the LDAPS certificate is due to expire, or user authentication through the LDAPS identity source stops working because the LDAPS certificate has expired.
Environment
vCenter Server 7.0
vCenter Server 8.0
Cause
SSO authentication through an LDAPS identity provider (IdP) depends on the LDAPS service's machine certificate, which is stored in the IdP configuration, being valid; authentication succeeds only while that certificate is valid.
- If the LDAPS certificate expires, authentication via this IdP starts to fail.
Resolution
Remove the existing LDAPS IdP configuration and re-create it using the new LDAPS machine certificate.
Take a snapshot of the VCSA VM before making any changes.
If the vCenter Server is in Enhanced Linked Mode (ELM), take offline snapshots of all linked VCSA VMs, then perform the following steps on only one of the linked vCenter Servers, since the IdP configuration is replicated to the other linked vCenter Servers.
Record the current LDAPS configuration (server URLs, base DNs, bind account, domain details) before removing it; you will need these details to re-create it.
Remove the existing LDAPS configuration and re-create it using the new LDAPS machine certificate (KB 316596).
NOTE: Make sure the certificate file being used is a valid Base64-encoded ".cer" or ".crt" file. The ".p7b" (PKCS#7) format is not valid for this use.
Additional Information
Use the proper certificate file for the vCenter LDAPS IdP configuration:
If you only have the ".p7b" file, import the certificate into the "Personal" certificate store of the client machine being used (on Windows, use Certificate Manager for the local machine).
Export the certificate as Base64-encoded X.509. This produces a ".cer" file. You should be able to open this file in Notepad and see readable Base64 text between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines, and double-clicking it should open it in Windows Certificate Manager.
Once the certificate is exported, delete the certificate that was imported from the ".p7b" file from the "Personal" store.
Saving fails when editing the existing LDAPS configuration:
The LDAPS certificate cannot be updated in place. The configuration must be removed and re-created to update the certificate.
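The helper functions below are an added example and are not part of this KB article or of VMware's tooling. They use openssl from a Linux or macOS shell to confirm which certificate the LDAPS server actually presents, to check how close it is to expiry (the condition behind the vCenter alarm), to verify that a file is the Base64 ".cer" form the IdP configuration accepts, and to convert a ".p7b" bundle to that form without going through Windows Certificate Manager. The host name dc01.example.test, port 636 and the file names are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original KB. Requires openssl on the PATH.
# Host names, ports and file names are assumptions, not values from the article.
set -eu

# Fetch the certificate presented by an LDAPS endpoint (assumed host, port 636)
# and save it as PEM. Needs network access to the directory server.
fetch_ldaps_cert() {
    host="$1"; port="${2:-636}"; out="$3"
    openssl s_client -connect "${host}:${port}" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$out"
}

# Return 0 if the file is a readable Base64 (PEM) X.509 certificate, 1 otherwise.
# A .p7b file fails this check even when it is PEM-armoured, because it carries
# a PKCS7 block rather than a CERTIFICATE block.
is_pem_cert() {
    grep -q 'BEGIN CERTIFICATE' "$1" && openssl x509 -in "$1" -inform PEM -noout
}

# Return 0 if the certificate expires within the given number of days
# (what the vCenter alarm warns about), 1 if it stays valid beyond that window.
expires_within() {
    pem="$1"; days="$2"
    ! openssl x509 -in "$pem" -noout -checkend $(( days * 86400 ))
}

# Print whole days until the certificate expires; negative means already expired.
# Uses GNU date, with a BSD/macOS date fallback.
days_until_expiry() {
    pem="$1"
    not_after=$(openssl x509 -in "$pem" -noout -enddate | cut -d= -f2)
    exp=$(date -u -d "$not_after" +%s 2>/dev/null \
        || date -u -j -f "%b %e %T %Y %Z" "$not_after" +%s)
    now=$(date -u +%s)
    echo $(( (exp - now) / 86400 ))
}

# Convert a PKCS#7 (.p7b) bundle, PEM- or DER-encoded, to a Base64 .cer file.
# Only the certificate blocks are kept, so the result opens in a text editor
# as BEGIN CERTIFICATE / END CERTIFICATE sections, which is what the IdP
# configuration expects; the .p7b itself is not accepted.
p7b_to_cer() {
    p7b="$1"; out="$2"
    if grep -q 'BEGIN PKCS7' "$p7b" 2>/dev/null; then
        inform=PEM
    else
        inform=DER
    fi
    openssl pkcs7 -in "$p7b" -inform "$inform" -print_certs \
        | sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' > "$out"
}

# Typical use before re-creating the IdP configuration:
#   fetch_ldaps_cert dc01.example.test 636 ldaps.pem
#   expires_within ldaps.pem 30 && echo "renew now: $(days_until_expiry ldaps.pem) days left"
#   p7b_to_cer new-ldaps.p7b new-ldaps.cer && is_pem_cert new-ldaps.cer
```

Run `fetch_ldaps_cert` against each server URL in the identity source and compare the result with the file you are about to upload: if the directory server has already been issued a new certificate but the IdP still holds the old one, the expiry check on the fetched certificate passes while logins still fail, which confirms the IdP configuration itself must be removed and re-created.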