How to update expired intermediate certificate on the vCenter server

Article ID: 390761


Products

VMware vCenter Server

Issue/Introduction

This article explains the steps to replace an expired intermediate certificate with updated certificates.

Pre-requisites:

  1. Validate the current certificate chain using the commands below.

    # /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store MACHINE_SSL_CERT --text | less

    # /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS --text | less

    Reference: Manually reviewing certificates in VMware Endpoint Certificate Store for vSphere 6.x and 7.x

  2. Validate the Key Identifiers (Subject Key Identifier and Authority Key Identifier) of the new intermediate certificate. Both fields must match the old intermediate certificate; only the updated details (such as the validity dates) should differ.

    2.1 If the key identifier of the new intermediate certificate differs, you will need to renew all certificates in the vCenter.

    Reference: Replace vCenter Machine SSL certificate Custom Certificate Authority Signed Certificate

Environment

7.x

8.x

Cause

The vCenter Server is failing to start certain services because the intermediate certificate has expired. When the intermediate certificate is no longer valid, the certificate chain breaks, leading to service startup failures until the expired certificate is replaced or renewed.

Resolution

Here are the steps to update the expired intermediate certificate:

Important Note: Before proceeding with step #4, make sure to obtain the "Intermediate Certificate" from the CA and then continue with the steps below.

  1. Back up the current Machine SSL certificate.

    # /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output /var/core/ssl_backup.cer

  2. Back up the Machine SSL key.

    # /usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output /var/core/ssl_key.key


  3. Remove the Machine SSL certificate from the store.

    # /usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store MACHINE_SSL_CERT --alias __MACHINE_CERT -y

  4. Remove the old intermediate certificate from the trusted roots store.

    Reference: Removing CA Certificates from the TRUSTED_ROOTS store in the VMware Endpoint Certificate Store (VECS)


  5. Publish the new intermediate certificate to the trusted roots store.

    # /usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert /var/core/intermediate.cer --login administrator

  6. Refresh the VECS store.

    # /usr/lib/vmware-vmafd/bin/vecs-cli force-refresh


  7. Create the certificate chain.

    a. Save your individual certificates as machine_certificate.cer, intermediate_certificate.cer, and root_certificate.cer.

    b. Create the chain (machine certificate first, then intermediate, then root):

    # cat machine_certificate.cer intermediate_certificate.cer root_certificate.cer > /var/core/ssl.cer
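The two places where this procedure silently goes wrong are pre-requisite 2 (a renewed intermediate that was re-keyed, so its Subject Key Identifier no longer matches) and step 7 (a chain assembled in the wrong order or built around an intermediate that is itself expired). The helper script below is an added example, not part of the KB article or of the vecs-cli/dir-cli tooling; it uses only openssl and assumes PEM-encoded files whose paths are supplied by the caller. Run it on the appliance before steps 5 and 8 so that a bad intermediate is caught before anything is deleted from VECS.

```shell
#!/bin/sh
# Added example (not from the KB article): openssl sanity checks to run
# before publishing certificates into VECS. Assumes PEM-encoded files;
# all paths are caller-supplied placeholders.

# Print the X509v3 Subject Key Identifier of a PEM certificate (colon-separated hex).
ski_of() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | awk '/X509v3 Subject Key Identifier/ { getline; gsub(/[ \t]/, ""); print; exit }'
}

# Print the X509v3 Authority Key Identifier keyid. OpenSSL 1.1.1 prints it
# as "keyid:AB:CD:...", OpenSSL 3 may print the bare hex; both are normalised.
aki_of() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | awk '/X509v3 Authority Key Identifier/ { getline; gsub(/[ \t]/, ""); sub(/^keyid:/, ""); print; exit }'
}

# Pre-requisite 2: the renewed intermediate must carry the same SKI and AKI as
# the expired one. A mismatch means the CA re-keyed the intermediate, and every
# certificate issued under it (the Machine SSL certificate included) must be
# reissued instead of just swapping the intermediate. Returns 0 on match.
same_key_ids() {
  old="$1"; new="$2"
  [ -n "$(ski_of "$old")" ] && [ -n "$(aki_of "$old")" ] \
    || { echo "old intermediate has no SKI/AKI extension" >&2; return 1; }
  [ "$(ski_of "$old")" = "$(ski_of "$new")" ] \
    || { echo "Subject Key Identifier differs: intermediate was re-keyed" >&2; return 1; }
  [ "$(aki_of "$old")" = "$(aki_of "$new")" ] \
    || { echo "Authority Key Identifier differs: issuing root changed" >&2; return 1; }
  return 0
}

# Step 7: confirm the machine certificate actually chains to the root through
# the intermediate, that the intermediate is not expired, and only then write
# the concatenated chain in leaf -> intermediate -> root order.
# Returns 0 on success; the output file is not created on failure.
build_chain() {
  leaf="$1"; inter="$2"; root="$3"; out="$4"
  openssl x509 -in "$inter" -noout -checkend 0 >/dev/null 2>&1 \
    || { echo "intermediate certificate is expired" >&2; return 1; }
  [ "$(aki_of "$leaf")" = "$(ski_of "$inter")" ] \
    || { echo "machine certificate AKI does not match the intermediate SKI" >&2; return 1; }
  openssl verify -CAfile "$root" -untrusted "$inter" "$leaf" >/dev/null 2>&1 \
    || { echo "chain does not verify against the root" >&2; return 1; }
  cat "$leaf" "$inter" "$root" > "$out"
}

# Usage on the appliance (paths from the KB steps are placeholders here):
#   same_key_ids /var/core/old_intermediate.cer /var/core/intermediate.cer
#   build_chain machine_certificate.cer intermediate_certificate.cer root_certificate.cer /var/core/ssl.cer
```

The old intermediate can be exported for comparison with `vecs-cli entry getcert --store TRUSTED_ROOTS --alias <alias>` before it is removed in step 4; `same_key_ids` is the test that decides whether this article applies at all or whether the full certificate replacement referenced in pre-requisite 2.1 is required.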


  8. Publish the new certificate chain to the SSL store.

    # /usr/lib/vmware-vmafd/bin/vecs-cli entry create --store MACHINE_SSL_CERT --alias __MACHINE_CERT --cert /var/core/ssl.cer --key /var/core/ssl_key.key

  9. Refresh the VECS store again.

    # /usr/lib/vmware-vmafd/bin/vecs-cli force-refresh

  10. Restart all vCenter services.

    # service-control --stop --all && service-control --start --all