Cannot renew Trusted Root Certificates on vCenter 7.0.3

search cancel

Cannot renew Trusted Root Certificates on vCenter 7.0.3

book

Article ID: 403080

calendar_today

Updated On:

Products

VMware vCenter Server

Issue/Introduction

You have renewed Trusted Root Certificate using the option 8 (or 4) of certificate manager Using vSphere Certificate Manager to Replace SSL Certificates

When checking the certificates you can still see Trusted Root Certificates present in the environment

Alias : ###################################
            Not After : Jul  4 09:14:20 2025 GMT
Alias : ###################################
            Not After : Jul  7 13:06:27 2025 GMT

Environment

vCenter Server 8.x

vCenter Server 7.x

Cause

This is expected behavior
After renewing Trusted Root Certificate with Using vSphere Certificate Manager to Replace SSL Certificates, you need to unpublish certificate from VMDIR and
Delete if from VECS
Depending if the ESXi host is using the certificates refresh certificates on the ESXi host

Resolution

After renewing Trusted Root Certificate with Using vSphere Certificate Manager to Replace SSL Certificates, you need to proceed with the following

Removing CA Certificates from the TRUSTED_ROOTS store in the VMware Endpoint Certificate Store(VECS)

After the above steps are done, you may need to refresh ESXi host certificates depending if ESXi host certificates are used on the host

Renew or Refresh ESXi Certificates

Feedback

thumb_up Yes

thumb_down No