HCX appliance does not auto-renew its self-signed certificate
Article ID: 403649

Products

VMware HCX

Issue/Introduction

  • HCX Connector or HCX Manager does not automatically generate a new self-signed certificate after the original certificate, generated at the time of HCX deployment, expires.
  • HCX Manager continues to function with the expired certificate.
  • The certificate validity can be verified in the HCX Manager Admin UI at https://<hcx-manager-fqdn>:9443 by logging in as admin and navigating to Administration --> Certificate --> Trusted CA Certificate.

Environment

VMware HCX 4.x

Cause

  • HCX Manager deployed in versions older than 4.4 lacks the automated task that periodically checks for an expired certificate and initiates its automatic replacement.

Resolution

  • The appliance certificate can still be manually replaced by following the documentation here --> Updating the Local Server Certificate on an HCX Manager.
  • To generate a self-signed certificate and private key pair matching the expired certificate that was created during deployment of HCX, run the shell command below on the HCX Manager appliance after logging in as admin, or from any system with the openssl utility that has connectivity to the HCX Manager.
openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout pkey.pem -out cert.pem -days 875 -subj "/O=VMware/OU=Hybridity/CN=hcx.local" -addext "subjectAltName=DNS:<FQDN>,IP:<IP>"
    • req :- Specifies the Certificate Signing Request (CSR) subcommand.
    • -x509 :- OpenSSL will output a self-signed certificate instead of a CSR.
    • -newkey :- Creates a new private key at the same time.
    • rsa:4096 :- RSA algorithm with a strong 4096-bit key length.
    • -sha256 :- Specifies the hash algorithm used to sign the certificate.
    • -nodes :- (Pronounced "no-DES") Stands for no DES encryption. The private key (pkey.pem) will not be protected by a password, allowing the services to restart automatically.
    • -keyout :- Defines the filename (pkey.pem) where the newly created private key will be saved.
    • -out :- Defines the filename (cert.pem) where the public certificate will be saved.
    • -days 875 :- Sets the validity period of the certificate. In this case, it will expire in 875 days.
    • -subj :- Sets the Subject field of the certificate manually, avoiding interactive prompts.
    • -addext :- Adds Subject Alternative Name (SAN) extensions so that the certificate validates for the specified hostname and IP address. This option requires OpenSSL 1.1.1 or newer; older releases fail with an unknown-option error.

  • The pkey.pem and cert.pem files are created in the directory from which the openssl command is executed.
  • Their contents can then be pasted into the HCX Manager Admin UI, accessed via https://<hcx-manager-fqdn>:9443.
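Added example, not part of the KB article: a POSIX shell wrapper around the openssl command above that also verifies the generated pair before it is pasted into the Admin UI (remaining validity, SAN entries, private key matching the certificate) and applies the same expiry check to the live appliance on port 9443. The FQDN and IP values in the usage line are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the KB): generate the HCX self-signed pair with the
# article's command and check what was produced. FQDN/IP are constructed.

# hcx_gen_selfsigned FQDN IP KEYFILE CERTFILE
# Same command as the article: RSA-4096, SHA-256, 875-day validity, DNS+IP SAN.
hcx_gen_selfsigned() {
    openssl req -x509 -newkey rsa:4096 -sha256 -nodes \
        -keyout "$3" -out "$4" -days 875 \
        -subj "/O=VMware/OU=Hybridity/CN=hcx.local" \
        -addext "subjectAltName=DNS:$1,IP:$2"
}

# cert_valid_in_days CERTFILE DAYS
# Exit 0 if the certificate will still be valid DAYS days from now.
cert_valid_in_days() {
    openssl x509 -noout -in "$1" -checkend $(( $2 * 86400 )) >/dev/null
}

# cert_has_san CERTFILE NAME
# Exit 0 if NAME is present as a DNS or IP entry in subjectAltName.
cert_has_san() {
    openssl x509 -noout -text -in "$1" \
        | grep -Eq "(DNS|IP Address):$2(,|$)"
}

# key_matches_cert KEYFILE CERTFILE
# Exit 0 if the public half of the private key equals the certificate's
# public key; only a matching pair is usable by the appliance.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -noout -pubkey -in "$2")" ]
}

# appliance_cert_valid_in_days FQDN DAYS
# Pull the certificate currently served on the Admin UI port 9443 and apply
# the same expiry check (needs network reachability to the appliance).
appliance_cert_valid_in_days() {
    openssl s_client -connect "$1:9443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Usage: sh hcx_cert.sh hcx01.example.test 192.0.2.10   (placeholders)
if [ $# -eq 2 ]; then
    hcx_gen_selfsigned "$1" "$2" pkey.pem cert.pem
    cert_valid_in_days cert.pem 870 && cert_has_san cert.pem "$1" \
        && cert_has_san cert.pem "$2" && key_matches_cert pkey.pem cert.pem \
        && echo "cert.pem/pkey.pem OK for $1 ($2); paste both into the Admin UI"
fi
```

Run `appliance_cert_valid_in_days <hcx-manager-fqdn> 30` from a monitoring host to be warned before the appliance certificate lapses again.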