Replacing vRSLCM certificates signed with VMCA Authority



Article ID: 409301


Products

VMware SDDC Manager VCF Operations/Automation (formerly VMware Aria Suite)

Issue/Introduction

  • The vRSLCM (VMware Aria Suite Lifecycle Manager) certificate has expired.
  • A CSR cannot be generated from SDDC Manager.
  • The SDDC Manager upgrade precheck fails because of the vRSLCM certificate (expired or not trusted). Error: "The provided hostname #### is invalid or the SSL certificate for #### is not trusted"

Environment

VMware Cloud Foundation 4.x , 5.x

vRealize Lifecycle Manager 8.x

vCenter Server 7.x, 8.x

Cause

  • The vRSLCM (VMware Aria Suite Lifecycle Manager) certificate has expired or is about to expire.
  • The certificate needs to be renewed and signed by the VMCA (vCenter's VMware Certificate Authority).

Resolution

  • Generate a CSR on vRSLCM from the GUI -> Locker -> Certificates -> Generate CSR. [ NOTE: Enter the valid vRSLCM node FQDN and IP address; both end up in the certificate's Subject Alternative Names, and a mismatch causes the SDDC Manager trust error above. ]
  • The browser downloads the CSR and the private key together in a single .pem file.
  • Split this .pem into 2 files:

a. one containing only the CSR (CSR.pem), i.e. the block from "-----BEGIN CERTIFICATE REQUEST-----" to "-----END CERTIFICATE REQUEST-----", and

b. one containing only the private key (CSR.key).

  • Follow the steps below to get the CSR signed by the VMCA on the vCenter Server. Create cert.cfg as described in KB replacing-sddc-certificates-with-vmca (refer to steps 3 and 5):
    • Copy the CSR.pem and CSR.key files created above into /tmp/certs on the vCenter Server.
    • Sign the certificate using the command below:

# openssl x509 -req -days 3650 -in CSR.pem -out CSR.crt -CA /var/lib/vmware/vmca/root.cer -CAkey /var/lib/vmware/vmca/privatekey.pem -extensions v3_req -CAcreateserial -extfile cert.cfg 

    • Create the certificate chain, containing the newly signed certificate followed by the vCenter VMCA root (/var/lib/vmware/vmca/root.cer), using the commands below (leaf certificate first, then the root):

# cat CSR.crt >> <vRSLCM-Name>.pem
# cat /var/lib/vmware/vmca/root.cer >> <vRSLCM-Name>.pem

  • Now import the certificate (<vRSLCM-Name>.pem) on vRSLCM using the GUI -> Locker -> Certificates -> Import:
    • Enter a Name.
    • Enter the private key (CSR.key): the contents from "-----BEGIN PRIVATE KEY-----" to "-----END PRIVATE KEY-----".
    • Enter the certificate chain,

i.e. the contents of the signed certificate <vRSLCM-Name>.pem from "-----BEGIN CERTIFICATE-----" to "-----END CERTIFICATE-----"

followed by the contents of the vCenter Server file /var/lib/vmware/vmca/root.cer from "-----BEGIN CERTIFICATE-----" to "-----END CERTIFICATE-----", pasted one after the other.

NOTE: Reload the vRSLCM page in the browser to see the updated certificate replacement status.

  • In the SDDC Manager GUI go to Inventory -> Workload Domains -> <Select Domain> -> Security and check that the new certificate is shown and is Active.
  • On vRSLCM, perform an inventory sync for all available Environments.

e.g. for Log Insight go to the vRSLCM GUI -> Lifecycle Operations -> Environments -> VRLI -> View details -> click ... -> Trigger Inventory Sync.

Check that the inventory sync completes successfully.
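The split, sign, chain and verify steps above as a runnable shell example added here (not part of the KB): a constructed stand-in root CA replaces the VMCA root.cer/privatekey.pem, the FQDN and IP are constructed, and the cert.cfg content (a v3_req section carrying subjectAltName) is an assumption since the KB points to another article for it. The check_cert function is the verification a practitioner should run before importing the chain into the Locker.

```shell
#!/bin/sh
# Added example, not the KB's own code: split the combined .pem that vRSLCM
# downloads into CSR.pem / CSR.key, sign it with a CA, build the chain
# (leaf first, then root) and verify the result before importing it.
# The root CA generated in demo() is a constructed stand-in for the VMCA
# files under /var/lib/vmware/vmca; cert.cfg content is an assumption.
set -eu

# split_pem <combined.pem> <csr.out> <key.out>: carve out the two PEM blocks.
split_pem() {
  sed -n '/^-----BEGIN CERTIFICATE REQUEST-----$/,/^-----END CERTIFICATE REQUEST-----$/p' "$1" > "$2"
  sed -n '/^-----BEGIN .*PRIVATE KEY-----$/,/^-----END .*PRIVATE KEY-----$/p' "$1" > "$3"
}

# sign_and_chain <csr> <cert.cfg> <root.cer> <root.key> <out.crt> <chain.pem>
sign_and_chain() {
  openssl x509 -req -days 3650 -in "$1" -out "$5" -CA "$3" -CAkey "$4" \
    -extensions v3_req -CAcreateserial -extfile "$2" 2>/dev/null
  cat "$5" "$3" > "$6"   # same order as the KB's two cat lines: leaf, then root
}

# check_cert <leaf.crt> <root.cer> <fqdn>: chains to the root and SAN matches.
check_cert() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 &&
  openssl x509 -in "$1" -noout -checkhost "$3" | grep -q 'does match'
}

# demo: end-to-end run in a temp dir; prints the chain path and returns 0 on success.
demo() {
  d=$(mktemp -d); fqdn=vrslcm.example.invalid; ip=192.0.2.10   # constructed values
  # constructed stand-in for the VMCA root (not real VMCA key material)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.cer" \
    -subj "/CN=Stand-in CA" -days 30 2>/dev/null
  # what vRSLCM hands the browser: private key and CSR in one file
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/k.pem" -out "$d/r.pem" \
    -subj "/CN=$fqdn" -addext "subjectAltName=DNS:$fqdn,IP:$ip" 2>/dev/null
  cat "$d/k.pem" "$d/r.pem" > "$d/combined.pem"
  split_pem "$d/combined.pem" "$d/CSR.pem" "$d/CSR.key"
  # assumed cert.cfg: the v3_req section the KB's -extensions v3_req refers to
  printf '[v3_req]\nsubjectAltName=DNS:%s,IP:%s\nextendedKeyUsage=serverAuth\n' \
    "$fqdn" "$ip" > "$d/cert.cfg"
  sign_and_chain "$d/CSR.pem" "$d/cert.cfg" "$d/root.cer" "$d/root.key" \
    "$d/CSR.crt" "$d/chain.pem"
  check_cert "$d/CSR.crt" "$d/root.cer" "$fqdn" && echo "$d/chain.pem"
}
```

Call demo to exercise the whole flow; against a real vCenter, point sign_and_chain at /var/lib/vmware/vmca/root.cer and privatekey.pem and run check_cert with the vRSLCM FQDN.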