Error: "vCenter showing Root certificate will expire soon" after Root certificate replacement
Article ID: 417217

Products

VMware vCenter Server

Issue/Introduction

  • A new Root certificate was generated and all certificates were replaced
  • In the vCenter Administration > Certificate Manager > Trusted Root tab the old Root certificate is still listed next to the newly created one
  • Alarms in the vCenter UI state that certificate(s) in the VECS TRUSTED_ROOTS store are about to expire

Environment

VMware vCenter Server 8.X

VMware vCenter Server 7.X

Cause

  • After a new Root certificate has been generated and the other certificates re-issued from it, the old Root certificate remains published in vmdir and present in the VECS TRUSTED_ROOTS store. The expiry alarm is raised for that stale entry; it has to be unpublished from vmdir and removed from the VECS store

Resolution

  1. Review the certificate stores to confirm that the old Root certificate has not signed, and is not otherwise in use by, any other certificate in the environment. Removing a root that still issues an in-use certificate breaks trust for that service, so do not skip this check. Read more at Manually reviewing certificates in VMware Endpoint Certificate Store for vSphere 6.x and 7.x
  2. Once it is confirmed that the old certificate is no longer in use, proceed with the steps below
  3. Take a snapshot of the vCenter Server. Take offline snapshots if linked mode is enabled; an online snapshot is sufficient when there is a single vCenter and no linked mode in place. Read more at Snapshot Best practices for vCenter Server Virtual Machines
  4. Once the snapshots are complete, unpublish the old certificate. Read more at Verify and remove CA Certificates from the TRUSTED_ROOTS store in the VMware Endpoint Certificate Store (VECS)

Additional Information

  • When checking whether the old Root certificate signed any other certificate in the environment, note the following:
    • Record the Subject Key Identifier (SKI) of the old Trusted Root certificate, for example:
      12:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:21

    • Compare the Subject Key Identifier of the old Root certificate above with the Authority Key Identifier (AKI) of the certificates in all stores, such as Machine SSL, machine, vpxd and the other solution user stores, and check whether any of them match. A certificate whose AKI equals the old root's SKI was issued by the old root and still depends on it.

      In the example below the Authority Key Identifier does not match the Subject Key Identifier of the old Root certificate, meaning the vpxd certificate was not signed by the old Root certificate. Repeat the check for all stores.

      vpxd

          X509v3 Subject Key Identifier:
              ##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##
          X509v3 Authority Key Identifier:
              45:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:54
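The following script is an added example, not part of this article or of VMware's tooling, that automates the SKI/AKI comparison from step 1 of the Resolution and from the note above. It assumes vecs-cli at its usual appliance path (/usr/lib/vmware-vmafd/bin/vecs-cli) and openssl on PATH; the function names (key_id, signed_by, scan_vecs, verdict) and the sample certificate text excerpts are this example's own and are constructed, not taken from a real vCenter.

```shell
#!/bin/sh
# Added example: find every VECS entry whose Authority Key Identifier (AKI)
# equals the old root's Subject Key Identifier (SKI), i.e. every certificate
# still issued by the old root. Assumed paths/names are noted inline.
VECS_CLI=/usr/lib/vmware-vmafd/bin/vecs-cli   # assumed appliance path

# key_id Subject|Authority : read `openssl x509 -noout -text` output on stdin and
# print the hex identifier of that extension, upper-cased. OpenSSL 1.1 prints the
# AKI value as "keyid:45:..", OpenSSL 3 prints just "45:.."; both are handled.
# An AKI that carries only issuer/serial (no keyid) yields no output.
key_id() {
  awk -v want="X509v3 $1 Key Identifier" '
    found && NF {
      line = $0
      sub(/^[ \t]*(keyid:)?/, "", line)
      sub(/[ \t\r]*$/, "", line)
      if (line ~ /^[0-9A-Fa-f][0-9A-Fa-f](:[0-9A-Fa-f][0-9A-Fa-f])+$/) print toupper(line)
      exit
    }
    index($0, want) { found = 1 }
  '
}

# signed_by OLD_SKI : read one PEM certificate on stdin; succeed when its AKI
# equals OLD_SKI. Non-certificate entries (e.g. CRLs) simply fail the check.
signed_by() {
  aki=$(openssl x509 -noout -text 2>/dev/null | key_id Authority)
  [ -n "$aki" ] && [ "$aki" = "$(printf '%s' "$1" | tr 'a-f' 'A-F')" ]
}

# scan_vecs OLD_SKI : walk every VECS store and report entries issued by the old
# root. The old root's own TRUSTED_ROOTS entry is self-issued, so it is expected
# to appear; anything else listed is still depending on the old root.
scan_vecs() {
  old_ski=$1
  "$VECS_CLI" store list | while read -r store; do
    "$VECS_CLI" entry list --store "$store" --text 2>/dev/null \
      | sed -n 's/^Alias[ \t]*:[ \t]*//p' | while read -r alias; do
      if "$VECS_CLI" entry getcert --store "$store" --alias "$alias" | signed_by "$old_ski"; then
        echo "STILL IN USE: store=$store alias=$alias is issued by the old root"
      fi
    done
  done
}

# Constructed sample excerpts of `openssl x509 -text` output (not real
# certificates): the root in OpenSSL 3 layout, vpxd in OpenSSL 1.1 layout.
OLD_ROOT_TEXT='    X509v3 Subject Key Identifier: 
        12:34:56:78:9A:BC:DE:F0:11:22:33:44:55:66:77:88:99:AA:BB:21
    X509v3 Authority Key Identifier: 
        12:34:56:78:9A:BC:DE:F0:11:22:33:44:55:66:77:88:99:AA:BB:21'
VPXD_TEXT='    X509v3 Subject Key Identifier:
        0A:0B:0C:0D:0E:0F:10:11:12:13:14:15:16:17:18:19:1A:1B:1C:1D
    X509v3 Authority Key Identifier:
        keyid:45:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:01:02:54'

# verdict ROOT_TEXT LEAF_TEXT : compare the root SKI with the leaf AKI.
verdict() {
  old=$(printf '%s\n' "$1" | key_id Subject)
  aki=$(printf '%s\n' "$2" | key_id Authority)
  if [ -n "$old" ] && [ "$old" = "$aki" ]; then
    echo signed-by-old-root
  else
    echo not-signed-by-old-root
  fi
}

verdict "$OLD_ROOT_TEXT" "$VPXD_TEXT"       # prints: not-signed-by-old-root
verdict "$OLD_ROOT_TEXT" "$OLD_ROOT_TEXT"   # self-issued root: signed-by-old-root
if [ $# -eq 1 ]; then scan_vecs "$1"; fi    # on the appliance: sh check.sh <OLD_SKI>
```

On the appliance, obtain the old root's SKI with `vecs-cli entry getcert --store TRUSTED_ROOTS --alias <old-alias> | openssl x509 -noout -text | key_id Subject` and pass it as the single argument. Only proceed to the snapshot and removal steps when the sole line reported is the old root's own TRUSTED_ROOTS entry.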