vCenter STS Certificate Will Not Renew



Article ID: 420242


Updated On:

Products

VMware vCenter Server

Issue/Introduction


Unable to renew the soon-to-expire certificates using the vCert tool. Attempts were made to renew each individual component (Solution Users, STS, etc.) with VMCA self-signed certificates, but after restarting the vCenter services the certificates still show only 10 days of validity.


Checking Certificate Status
-----------------------------------------------------------------
Checking Machine SSL certificate                          VALID
Checking Solution User certificates:
   machine                                                10 DAYS
   vsphere-webclient                                      10 DAYS
   vpxd                                                   10 DAYS
   vpxd-extension                                         10 DAYS
   hvc                                                    10 DAYS
   wcp                                                    10 DAYS
Checking SMS self-signed certificate                      17 DAYS
Checking SMS VMCA-signed certificate                      10 DAYS
Checking data-encipherment certificate                    10 DAYS
Checking Authentication Proxy certificate                 10 DAYS
Checking Auto Deploy CA certificate                       NO SKID
Checking VMDir certificate                                10 DAYS
Checking BACKUP_STORE entries:
   bkpmachine                                             10 DAYS
   bkpvsphere-webclient                                   10 DAYS
   bkpvpxd                                                10 DAYS
   bkpvpxd-extension                                      10 DAYS
   bkp__MACHINE_CERT                                      EXPIRED
   bkp___MACHINE_CERT                                     EXPIRED
   bkp_machine                                            10 DAYS
   bkp_vsphere-webclient                                  10 DAYS
   bkp_vpxd                                               10 DAYS
   bkp_vpxd-extension                                     10 DAYS
   __MACHINE_CERT                                         EXPIRED
Checking legacy Lookup Service certificate                10 DAYS
Checking VMCA certificate                                 10 DAYS

Checking STS Signing Certs & Signing Chains
-----------------------------------------------------------------
Checking TenantCredential-1:
   TenantCredential-1 signing certificate                 10 DAYS
   TenantCredential-1 CA certificate                      10 DAYS
Checking TrustedCertChain-1:
   TrustedCertChain-1 signing certificate                 10 DAYS
   TrustedCertChain-1 CA certificate                      10 DAYS

Environment

vCenter 8.x

Cause

In this case the customer had custom CA certificates issued by their internal CA server, some of which were assigned to the Solution Users, STS, and other components.

Resolution


a. Create a snapshot backup copy of the vCenter (in linked mode, power off all vCenters first, then take an individual offline snapshot of each).

b. Run the vCert.py tool again.

c. From the main menu choose option 3, then option 6, "Reset all certificates with VMCA-signed certificates".

d. Restart the vCenter services.

e. Check access to both the VAMI and the web UI, and verify that users can also log in with their AD credentials.

f. In vCenter > Administration > Certificate Management, verify that all certificates now expire in 10 years, not 10 days.
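To verify the outcome of step f against the tool's own report (the same format shown in the Issue section), here is an added Python example that is not part of this article or of the vCert tool: it parses the report's name/status lines and lists every entry that is expired or has fewer than a chosen number of days left. The report excerpt is constructed from the output above; the section-header and status-token layout are assumptions about the tool's output format. After a successful VMCA reset the returned list should be empty.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of the vCert "Checking Certificate Status" report, abbreviated
# from this article's output. Assumption: one entry per line, section headers end in ":".
SAMPLE_REPORT = """\
Checking Machine SSL certificate                            VALID
Checking Solution User certificates:
   machine                                                  10 DAYS
   vpxd                                                     10 DAYS
Checking Auto Deploy CA certificate                         NO SKID
Checking BACKUP_STORE entries:
   bkp__MACHINE_CERT                                        EXPIRED
Checking VMCA certificate                                   10 DAYS
"""
# Name, at least two spaces, then one of the status tokens the report uses.
STATUS_RE = re.compile(r"^(?P<name>.+?)\s{2,}(?P<status>VALID|EXPIRED|NO SKID|\d+ DAYS)$")

def parse_status_report(text: str) -> Dict[str, str]:
    """Map each entry (prefixed with its section, if any) to its status token."""
    results, section = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith(":"):  # section header such as "Checking BACKUP_STORE entries:"
            section = line.strip()[:-1].removeprefix("Checking ")
            continue
        m = STATUS_RE.match(line)
        if not m:  # blank lines, separators and headings carry no status
            continue
        name = m.group("name").strip().removeprefix("Checking ")
        if line.startswith(" ") and section:  # indented entries belong to the open section
            name = f"{section}/{name}"
        results[name] = m.group("status")
    return results

def days_remaining(status: str) -> Optional[int]:
    """Days left for 'N DAYS', 0 for EXPIRED, None where the tool prints no count."""
    if status == "EXPIRED":
        return 0
    m = re.fullmatch(r"(\d+) DAYS", status)
    return int(m.group(1)) if m else None

def short_lived_entries(text: str, min_days: int = 365) -> List[str]:
    """Entries that are expired or have fewer than min_days of validity left."""
    flagged = []
    for name, status in parse_status_report(text).items():
        days = days_remaining(status)
        if days is not None and days < min_days:
            flagged.append(name)
    return flagged
```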


At this stage vCenter is accessible again; the customer then had to manually reload the custom SSL certificate on the vCenter.