vCenter certificates and the root VMCA certificate have expired and need to be renewed or regenerated.

Article ID: 423918

Updated On:

Products

VMware vCenter Server

Issue/Introduction

  • Services do not start when started from the CLI, and the vCenter GUI is not accessible.
  • When attempting to regenerate certificates using the process outlined in KB 318767, the process hangs or fails with errors such as:

    You are going to reset by regenerating Root Certificate and replace all certificates using VMCA
    Continue operation : Option[Y/N] ? : y
    Status : 60% Completed [Reset vpxd-extension Cert...]
    2025-12-23T23:30:05.312Z  Updating certificate for "com.vmware.vim.eam" extension
    2025-12-23T23:30:06.053Z  Updating certificate for "com.vmware.rbd" extension
    2025-12-23T23:30:06.661Z  Updating certificate for "com.vmware.imagebuilder" extension
    Reset status : 85% Completed [starting services...]
    Error while starting services, please see service-control log for more details
    Status : 0% Completed [Reset operation failed]
    please see /var/log/vmware/vmcad/certificate-manager.log for more information.

Environment

VMware vCenter Server Appliance 6.x
VMware vCenter Server Appliance 7.x
VMware vCenter Server Appliance 8.x

Cause

Certificates on the VCSA expire over time and must be renewed or regenerated for the VCSA to function properly.

Resolution

  • Do not modify or extract the downloaded vCert ZIP file.
  • Upload the vCert ZIP file exactly as downloaded from KB 385107 to the /root user directory of the VCSA experiencing the issue, using WinSCP, FileZilla or a similar tool.
  • IMPORTANT: Take an offline snapshot of the VCSA experiencing the issue directly from the ESXi host currently hosting it. If using ELM (Enhanced Linked Mode), take an offline snapshot of all VCSAs that participate in the ELM.
  • Power the VCSA VM(s) back on and give them 5-10 minutes to fully start up, even when some of the services are unable to start.
  • Connect to the VCSA CLI using SSH (PuTTY or similar) with the root credentials.
  • Install and run the vCert utility as described in the Installation section of KB 385107.
  • Inside of the vCert menu select the following sequence of options:

    3. Manage certificates
    9. VMCA certificate
    2. Replace VMCA certificate with a self-signed certificate and regenerate all certificates.

  • Authenticate using the [email protected] or equivalent account
  • Accept all of the default values (shown inside the brackets [ ]) for the entire process by pressing Enter when prompted.
  • The vCert utility then replaces the VMCA root certificate and all other certificates based on it.
  • When it has completed, it asks whether you want to reset the STS Signing Certificate. Read the information presented at this prompt before entering Y or N:

    Replace STS Signing Certificate? [N]:

  • When prompted to restart services, enter Y and allow the services to start as expected:

    Restart VMware services [N]:  Y

  • Test the vCenter GUI and VAMI to make sure access has been restored.

Additional Information

vCert - Scripted vCenter expired certificate replacement
Using the VCF Diagnostic Tool for vSphere (VDT)
Regenerate vSphere 6.x, 7.x, and 8.0 certificates using self-signed VMCA
Connecting to vCenter Server Virtual Appliance using WinSCP fails with the error: Received too large (1433299822 B) SFTP packet. Max supported packet size is 1024000 B
Toggling the vCenter Server Appliance default shell