Procedure for renewing the STORE KMS_ENCRYPTION certificate in vSphere environments, specifically whether a simple UI refresh is sufficient or whether the trust relationship must be re-established manually.
vSphere 8.x
The trust relationship is based on a certificate exchange. When a certificate is renewed on the KMS, the previous "handshake" becomes invalid because the cryptographic thumbprint has changed. Manual intervention is required to explicitly "accept" the new identity of the KMS.
Refreshing the vSphere Client is insufficient, as it only updates the management interface view.
The customer must manually update the trust relationship to maintain secure communication.
To renew a client certificate directly from the vSphere Client by generating a Certificate Signing Request (CSR), follow these steps:
1. Take a snapshot or a backup of the vCenter before proceeding (see: Snapshot Best practices for vCenter Server Virtual Machines).
2. Navigate to Key Providers:
In the vSphere Client, go to vCenter Server > Configure > Security > Key Providers.
3. Initiate the Trust Update:
Select the affected Key Provider (e.g., CipherTrust) from the list.
Click Establish Trust and select Make KMS trust vCenter (or New Certificate Signing Request).
4. Generate the CSR:
In the dialog, ensure New Certificate Signing Request (CSR) is selected.
Click Next/OK. vCenter will generate a new private key internally and display the CSR text.
Click Download to save the CSR as a `.pem` or `.csr` file.
5. Sign the Certificate in KMS:
Access your KMS (e.g., CipherTrust Manager) and navigate to the KMIP section.
Look for Client Certificates and choose Create Certificate from CSR.
Upload the CSR file downloaded from vCenter. The KMS will provide a signed `.pem` certificate in return.
6. Complete the Process in vCenter:
Return to the Key Providers screen in vCenter.
Select the provider, click Establish Trust, and select Upload Signed CSR Certificate.
Upload the signed certificate file received from your KMS.
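Before uploading in step 6, it is worth confirming that the certificate returned by the KMS actually belongs to the CSR vCenter generated, and seeing why a renewed certificate invalidates the old trust (its thumbprint changes). The script below is an added example, not part of the KB or of vCenter/CipherTrust tooling: it simulates the round-trip with openssl in a temporary directory, using a constructed self-signed CA as a stand-in for the KMS, and the hostnames and paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the KB): simulate the CSR round-trip and run two checks
# a practitioner wants before "Upload Signed CSR Certificate":
#   1. the signed certificate's public key matches the CSR vCenter generated
#   2. a renewed certificate has a different thumbprint, so the old trust no longer applies
set -eu
WORK=$(mktemp -d)

# Stand-in for vCenter's "New Certificate Signing Request": the private key stays local
# and only the CSR is exported. CN is a constructed placeholder.
gen_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/vcenter.key" \
    -subj "/CN=vcenter.example.test" -out "$WORK/vcenter.csr" 2>/dev/null
}

# Stand-in for the KMS "Create Certificate from CSR" step. The self-signed CA is a
# constructed placeholder for the KMS issuing CA; $1 is the output path of the signed cert.
sign_csr() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/kms-ca.key" \
    -subj "/CN=kms-ca.example.test" -days 30 -out "$WORK/kms-ca.pem" 2>/dev/null
  openssl x509 -req -in "$WORK/vcenter.csr" -CA "$WORK/kms-ca.pem" -CAkey "$WORK/kms-ca.key" \
    -CAcreateserial -days 30 -out "$1" 2>/dev/null
}

# Check 1: returns 0 only if the public key in the signed certificate ($2)
# is the same key that was in the CSR ($1), i.e. the KMS signed what vCenter sent.
cert_matches_csr() {
  [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Check 2: SHA-1 thumbprint of a certificate, the value vCenter shows when asking you
# to accept a KMS identity. Renewal yields a new thumbprint even if the key is unchanged.
thumbprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/.*=//'
}
```

Run `gen_csr`, then `sign_csr "$WORK/signed.pem"`, and call `cert_matches_csr "$WORK/vcenter.csr" "$WORK/signed.pem"` before uploading; compare `thumbprint` output of the old and new certificate to see the change that forces the manual trust update.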