SSL Certificate - Invalid Maximum Validity Date Detected on ports 636 and 3128

Article ID: 437768


Products

VMware vCenter Server

Issue/Introduction

  • After the vCenter Machine SSL certificate is replaced with one valid for fewer than 360 days, external security scanners still report "SSL Certificate - Invalid Maximum Validity Date Detected" on ports 636 (LDAPS) and 3128 (vpxd-proxy).
  • Browser access on port 443 shows the correct new certificate.
  • The command below, run against the affected ports, returns the old Machine SSL certificate:
    • openssl s_client -connect <VC_IP>:<Port_Number> -showcerts

Environment

VMware vCenter Server 8.x

VMware vCenter Server 7.x

Cause

The vmdir service (VMware Directory Service) relies on a static certificate file located at /usr/lib/vmware-vmdir/share/config/vmdircert.pem. In certain scenarios, the Certificate Manager utility does not synchronize the new Machine SSL certificate from the VECS store to this specific filesystem path.

Resolution

Note: Take an offline snapshot of every vCenter Server in linked mode before proceeding.

Follow these steps:

  • SSH to the vCenter. 
  • Export the current valid Machine SSL certificate from the VECS store to a temporary file:
    • /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT > /var/core/machine_ssl.pem
  • Backup the existing vmdir certificate:
    • cp /usr/lib/vmware-vmdir/share/config/vmdircert.pem /usr/lib/vmware-vmdir/share/config/vmdircert.pem.bak
  • Replace the vmdir certificate with the exported Machine SSL certificate:
    • cp /var/core/machine_ssl.pem /usr/lib/vmware-vmdir/share/config/vmdircert.pem
  • Restart all vCenter services to apply the change:
    • service-control --stop --all && service-control --start --all
  • Verify the certificate presented on the impacted ports:
    • openssl s_client -connect localhost:<Port_Number> -showcerts
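The steps above, collected into one script as an added example (this is not VMware's code and not part of the KB). It uses the file paths and commands the article names; the port list, the timestamped backup name, and the fingerprint comparison before and after the copy are this script's own additions. Comparing SHA-256 fingerprints means the script does nothing when vmdircert.pem already matches VECS, and after the restart it confirms that 636 and 3128 present the same certificate as 443 rather than leaving that to the scanner's next run.

```shell
#!/bin/sh
# Added example: re-sync /usr/lib/vmware-vmdir/share/config/vmdircert.pem from the
# VECS Machine SSL certificate and verify the certificate served on each port.
# Paths and commands come from the KB; PORTS and the backup naming are assumptions.
set -eu

VECS_CLI=/usr/lib/vmware-vmafd/bin/vecs-cli
VMDIR_CERT=/usr/lib/vmware-vmdir/share/config/vmdircert.pem
EXPORT=/var/core/machine_ssl.pem
PORTS="443 636 3128"   # 443 is the reference; 636 and 3128 are the ports the scanner flagged

# Number of PEM certificate blocks in a file (0 when the export came back empty).
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# SHA-256 fingerprint of the first certificate in a PEM file.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# SHA-256 fingerprint of the leaf certificate a TLS endpoint presents (host, port).
served_fingerprint() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeeds when two fingerprints are the same, ignoring case and colon separators;
# an empty fingerprint (failed handshake or parse) never matches.
fingerprints_match() {
    a=$(printf '%s' "$1" | tr -d ':' | tr 'a-f' 'A-F')
    b=$(printf '%s' "$2" | tr -d ':' | tr 'a-f' 'A-F')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

main() {
    # Step 1: export the current Machine SSL certificate from VECS.
    "$VECS_CLI" entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT > "$EXPORT"
    [ "$(pem_cert_count "$EXPORT")" -ge 1 ] || { echo "VECS export is empty, aborting" >&2; exit 1; }

    vecs_fp=$(cert_fingerprint "$EXPORT")
    vmdir_fp=$(cert_fingerprint "$VMDIR_CERT")
    if fingerprints_match "$vecs_fp" "$vmdir_fp"; then
        echo "vmdircert.pem already matches the VECS Machine SSL certificate; nothing to do"
        exit 0
    fi

    # Steps 2 and 3: timestamped backup, then replace the static vmdir certificate.
    cp "$VMDIR_CERT" "$VMDIR_CERT.bak.$(date +%Y%m%d%H%M%S)"
    cp "$EXPORT" "$VMDIR_CERT"

    # Step 4: restart all services so vmdir and vpxd-proxy reload the file.
    service-control --stop --all && service-control --start --all

    # Step 5: every port must now present the certificate that VECS holds.
    rc=0
    for p in $PORTS; do
        fp=$(served_fingerprint localhost "$p")
        if fingerprints_match "$vecs_fp" "$fp"; then
            echo "port $p: OK ($fp)"
        else
            echo "port $p: MISMATCH (served: ${fp:-none}, expected: $vecs_fp)" >&2
            rc=1
        fi
    done
    exit "$rc"
}

# Run only when invoked with --run so the functions can be sourced and tested alone.
case "${1:-}" in --run) main ;; esac
```

Run it on the vCenter as `sh resync_vmdircert.sh --run`; a non-zero exit after the restart means at least one port still serves a different certificate and the mismatch line names which one.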