Replacing Expiring Self-Signed VMware Certificate Authority (VMCA) Root Certificate on vCenter Server using the vCert script
Article ID: 438284

Products

VMware vCenter Server

Issue/Introduction

  • The VMware Certificate Authority (VMCA) root certificate is nearing its expiration date. This is typically identified through certificate expiration alarms in the vSphere Client.
  • If the VMCA certificate is allowed to expire, it can result in service interruptions, authentication failures, and an inability to manage the vSphere environment.
  • An external third-party CA (Certificate Authority) is not being used, or is not required, for signing vSphere certificates.

Environment

VMware vCenter Server

Cause

  • By design, security certificates have a defined lifecycle and are expected to expire after a set period in order to maintain the security of the environment.

Resolution

To resolve this issue, you must replace the expiring VMCA root certificate and regenerate all dependent certificates using the vCert utility. Please note that this procedure is for replacing self 

  1. Perform an Offline Snapshot: Prior to making certificate changes, take an offline snapshot of the VCSA. If the vCenter is part of an Enhanced Linked Mode (ELM) configuration, you must power off and take snapshots of all VCSAs in the environment simultaneously. Please refer to KB 313886.

  2. Access the CLI: Connect to the vCenter Server via SSH using root credentials.

  3. Run vCert Utility:

    • Install and launch the vCert utility. Please refer to KB 385107 for details.

    • From the main menu, select 3. Manage certificates.

    • Select 9. VMCA certificate.

    • Select 2. Replace VMCA certificate with a self-signed certificate and regenerate all certificates.

  4. Authentication: When prompted, authenticate using [email protected] (or your equivalent SSO administrator account).

  5. Configuration: Accept the default values for all prompts by pressing Enter (default values are displayed within brackets [ ]).

  6. Reset STS Signing Certificate: When the utility completes the VMCA replacement, it will prompt: Replace STS Signing Certificate? [N]. Input Y to ensure the Security Token Service (STS) certificate is also refreshed.

  7. Restart Services: When prompted Restart VMware services [N], input Y.

  8. Verification: Once services have restarted, log in to the vSphere Client and VAMI to verify that access is restored and expiration alarms are cleared.
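As an added example for the verification step (this script is not part of this KB and is not the vCert utility), the following POSIX shell script reads the VMCA root certificate and the Machine SSL certificate from the VCSA command line, reports their validity windows, flags any certificate that expires within a chosen number of days, and confirms that the Machine SSL certificate is issued by the current VMCA root. It assumes the default VCSA file locations /var/lib/vmware/vmca/root.cer and /etc/vmware-vpx/ssl/rui.crt (override them with the VMCA_ROOT_CERT and MACHINE_SSL_CERT environment variables) and that the openssl command is available, which it is on the appliance.

```shell
#!/bin/sh
# Added example, not part of the KB or of the vCert script.
# Paths are assumptions based on the default VCSA layout; override via env.
VMCA_ROOT_CERT="${VMCA_ROOT_CERT:-/var/lib/vmware/vmca/root.cer}"
MACHINE_SSL_CERT="${MACHINE_SSL_CERT:-/etc/vmware-vpx/ssl/rui.crt}"

# cert_ok_for_days FILE DAYS
# Exit 0 if the certificate is still valid DAYS days from now,
# 1 if it expires (or already expired) within that window,
# 2 if the file is missing or not a parseable X.509 certificate.
cert_ok_for_days() {
    file="$1"
    days="$2"
    [ -r "$file" ] || return 2
    openssl x509 -noout -in "$file" >/dev/null 2>&1 || return 2
    # -checkend exits 0 when the cert will still be valid after N seconds.
    openssl x509 -noout -checkend "$((days * 86400))" -in "$file" >/dev/null 2>&1
}

# cert_summary FILE: print subject, issuer and notAfter of a certificate.
cert_summary() {
    openssl x509 -noout -subject -issuer -enddate -in "$1" 2>/dev/null
}

# issuer_matches_root LEAF ROOT
# Exit 0 when LEAF's issuer DN equals ROOT's subject DN, i.e. the leaf was
# issued by that root (the expected state after vCert regenerates
# everything from a self-signed VMCA root).
issuer_matches_root() {
    leaf_issuer=$(openssl x509 -noout -issuer -in "$1" 2>/dev/null | sed 's/^issuer=//')
    root_subject=$(openssl x509 -noout -subject -in "$2" 2>/dev/null | sed 's/^subject=//')
    [ -n "$leaf_issuer" ] && [ "$leaf_issuer" = "$root_subject" ]
}

# check_vmca_certs [DAYS]: report both certificates and exit nonzero if any
# of them expires within DAYS (default 30) or the chain does not line up.
check_vmca_certs() {
    days="${1:-30}"
    status=0
    for f in "$VMCA_ROOT_CERT" "$MACHINE_SSL_CERT"; do
        rc=0
        cert_ok_for_days "$f" "$days" || rc=$?
        case $rc in
            0) echo "OK          valid for at least $days more days: $f" ;;
            1) echo "EXPIRING    within $days days: $f"; status=1 ;;
            *) echo "UNREADABLE  $f"; status=1 ;;
        esac
        cert_summary "$f" | sed 's/^/            /'
    done
    if issuer_matches_root "$MACHINE_SSL_CERT" "$VMCA_ROOT_CERT"; then
        echo "Machine SSL certificate is issued by the current VMCA root"
    else
        echo "WARNING: Machine SSL certificate issuer does not match the VMCA root subject"
        status=1
    fi
    return $status
}

# Run the report only when invoked as:  sh vmca_check.sh --check [DAYS]
case "${1:-}" in
    --check) check_vmca_certs "${2:-30}" ;;
esac
```

Run it once before the vCert replacement to confirm the alarm corresponds to the VMCA root (step 1), and again after the service restart (step 8): the notAfter dates should have moved out, and the Machine SSL certificate's issuer should equal the new root's subject. A nonzero exit status makes the check usable from a monitoring job across all vCenters in an ELM configuration.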

Additional Information