Replace certificates on vCenter server using the Fixcerts script

Article ID: 322249

Products

VMware vCenter Server

Issue/Introduction

This article explains how to use the Fixcerts script to replace certificates on the vCenter Server Appliance.

The script is able to replace the following Certificates on vCenter Server:

  • VMCA Root
  • MACHINE SSL
  • Secure Token Signing (STS)
  • Solution Users
  • LookupService or STS_INTERNAL_SSL_CERT
  • data-encipherment
  • SMS
  • Expired Certificates from TRUSTED_ROOTS store
  • Non-CA Certificates from TRUSTED_ROOTS store
  • Update thumbprints for vpxd extensions eam, rbd and imagebuilder

Notes:

  • Fixcerts replaces certificates with VMCA-issued (VCSA self-signed) certificates. If custom CA-signed certificates are in use, they are replaced as well and must be re-imported afterwards with the Certificate Management UI or CLI.
  • Fixcerts is not a replacement for the vCenter Server Certificate Management UI or CLI.
  • Only the VMware vCenter Server Appliance (VCSA) is supported. Windows vCenter Server is not supported.
  • Certificate replacement requires a restart of the vCenter services. Pass --serviceRestart True to have the script restart them, or restart them manually after the script completes.
  • If Enhanced Linked Mode (ELM) is in use, take offline (powered-off) snapshots of all vCenter servers in the SSO domain before proceeding, so that every node can be reverted to a consistent state if the replacement fails.

Resolution

Replace Expired Certificates

To replace only expired certificates, copy the attached script to the vCenter Server Appliance and run the following command from a shell session on the appliance:

python fixcerts_3_2.py replace --certType expired_only

Replace All Certificates

To replace all certificates regardless of expiry, run the following command on the appliance:

python fixcerts_3_2.py replace --certType all

-------------------------------------------------------------------

Before changes are made, the script displays the validity of the current certificates and prompts for confirmation; enter Y to continue:

Example output after certificates have been updated:

Additional Information

Regenerate vSphere certificates CLI method:

Regenerate vSphere 6.x, 7.x, and 8.0 certificates using self-signed VMCA (318767)

Regenerate vSphere certificates GUI method:

Managing vCenter Server Certificates

Fixcerts additional arguments:

Restart services automatically after certificate replacement:
$ python fixcerts_3_2.py replace --certType <cert> --serviceRestart True

Replace MACHINE_SSL_CERT certificate:
$ python fixcerts_3_2.py replace --certType machinessl

Replace STS Signing certificate:
$ python fixcerts_3_2.py replace --certType sts

Replace Solution Users certificates:
$ python fixcerts_3_2.py replace --certType solutionusers

Replace data-encipherment certificate:
$ python fixcerts_3_2.py replace --certType data-encipherment

Replace LookupService certificate if STS_INTERNAL_SSL_CERT store is available:
$ python fixcerts_3_2.py replace --certType lookupservice

Replace expired certificates from SMS store:
$ python fixcerts_3_2.py replace --certType sms

Remove Non-CA certificates from TRUSTED_ROOTS store if exists:
$ python fixcerts_3_2.py remove --storeType trusted_roots --certType non-ca

Remove expired certificates from TRUSTED_ROOTS store if exists:
$ python fixcerts_3_2.py remove --storeType trusted_roots --certType expired

Update thumbprint for vpxd extensions eam, rbd and imagebuilder:
$ python fixcerts_3_2.py update --ExtensionType all
$ python fixcerts_3_2.py update --ExtensionType eam
$ python fixcerts_3_2.py update --ExtensionType rbd
$ python fixcerts_3_2.py update --ExtensionType imagebuilder
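Before choosing between --certType expired_only, --certType all and one of the targeted --certType values above, it helps to know which VECS stores actually hold expired certificates, and after an update run it helps to confirm that an extension's registered thumbprint matches the current MACHINE_SSL certificate. The following helper is an added example, not part of the original article or of the Fixcerts script. It assumes the inputs are gathered on the appliance with vecs-cli and openssl (commands shown in the docstring); here they are constructed inline so the script runs offline, and the store-to-certType mapping is an assumption based on the argument list above.

```python
"""Pre-flight and post-run helper for Fixcerts runs on a vCenter Server Appliance.

Added example, not part of the original article or of the Fixcerts script.
On the appliance the inputs would be gathered as root with, for example:

    /usr/lib/vmware-vmafd/bin/vecs-cli store list
    /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT \
        --alias __MACHINE_CERT --output /tmp/machine.crt
    openssl x509 -in /tmp/machine.crt -noout -enddate      # prints notAfter=...

The sample data below is constructed so the script runs offline.
"""
import base64
import hashlib
import re
from datetime import datetime, timezone

# Constructed sample: VECS store -> (alias, openssl-style notAfter line).
SAMPLE_ENTRIES = {
    "MACHINE_SSL_CERT": ("__MACHINE_CERT", "notAfter=Jun  5 12:00:00 2023 GMT"),
    "vpxd": ("vpxd", "notAfter=Jun  5 12:00:00 2023 GMT"),
    "TRUSTED_ROOTS": ("a1b2c3", "notAfter=Jan  1 00:00:00 2031 GMT"),
    "data-encipherment": ("data-encipherment", "notAfter=Jan  1 00:00:00 2031 GMT"),
}

# Fixed "now" so results are reproducible; use datetime.now(timezone.utc) in practice.
REFERENCE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)

# Assumed mapping from VECS store to the Fixcerts --certType that regenerates it
# (derived from the argument list in the article, not from the script itself).
STORE_TO_CERTTYPE = {
    "MACHINE_SSL_CERT": "machinessl",
    "vpxd": "solutionusers",
    "vpxd-extension": "solutionusers",
    "vsphere-webclient": "solutionusers",
    "machine": "solutionusers",
    "data-encipherment": "data-encipherment",
    "SMS": "sms",
    "STS_INTERNAL_SSL_CERT": "lookupservice",
}

# Constructed stand-in for a DER certificate: base64 of the bytes b"abc", so the
# expected SHA-1 is the well-known test vector a9993e36...  Not a real certificate.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"


def parse_not_after(line):
    """Parse an 'openssl x509 -enddate' line into an aware UTC datetime."""
    value = line.split("=", 1)[1].strip()
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def find_expired(entries, now):
    """Return {store: alias} for every entry whose notAfter is at or before now."""
    return {store: alias for store, (alias, line) in entries.items()
            if parse_not_after(line) <= now}


def recommend_certtypes(entries, now):
    """Sorted list of --certType values covering the expired entries.

    Stores without a direct mapping (e.g. TRUSTED_ROOTS) fall back to
    'expired_only', which lets the script decide what to regenerate or remove.
    """
    types = {STORE_TO_CERTTYPE.get(store, "expired_only")
             for store in find_expired(entries, now)}
    return sorted(types)


def thumbprint(pem):
    """SHA-1 thumbprint of a PEM certificate in the colon-separated upper-case
    form shown for vpxd extensions in the Managed Object Browser."""
    body = re.sub(r"-----[A-Z ]+-----|\s", "", pem)
    digest = hashlib.sha1(base64.b64decode(body)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def extension_thumbprint_stale(registered, pem):
    """True if the thumbprint registered for an extension (eam, rbd, imagebuilder)
    no longer matches the certificate in MACHINE_SSL_CERT, i.e. an
    'update --ExtensionType' run is still needed.  Colons and case are ignored."""
    return registered.replace(":", "").upper() != thumbprint(pem).replace(":", "")


if __name__ == "__main__":
    expired = find_expired(SAMPLE_ENTRIES, REFERENCE_NOW)
    print("expired entries:", expired)
    for cert_type in recommend_certtypes(SAMPLE_ENTRIES, REFERENCE_NOW):
        print("suggested: python fixcerts_3_2.py replace --certType", cert_type)
    print("MACHINE_SSL thumbprint:", thumbprint(SAMPLE_PEM))
    print("eam thumbprint stale:", extension_thumbprint_stale("00:11:22", SAMPLE_PEM))
```

With the constructed sample the MACHINE_SSL_CERT and vpxd entries are expired, so the helper suggests the machinessl and solutionusers cert types; if the only expired entries were in TRUSTED_ROOTS it would fall back to expired_only, which matches the script's own remove/replace behaviour for that store.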

Attachments

fixcerts_3_2.py