Regenerate vSphere 6.x, 7.x, and 8.0 certificates using self-signed VMCA
Article ID: 318767
Updated On: 12-15-2024
Products
VMware vCenter Server
Issue/Introduction
This article provides steps to regenerate the vSphere 6.x, 7.x, and 8.0 certificates using a new self-signed certificate in the VMware Certificate Authority (VMCA).
Note: This process can be useful to quickly recover from a scenario where the vCenter Server certificates have expired.
Note: This process can be useful to quickly recover from a scenario where the vCenter Server certificates have expired.
Environment
- VMware vCenter Server 8.x
- VMware vCenter Server 7.x
- VMware vCenter Server 6.x
Resolution
- Ensure that the STS certificate is valid before regenerating the certificate using Certificate Manager.
- Checking Expiration of STS Certificate on vCenter Servers - https://knowledge.broadcom.com/external/article/318968
- Another option is to use this one-line script:
DMN="$(/usr/lib/vmware-vmafd/bin/vmafd-cli get-domain-name --server-name localhost)"; DMN_DN="dc=$(echo "$DMN" | sed -e 's/\./\,dc=/g')"; ldapsearch -H ldap://localhost -D "cn=administrator,cn=users,$DMN_DN" -W -b "cn=tenantcredential-1,cn=$DMN,cn=Tenants,cn=IdentityManager,cn=Services,$DMN_DN" userCertificate -o ldif-wrap=no | sed -s -n '11p' | sed 's/userCertificate:: //' | awk '{print "-----BEGIN CERTIFICATE-----\n"$0"\n-----END CERTIFICATE-----"}'|openssl x509 -noout -text -in /dev/stdin- Note: The above one-line script will prompt: "Enter LDAP password", this is the same password as the administrator@vsphere.local or similar account.
- Another option is to use this one-line script:
- If STS certificate is expired or corrupted, certificate regeneration will fail due to the service dependencies like vmware-stsd and vmware-vapi-endpoint failing to start without a valid token.
- Checking Expiration of STS Certificate on vCenter Servers - https://knowledge.broadcom.com/external/article/318968
- When selecting "Option 8" note that this task replaces the VMCA Root Certificate with a new self-signed certificate and then the Machine SSL and Solution User certificates with new certificates issued by the VMCA.
- If running an external Platform Services Controller, please ensure the certificates are also not expired and run the vSphere 6.x Certificate Manager on the external vCenter Server 6.x and perform these tasks:
- Replace Machine SSL certificate with VMCA Certificate (Option 3)
- Replace Solution user certificates with VMCA certificates (Option 6)
Follow the below steps to replace other Certificates after replacing the STS Certificate.
Note: Take a snapshot or a backup of the vCenter before proceeding.
To regenerate the vSphere 6.x certificates using a new self-signed VMware Certificate Authority certificate:
- Launch the vSphere 6.x Certificate Manager.
For vCenter Server 6.x/7.x Appliance:/usr/lib/vmware-vmca/bin/certificate-manager
For Windows vCenter Server 6.x:C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager
- Select Option 4 (Regenerate a new VMCA Root Certificate and replace all certificates)
Note: Selecting Option 8 (Reset all Certificates), both options perform the same functionality. (The difference is that option 8 does not perform automatic Rollback of the certificates). Option 8 is needed when both the Machine SSL certificate and Solution users certificates are expired.
- Type the
administrator@vsphere.localpassword when prompted. - If this is the first time VMCA certificates are re-generated on this system, there will be a prompt to configure the certool.cfg file. On subsequent tasks, these values can be re-used.
Note: These values are used to define certificates issued by VMCA.
Enter these values as prompted by the VMCA (See Step 5 to confirm the Name/Hostname/VMCA):Please configure certool.cfg file with proper values before proceeding to next step.Press Enter key to skip optional parameters or use Default value.Enter proper value for 'Country' [Default value : US] :(Note: Value for Country should be only 2 letters)Enter proper value for 'Name' [Default value : CA] :(Note: As stated below, this value will be the PNID)Enter proper value for 'Organization' [Default value : VMware] :Enter proper value for 'OrgUnit' [Default value : VMware Engineering] :Enter proper value for 'State' [Default value : California] :Enter proper value for 'Locality' [Default value : Palo Alto] :Enter proper value for 'IPAddress' [optional] :Enter proper value for 'Email' [Default value : email@acme.com] :Enter proper value for 'Hostname' [Enter valid Fully Qualified Domain Name(FQDN), For Example : example.example.com] :Enter proper value for VMCA 'Name':(Note: This information will be requested from vCenter Server 6.0 U3, 6.5 and later builds, you may use the FQDN/PNID of vCenter Server for this field. It will be used as a Common Name for the VMCA Root Certificate)
- Type Yes (Y) to the confirmation request to proceed.
You are going to regenerate Root Certificate and all other certificates using VMCAContinue operation : Option[Y/N] ? : Y
Note: This step automatically restarts the vCenter Server services. Additionally, the Name, Hostname, and VMCA values should match the Primary Network Identifier (PNID) of the node where the Certificates are being replaced. The PNID should always match the Hostname. In order to obtain the PNID please run these commands:
For vCenter Server Appliance (VCSA)/usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost
IMPORTANT:
If the vCenter's PNID and hostname are configured as 'localhost' (this is a not recommended configuration):
- Do not use 'localhost' when prompted to add alternate SAN (Subject Alternative Name) names to the certificate.
- For vCenters accessed by IP address: Be sure to include the vCenter's IP address when prompted to the certificate.
- Adding an IP address is optional for certs that use valid FQDN names.
For Windows vCenter Server
C:\Program Files\VMware\vCenter Server\vmafdd\" vmafd-cli.exe get-pnid --server-name localhost
After successfully regenerating the certificates.
- Login to vCenter and check if there is a "Certificate Status" alarm.
- If there is an alarm then clear vCenter certificate backup store using the steps mentioned in KB Certificate alarm - Clearing BACKUP_STORES certificates in the VCSA
- Login back to vCenter and reset the "Certificate Status" alarm to green as this alarm will not reset on its own.
Additional Information
- Replace certificates on vCenter server using the Fixcerts script
-
The script is able to replace the following Certificates on vCenter Server:
VMCA Root
MACHINE SSL
Secure Token Signing (STS)
Solution Users
LookupService or STS_INTERNAL_SSL_CERT
data-encipherment
SMS
Expired Certificates from TRUSTED_ROOTS store
Non-CA Certificates from TRUSTED_ROOTS store
Update thumbprints for vpxd extensions eam, rbd and imagebuilder
-
- VMware Skyline Health Diagnostics for vSphere - FAQ (345059)
- Updating External Solutions after replacing the vCenter Server SSL certificate (367539)
- How to use vSphere Certificate Manager to Replace SSL Certificates (318946)
- Replacing the vSphere 6.x Machine SSL certificate with a VMware Certificate Authority issued certificate (324990)
- How to replace the vSphere 6.0 Solution User certs with VMCA issued certs (313947)
Feedback
Yes
No
Powered by
