Replacing an expired data-encipherment certificate on vCenter Server
Article ID: 312152

Updated On: 01-28-2025

Products

VMware vCenter Server

Issue/Introduction

  • This article provides steps to regenerate the certificate in the "data-encipherment" VECS store on vCenter Server with a new certificate signed by the VMware Certificate Authority (VMCA).
  • The certificate in the "data-encipherment" store is used by the VPXD service for Guest OS Customization.


Environment

VMware vCenter Server 8.0.x
VMware vCenter Server 7.0.x
VMware vCenter Server Appliance 6.7.x

Resolution

Follow any of the methods below to replace the certificate.


Scripted method to replace data-encipherment Certificate.

  • Download the attached fix_encipherment_cert.sh script from this article and upload it to the /tmp folder on the vCenter Server.
    • If the SCP client's connection to the vCenter Server is rejected, run "chsh -s /bin/bash" from an SSH session to change the shell, then retry the upload.
    • Alternatively, create the file with vi and paste in the contents of the script (e.g. vi /tmp/fix_encipherment_cert.sh).
  • Connect to the vCenter Server with an SSH session
  • Navigate to the /tmp directory:
cd /tmp
  • Run chmod +x fix_encipherment_cert.sh to make the file executable.
  • Run ./fix_encipherment_cert.sh
  • Stop VPXD, run the Windows Customization Key update, then start VPXD.

service-control --stop vpxd

/usr/sbin/vpxd -g

service-control --start vpxd

Manual Method to replace data-encipherment Certificate (appliance)

  • Take a backup of the old certificate and private key:

/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store data-encipherment --alias data-encipherment --output /tmp/old-data-encipherment.crt

/usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store data-encipherment --alias data-encipherment --output /tmp/old-data-encipherment.key

  • Delete the existing certificate from the VECS store:

/usr/lib/vmware-vmafd/bin/vecs-cli entry delete -y --store data-encipherment --alias data-encipherment

  • List the VECS store and confirm that it is empty:

/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store data-encipherment

  • Generate a new certificate using the existing private key and add it to the VECS store.
Note: the --genCIScert switch of certool automatically adds the new certificate to the certificate store.

/usr/lib/vmware-vmca/bin/certool --server=<PSC_FQDN> --genCIScert --dataencipherment --privkey=/tmp/old-data-encipherment.key --cert=/tmp/tmp-data-encipherment.crt --Name=data-encipherment --FQDN=<VC_FQDN>


Note:
<PSC_FQDN>
For vCenter Server 6.7 - replace this value with the FQDN of the Platform Services Controller if vCenter is running with an external PSC, or with the FQDN of the vCenter Server if the PSC is embedded.
For vCenter Server 7.0+ - replace this value with the vCenter Server FQDN or with "localhost".

<VC_FQDN>
Replace this value with the FQDN/PNID of the vCenter Server.

  • Verify the new certificate using the command below:
/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store data-encipherment --text | egrep 'Alias|Serial Number:|Subject:|Not Before|Not After'
  • Stop VPXD, run the Windows Customization Key update, then start VPXD.

service-control --stop vpxd

/usr/sbin/vpxd -g

service-control --start vpxd
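As an added check for the verification step above (example script written for this page, not the KB's attached fix_encipherment_cert.sh): it reads the "Not After" date from the vecs-cli --text output and reports whether the certificate has expired or will expire within one year, the same condition the upgrade paths in the Important Note use. It assumes vecs-cli prints dates in OpenSSL's X509 text layout, and falls back to a constructed sample when run off the appliance.

```shell
#!/bin/bash
# Added example (not the KB's attached script): read the "Not After" date from
# `vecs-cli entry list --store data-encipherment --text` (assumed to use OpenSSL's
# X509 text layout) and report expired / expiring within one year / ok.
VECS_CLI=/usr/lib/vmware-vmafd/bin/vecs-cli

# Constructed sample output; only the fields the KB's egrep looks for are shown.
SAMPLE_OUTPUT='Number of entries in store : 1
Alias : data-encipherment
Certificate:
    Data:
        Serial Number:
            0c:2a:1b:33
        Issuer: CN=CA, DC=vsphere, DC=local
        Validity
            Not Before: Jan  9 10:00:00 2014 GMT
            Not After : Jan  9 10:00:00 2024 GMT
        Subject: CN=data-encipherment, C=US, O=VMware Engineering'

# Print the first "Not After" value found on stdin, e.g. "Jan  9 10:00:00 2024 GMT".
not_after_of() { sed -n 's/^[[:space:]]*Not After[[:space:]]*:[[:space:]]*//p' | head -n 1; }

# Convert an OpenSSL-style date ("Mon DD HH:MM:SS YYYY TZ") to YYYYMMDD for comparison.
to_yyyymmdd() {
  echo "$1" | awk '{
    m = index("JanFebMarAprMayJunJulAugSepOctNovDec", $1); if (m == 0) exit 1
    printf "%04d%02d%02d\n", $4, (m + 2) / 3, $2 }'
}

# Usage: cert_status "<Not After value>" [today as YYYYMMDD, defaults to now (UTC)]
# Prints one of: expired | expiring-within-1y | ok
cert_status() {
  local exp today limit
  exp=$(to_yyyymmdd "$1") || return 2
  today=${2:-$(date -u +%Y%m%d)}
  limit=$(( today + 10000 ))   # same month and day, one year ahead
  if [ "$exp" -lt "$today" ]; then echo expired
  elif [ "$exp" -lt "$limit" ]; then echo expiring-within-1y
  else echo ok; fi
}

# On a vCenter appliance read the live store; elsewhere fall back to the sample.
if [ -x "$VECS_CLI" ]; then
  text=$("$VECS_CLI" entry list --store data-encipherment --text)
else
  text=$SAMPLE_OUTPUT
fi
na=$(echo "$text" | not_after_of)
echo "data-encipherment Not After: $na -> $(cert_status "$na")"
```

Run it before and after the replacement: before, the sample-style output should report expired; afterwards the date should match the VMCA root certificate's expiry and report ok.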

 

Manual Method to replace data-encipherment Certificate (Windows)

  • Take a backup of the old certificate and private key:

"%VMWARE_CIS_HOME%"\vmafdd\vecs-cli entry getcert --store data-encipherment --alias data-encipherment --output c:\tmp\old-data-encipherment.crt

"%VMWARE_CIS_HOME%"\vmafdd\vecs-cli entry getkey --store data-encipherment --alias data-encipherment --output c:\tmp\old-data-encipherment.key

  • Delete the existing certificate from the VECS store:

"%VMWARE_CIS_HOME%"\vmafdd\vecs-cli entry delete -y --store data-encipherment --alias data-encipherment

  • List the VECS store and confirm that it is empty:

"%VMWARE_CIS_HOME%"\vmafdd\vecs-cli entry list --store data-encipherment

  • Generate a new certificate using the existing private key and add it to the VECS store.
Note: the --genCIScert switch of certool automatically adds the new certificate to the certificate store.

"%VMWARE_CIS_HOME%"\vmcad\certool --server=<PSC_FQDN> --genCIScert --dataencipherment --privkey=c:\tmp\old-data-encipherment.key --cert=c:\tmp\tmp-data-encipherment.crt --Name=data-encipherment --FQDN=<VC_FQDN>


Note:
<PSC_FQDN>
For vCenter Server 6.7 - replace this value with the FQDN of the Platform Services Controller if vCenter is running with an external PSC, or with the FQDN of the vCenter Server if the PSC is embedded.
For vCenter Server 7.0+ - replace this value with the vCenter Server FQDN or with "localhost".

<VC_FQDN>
Replace this value with the FQDN/PNID of the vCenter Server.

  • Verify the new certificate using the command below:
"%VMWARE_CIS_HOME%"\vmafdd\vecs-cli entry list --store data-encipherment --text | egrep 'Alias|Serial Number:|Subject:|Not Before|Not After'
  • Stop VPXD, run the Windows Customization Key update, then start VPXD.

cd C:\Program Files\VMware\vCenter Server\bin

service-control --stop vpxd

"C:\Program Files\VMware\Infrastructure\VirtualCenter Server\vpxd.exe" -g

service-control --start vpxd


Important Note:
  • The data-encipherment certificate is issued by the VMCA root certificate, so the expiry date of the new data-encipherment certificate will be the same as that of the root certificate.
  • The data-encipherment certificate is updated automatically during a vCenter upgrade/update along the following paths:

    Upgrade from 6.7.x to 7.0U3i (70P06) or above, and below 7.0U3o (70P08)
    Upgrade from 7.0.x to 8.0 GA or above, and below 8.0U3

    In the following upgrade/update paths, the certificate is updated only when it has expired or will expire within one year, to avoid the extra time cost when an update is unnecessary:

    Upgrade from 7.0.x to 8.0U3 or above
    Update/patch from 7.0.x to 7.0U3o (70P08) or above
    Update/patch from 8.0.x to 8.0U2 or above
Attachments

fix_encipherment_cert.sh