How to Replace Expired Certificates on vCenter Server using Fixcerts Python Script
search cancel

How to Replace Expired Certificates on vCenter Server using Fixcerts Python Script

book

Article ID: 322249

calendar_today

Updated On:

Products

VMware vCenter Server

Issue/Introduction

This article explains the usage of Python based script 'fixcerts_3_1.py' (attached at the bottom of this article) to replace the Certificates on vCenter Server Appliance.

This script will help to replace following Certificates on vCenter Server using the Certificates Signed by Default VMCA:

  • VMCA Root
  • MACHINE SSL
  • Secure Token Signing (STS)
  • Solution Users
  • LookupService or STS_INTERNAL_SSL_CERT (if exists)
  • data-encipherment
  • SMS
  • Remove Expired Certificates from TRUSTED_ROOTS store
  • Remove Non-CA Certificates from TRUSTED_ROOTS store
  • Update Thumbprint for VPXD Extensions (eam, rbd & imagebuilder)

Notes:

  1. ​​​​​​This script cannot be used to replace Custom Certificates on vCenter Server
  2. This script is not a replacement for Certificate Management UI or CLI on vCenter Server
  3. This script is not supported on Windows vCenter Server
  4. Offline snapshots of VCs/PSCs in same vSphere Domain, this is required for the VC rollback in case required especially if you are using Enhanced Linked Mode (ELM)
  5. You will also need your SSO Admin Password



Environment

VMware vCenter Server 8.0.x
VMware vCenter Server Appliance 6.7.x
VMware vCenter Server Appliance 6.5.x
VMware vCenter Server 7.0.x

Resolution

Steps to execute the script on vCenter Server Appliance :

  1. Download the fixcerts_3_1.py script from the attachments section below
  2. Copy the script to vCenter Server Appliance using WinSCP or follow below steps to copy paste the script using Clipboard
  • Open the Script using a text editor (preferably Notepad++)
  • Copy the contents (Ctrl + C )
  • Connect to VCSA using SSH Client (Eg. Putty)
  • Change the Shell to Bash if it is in Appliance Shell
  • Create a new file using 'vi' command
  • Right Click and Paste the Contents copied from Step 3 (or use 'Shift + Insert' to paste)
  • Save and exit from VI editor (Esc key + :wq!)
  1. Execute any of below command
  • To replace Only Expired Certificates (python fixcerts_3_1.py replace --certType expired_only)
  • To replace All the Certificates (python fixcerts_3_1.py replace --certType all)
  1. Follow further instructions by providing the inputs to the script:
  • Enter the SSO Administrator Credentials
  • Validity of existing certificates will be displayed, read the instructions and enter 'Yes' or 'Y' to Continue
  • It will read the existing MACHINE SSL Certificate Fields (such as Country, Organization etc..), please enter 'Yes' or 'Y' to continue with the same fields. You may enter 'No' to Customize the fields:
  • It will proceed with replacement of all the Expired Certificates, please enter 'Yes' or 'Y' to restart the services post certificate replacement. You may enter 'No' or 'N' to restart the services manually using 'service-control' command :
  • It will display the execution status and validity of Certificates post replacement operation

Additional Information

Fixcerts script accepts some additional arguments for the default VMCA certificate replacement, following are some examples :

Replace ONLY EXPIRED Certificates

  • python fixcerts_3_1.py replace --certType expired_only
  • python fixcerts_3_1.py replace --certType expired_only --serviceRestart True [To restart all the services automatically post certificate replacement]
  • python fixcerts_3_1.py replace --certType expired_only --additionalSAN fqdn1,fqdn2 [if multiple hostnames are required in SAN, provide comma separated values for multiple FQDNs]
  • python fixcerts_3_1.py replace --certType expired_only --silent True --password "<sso admin password>" --serviceRestart True|False [for silent replacement without any user inputs]
  • python fixcerts_3_1.py replace --certType expired_only --validityDays <number between 1 to 3650> [To Customize the certificate validity, by default VMCA signs certificate with 2 year validity]
  • python fixcerts_3_1.py replace --certType expired_only --keySize <2048/3072/4096> [To Customize the Key Length, by default VMCA signs certificate with 2048 as key size]


Replace all the Certificates on vCenter Server

  • python fixcerts_3_1.py replace --certType all
  • python fixcerts_3_1.py replace --certType all --serviceRestart True [To restart all the services automatically post certificate replacement]
  • python fixcerts_3_1.py replace --certType all --additionalSAN fqdn1,fqdn2 [if multiple hostnames are required in SAN, provide comma separated values for multiple FQDNs]
  • python fixcerts_3_1.py replace --certType all --silent True --password "<sso admin password>" --serviceRestart True|False [for silent replacement without any user inputs]
  • python fixcerts_3_1.py replace --certType all --validityDays <number between 1 to 3650> [To Customize the certificate validity, by default VMCA signs certificate with 2 year validity. Please note, the VMCA Root Certificate will have the default 10 years validity and the default Key Size which cannot be Customized]
  • python fixcerts_3_1.py replace --certType all --keySize <2048/3072/4096> [To Customize the Key Length, by default VMCA signs certificate with 2048 as key size]


Replace VMCA Root Certificate and all other Certificates

  • python fixcerts_3_1.py replace --certType root
  • python fixcerts_3_1.py replace --certType root --serviceRestart True [To restart all the services automatically post certificate replacement]
  • python fixcerts_3_1.py replace --certType root --silent True --password "<sso admin password>" --serviceRestart True|False [for silent replacement without any user inputs]


Replace MACHINE_SSL_CERT Certificate

  • python fixcerts_3_1.py replace --certType machinessl
  • python fixcerts_3_1.py replace --certType machinessl --serviceRestart True [To restart all the services automatically post certificate replacement]
  • python fixcerts_3_1.py replace --certType machinessl --additionalSAN fqdn1,fqdn2 [if multiple hostnames are required in SAN, provide comma separated values for multiple FQDNs]
  • python fixcerts_3_1.py replace --certType machinessl --silent True --password "<sso admin password>" --serviceRestart True|False [for silent replacement without any user inputs]
  • python fixcerts_3_1.py replace --certType machinessl --validityDays <number between 1 to 3650> [To Customize the certificate validity, by default VMCA signs certificate with 2 year validity]
  • python fixcerts_3_1.py replace --certType machinessl --keySize <2048/3072/4096> [To Customize the Key Length, by default VMCA signs certificate with 2048 as key size]


Replace STS (Signing Certificate) Certificate

  • python fixcerts_3_1.py replace --certType sts
  • python fixcerts_3_1.py replace --certType sts --serviceRestart True [To restart all the services automatically post certificate replacement]
  • python fixcerts_3_1.py replace --certType sts --silent True --password "<sso admin password>" --serviceRestart True|False [for silent replacement without any user inputs]
  • python fixcerts_3_1.py replace --certType sts --validityDays <number between 1 to 3650> [To Customize the certificate validity, by default VMCA signs certificate with 2 year validity]
  • python fixcerts_3_1.py replace --certType sts --keySize <2048/3072/4096> [To Customize the Key Length, by default VMCA signs certificate with 2048 as key size]


Replace Solution User Certificates

  • python fixcerts_3_1.py replace --certType solutionusers
  •  
  • python fixcerts_3_1.py replace --certType solutionusers --serviceRestart True [To restart all the services automatically post certificate replacement]
  • python fixcerts_3_1.py replace --certType solutionusers --silent True --password "<sso admin password>" --serviceRestart True|False [for silent replacement without any user inputs]
  • python fixcerts_3_1.py replace --certType solutionusers --validityDays <number between 1 to 3650> [To Customize the certificate validity, by default VMCA signs certificate with 2 year validity]
  • python fixcerts_3_1.py replace --certType solutionusers --keySize <2048/3072/4096> [To Customize the Key Length, by default VMCA signs certificate with 2048 as key size]


Replace data-encipherment Certificate

  • python fixcerts_3_1.py replace --certType data-encipherment
  • python fixcerts_3_1.py replace --certType data-encipherment --serviceRestart True [To restart all the services automatically post certificate replacement]
  • python fixcerts_3_1.py replace --certType data-encipherment --silent True --password "<sso admin password>" --serviceRestart True|False [for silent replacement without any user inputs]
  • python fixcerts_3_1.py replace --certType data-encipherment --force_encipherment_replace True|False [by default script will replace the data-enciphement cert only if it is expired, use the force switch if you want to override]


Replace LookupService Certificate if a STS_INTERNAL_SSL_CERT store is available

  • python fixcerts_3_1.py replace --certType lookupservice
  • python fixcerts_3_1.py replace --certType lookupservice --serviceRestart True [To restart all the services automatically post certificate replacement]
  • python fixcerts_3_1.py replace --certType lookupservice --additionalSAN fqdn1,fqdn2 [if multiple hostnames are required in SAN, provide comma separated values for multiple FQDNs]
  • python fixcerts_3_1.py replace --certType lookupservice --silent True --password "<sso admin password>" --serviceRestart True|False [for silent replacement without any user inputs]
  • python fixcerts_3_1.py replace --certType lookupservice --validityDays <number between 1 to 3650> [To Customize the certificate validity, by default VMCA signs certificate with 2 year validity]
  • python fixcerts_3_1.py replace --certType lookupservice --keySize <2048/3072/4096> [To Customize the Key Length, by default VMCA signs certificate with 2048 as key size]


Replace expired Certificates from SMS store

  • python fixcerts_3_1.py replace --certType sms
  • python fixcerts_3_1.py replace --certType sms --serviceRestart True [To restart all the services automatically post certificate replacement]


Remove Non-CA Certificates from TRUSTED_ROOTS store, if any

  • python fixcerts_3_1.py remove --storeType trusted_roots --certType non-ca
  • python fixcerts_3_1.py remove --storeType trusted_roots --certType non-ca --serviceRestart True [To restart all the services automatically post certificate replacement]


Remove expired Certificates from TRUSTED_ROOTS store, if any

  • python fixcerts_3_1.py remove --storeType trusted_roots --certType expired
  • python fixcerts_3_1.py remove --storeType trusted_roots --certType expired --serviceRestart True [To restart all the services automatically post certificate replacement]


Update Thumbprint for VPXD Extensions (eam, rbd & imagebuilder)

  • python fixcerts_3_1.py update --ExtensionType all (to update thumbprint of all three extensions - eam, rbd & imagebuilder)
  • python fixcerts_3_1.py update --ExtensionType eam (to update thumbprint of only eam extension)
  • python fixcerts_3_1.py update --ExtensionType rbd (to update thumbprint of only rbd extension)
  • python fixcerts_3_1.py update --ExtensionType imagebuilder (to update thumbprint of only imagebuilder extension)

 


The link below provides additional interfaces for managing vCenter Server Certificates.

vSphere Certificate Management

 

In the event that you would like to use the vSphere Certificate Management to replace the certificates, use the link below.

Attachments

fixcerts_3_1.py get_app