If the vCenter certificate has expired, services will not start and you cannot access vCenter.
Connect to vCenter over SSH and check the status of the certificates:
for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do echo "[*] Store :" $store; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $store --text | grep -ie "Alias" -ie "Not After";done;
Check the "Not After" date of every certificate to see whether any have expired.
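To avoid comparing dates by eye, the listing can be filtered so that each certificate is marked EXPIRED or OK. This is an added example, not part of the original page: the function name, the sample listing and its dates are constructed, and it assumes "Not After" dates are printed in GMT in the form `Mon DD HH:MM:SS YYYY GMT` and that awk is available on the appliance.

```bash
# Added example, not from the original page. Sample input is constructed.
# Reads the output of the store listing loop on stdin and prints one line
# per certificate: STATUS, store, alias, Not After date (tab separated).
# $1 (optional): reference time in UTC as YYYYMMDDHHMMSS, default is now.
find_expired_certs() {
    now="${1:-$(date -u +%Y%m%d%H%M%S)}"
    awk -v now="$now" '
        BEGIN {
            n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= n; i++) mon[m[i]] = i
        }
        /^\[\*\] Store/ { store = $NF; entry = "?"; next }
        /Alias[ \t]*:/ { sub(/^.*Alias[ \t]*:[ \t]*/, ""); entry = $0; next }
        /Not After[ \t]*:/ {
            sub(/^.*Not After[ \t]*:[ \t]*/, "")
            # $0 is now e.g. "Nov 16 10:12:34 2022 GMT" (assumed GMT)
            split($3, t, ":")
            stamp = sprintf("%04d%02d%02d%02d%02d%02d", $4, mon[$1], $2, t[1], t[2], t[3])
            # Same-width digit strings, so string order equals time order
            status = ((stamp "") < (now "")) ? "EXPIRED" : "OK"
            printf "%s\t%s\t%s\t%s\n", status, store, entry, $0
        }
    '
}

# Constructed listing in the shape produced by the loop above.
sample_listing() {
    cat <<'EOF'
[*] Store : MACHINE_SSL_CERT
Alias : __MACHINE_CERT
            Not After : Nov 16 10:12:34 2022 GMT
[*] Store : machine
Alias : machine
            Not After : Jan  5 08:00:00 2021 GMT
[*] Store : vpxd
Alias : vpxd
            Not After : Mar  3 09:30:00 2031 GMT
EOF
}

# Demo run against the constructed listing with a fixed reference time.
sample_listing | find_expired_certs 20240101000000
```

On the appliance, pipe the output of the listing loop into `find_expired_certs` with no argument to compare against the current time.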
If you have expired certificates, use the certificate manager utility to automatically renew your certificates:
/usr/lib/vmware-vmca/bin/certificate-manager
In the menu, choose the option that renews the required certificate:
| Option | Detail | Required information |
|---|---|---|
| 1 | Replace the Machine SSL certificate with a Custom CA Certificate. Machine SSL Certificate provides a sub-option to generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate. | - administrator@vsphere.local password. - Path to a custom Certificate and Key for the Machine Certificate. - Path to a custom Certificate for the VMCA Root |
| 2 | This option provides a sub-option to generate Certificate Signing Request(s) and Key(s) for VMCA Root Signing certificate. | - administrator@vsphere.local password. - Configure the certool.cfg file at /usr/lib/vmware-vmca/share/config/certool.cfg (used by VMCA when generating certificates). - Root Signing Cert. - Root Signing Key. Optional Information: Do you wish to replace all Solution User certificates with custom CA? YES: Paths to the custom Certificates and Keys for the Solution Users (vpxd, vpxd-extension, vsphere-webclient, machine). Note: You can also perform this step later using Option 5. NO: VMCA will generate new Certificates/Keys for Solution Users using the provided Custom CA Signing Certificate. Note: You can also perform this step later using Option 6. Do you wish to replace Machine SSL Certificate with custom CA? YES: Path to a custom Certificate and Key for the Machine Certificate. Note: You can also perform this step later using Option 1. NO: VMCA will generate a new Certificate/Key for Machine using the provided Custom CA Signing Certificate. Note: You can also perform this step later using Option 3. |
