How to renew certificate for existing KMS setup

NOTE: The KMS server root certificate (which, per the procedure, should have been uploaded and trusted so that vCenter trusts the KMS) has a long validity period and should never require an update. If for some reason the vCenter server no longer trusts the KMS server, re-establish the trust using the KMS root certificate only.

Here is my runlist:

  1. Log in to Vault Enterprise and navigate to Secret → KMIP → vmware
  2. Click on the desired KMIP client/role
  3. Generate new credentials → see the prerequisite section of How to connect vCenter to external KMS
  4. Once the new credentials/certificates are generated, navigate to the vCenter server’s Configuration → Security category → Key providers.
  5. Select the KMS instance used by vCenter.
  6. Select Establish Trust → Make KMS Trust vCenter.
  7. Select the option to use the KMS certificate and private key.
  8. Paste the KMS public certificate extracted in the prerequisite steps and the KMS private key (reference: prerequisite section of How to connect vCenter to external KMS)
  9. Select Establish Trust
  10. Ensure that two-way trust is established, that all certificates show a valid status, and that the overall status is healthy.
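As an added example (not part of the original post), here is step 3 done against the Vault KMIP API instead of the UI, so the new client certificate and private key land in files you can paste into the vCenter dialog in step 8. It assumes the scope is `vmware` (the path shown in the Vault UI), a placeholder role name `vcenter`, and `VAULT_ADDR`/`VAULT_TOKEN` in the environment.

```python
"""Fetch fresh KMIP client credentials from Vault Enterprise for a vCenter key provider."""
import json
import os
import urllib.request

# Assumptions (not from the original post): scope "vmware" matches the UI path
# Secret -> KMIP -> vmware; the role name, Vault address and token come from the environment.
VAULT_ADDR = os.environ.get("VAULT_ADDR", "https://vault.example.internal:8200")
VAULT_TOKEN = os.environ.get("VAULT_TOKEN", "")
MOUNT = "kmip"
SCOPE = "vmware"
ROLE = os.environ.get("KMIP_ROLE", "vcenter")  # placeholder role name


def build_generate_request(vault_addr, token, mount, scope, role):
    """Vault API: POST /v1/<mount>/scope/<scope>/role/<role>/credential/generate.
    format=pem returns certificate, private_key and ca_chain as separate PEM strings."""
    url = f"{vault_addr}/v1/{mount}/scope/{scope}/role/{role}/credential/generate"
    headers = {"X-Vault-Token": token, "Content-Type": "application/json"}
    return url, headers, {"format": "pem"}


def split_credentials(response):
    """Pull the pieces the 'Make KMS Trust vCenter' dialog needs out of the Vault response:
    the client certificate and its private key. The CA chain is kept too, but the root is
    long-lived and is only needed if vCenter has stopped trusting the KMS altogether."""
    data = response["data"]
    return {
        "client.pem": data["certificate"].strip() + "\n",
        "client.key": data["private_key"].strip() + "\n",
        "ca_chain.pem": "\n".join(c.strip() for c in data["ca_chain"]) + "\n",
        "serial_number": data["serial_number"],
    }


def generate_credentials():
    url, headers, body = build_generate_request(VAULT_ADDR, VAULT_TOKEN, MOUNT, SCOPE, ROLE)
    req = urllib.request.Request(url, data=json.dumps(body).encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return split_credentials(json.load(resp))


if __name__ == "__main__":
    files = generate_credentials()
    for name in ("client.pem", "client.key", "ca_chain.pem"):
        # 0o600 so the private key is readable only by the user running the script
        with open(name, "w", opener=lambda p, f: os.open(p, f, 0o600)) as fh:
            fh.write(files[name])
    print("new KMIP client credential serial:", files["serial_number"])
```

Each run issues a brand-new client certificate; once vCenter shows the new one as valid, revoke the old serial in Vault so the expired or superseded credential cannot be reused.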

Please leave a comment.