If you have not yet upgraded to vSphere 7 and your vCenter certificate is about to expire or has already expired, here is a runlist for renewing the vCenter certificate:
- SSH to vCenter with root user and root password
- Run the tool to prepare the CSR file. The tool is located at:
/usr/lib/vmware-vmca/bin/certificate-manager
- Choose option 1 and press ENTER
- Enter username [Administrator@vsphere.local]: PRESS ENTER (unless you are using different account)
- Provide a password for administrator@vsphere.local and press enter
- Go for option 1 to Generate CSR and Key for Machine SSL Certificate
- Fill out required fields:
- Path
- Country
- Organization
- OrgUnit
- State
- Locality
- IP address
- Hostname
- VMCA
- Exit the tool by typing number 2 and hit ENTER
- Type ls -la to check that the CSR and KEY files have been generated:
-rw-r--r-- 1 root root 1252 Oct 5 16:28 vmca_issued_csr.csr
-rw-r--r-- 1 root root 1703 Oct 5 16:28 vmca_issued_key.key
- Open vmca_issued_csr.csr in your favorite editor (vi, nano)
- Copy the whole text, including -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST-----
- Paste it to notepad or notepad++
- Save as file_name.csr
- Run command to generate CERTIFICATE:
certreq -submit -attrib "CertificateTemplate:name_of_template"
- Choose the CSR file once prompted and hit ENTER
- Choose the CA once prompted and hit ENTER
- Save your cert file.
- Right-click on the cert to edit it.
- Copy the entire text, including -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST-----
- Go back to SSH session.
- Create a new file named file_name.cer
- Paste the text into the newly created file
- Type ls -la; you should now have 3 files: vmca_issued_csr.csr vmca_issued_key.key file_name.cer
- Go back to the Windows folder where your certificate was saved. You need to grab the whole certification path
- Check How to export certificate
- Once you have all certs, open them with notepad or another editing tool
- Go back to the SSH session and create a signing certificate file, for example root.cer
- Copy all text from certs to that file in order!
- Save the file.
- Run Cert Tool again:
/usr/lib/vmware-vmca/bin/certificate-manager
- Select option number 1
- Enter username : administrator@vsphere.local
- Enter password
- Select option number 2: Import custom certificate(s) and key(s) to replace existing Machines SSL certificate
- Please provide valid custom certificate for Machine SSL (certificate generated from CSR)
- Please provide valid custom key for Machine SSL.
- Please provide the signing certificate of the Machine SSL certificate (root certificate with chain)
- You are going to replace Machine SSL cert using custom cert SELECT “Y”
NOTE: ONCE CERTIFICATES ARE RENEWED YOU NEED TO REFRESH CONNECTION FOR VROPS, NSX, SRM, vRNi, vRA
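
Before running certificate-manager the second time, the three files can be checked with openssl from the same SSH session, so a wrong paste or an incomplete chain is caught before the import. The function below is an added example, not part of the original runlist or of VMware's tooling; the name check_machine_ssl and the 30-day expiry threshold are assumptions, and it assumes openssl is available in the session.

```shell
#!/bin/sh
# Added example: pre-import checks for the files named in the runlist.
# check_machine_ssl is a hypothetical helper name, not a VMware tool.
# Usage: check_machine_ssl file_name.cer vmca_issued_key.key root.cer
# Returns: 0 ok | 1 not a certificate | 2 key mismatch
#          3 chain does not verify | 4 expires within 30 days (assumed threshold)
check_machine_ssl() {
    cert=$1; key=$2; chain=$3

    # 1. The file must parse as an X.509 certificate. A CSR pasted by
    #    mistake (BEGIN CERTIFICATE REQUEST) is rejected here.
    openssl x509 -in "$cert" -noout 2>/dev/null || {
        echo "$cert is not a PEM certificate" >&2; return 1; }

    # 2. The certificate must contain the public key that belongs to the
    #    private key generated together with the CSR.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] || {
        echo "$key does not match $cert" >&2; return 2; }

    # 3. The signing file must hold the whole certification path up to the
    #    root; a missing intermediate or a wrong root fails verification.
    #    (OpenSSL may also consult its default trust directory, if populated.)
    openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1 || {
        echo "$cert does not verify against $chain" >&2; return 3; }

    # 4. Refuse a certificate that is itself close to expiry.
    openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null || {
        echo "$cert expires within 30 days" >&2; return 4; }

    echo "OK: $cert, $key and $chain are consistent"
}
```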