How to renew vSphere 6.5 & 6.7 certificates.
July 13, 2021 at 3:38 pm
When the vCenter certificate has expired, you will be blocked from logging in to vCenter. However, Appliance Management will continue to work. Note that there are 2 categories of certificates.
- VMware Security Token Service (STS)
- Solution, Machine, Root and other certificates.
Important Notes:
- You could avoid all these messy steps had you monitored and checked for the warnings on the vCenter Administration page for certificate expiry events.
- For Windows-based vCenter, you can refer to the same KBs mentioned here for the detailed steps.
- You may face an error when uploading the scripts to the VCSA via WinSCP. The solution is provided in the same KBs.
- Certificate Manager may fail during the process; you could refer to https://mueller-tech.com/2019/06/28/replacing-expired-certificates/ for the solution.
I used the steps mentioned below to confirm the expiry date for both of these certificates.
STS – Please refer to the KB:
https://kb.vmware.com/s/article/79248 (It requires downloading a script – checksts.py)
Others – Run the below command in the VCSA.
for i in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list); do echo STORE $i; sudo /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $i --text | egrep "Alias|Not After"; done
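The listing printed by that loop can also be checked automatically, so that expiry is caught before logins start failing. The following is an added example, not part of the original post or of VMware's tooling: it parses the loop's output and labels each certificate as expired, expiring soon or OK. The function names, the 30-day warning window and the sample listing (aliases and dates) are assumptions constructed for illustration.

```python
import re
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample of the loop's output; aliases and dates are made up.
SAMPLE = """\
STORE MACHINE_SSL_CERT
Alias :\t__MACHINE_CERT
            Not After : Jul  1 09:15:42 2021 GMT
STORE TRUSTED_ROOTS
Alias :\texample-root-alias
            Not After : Jun 26 09:15:42 2029 GMT
STORE TRUSTED_ROOT_CRLS
Alias :\texample-crl-alias
STORE machine
Alias :\tmachine
            Not After : Aug  2 09:15:42 2021 GMT
"""

def parse_listing(text):
    """Return [(store, alias, not_after_utc)] parsed from the loop's output."""
    entries, store, alias = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("STORE "):
            store, alias = line[len("STORE "):].strip(), None
        elif m := re.match(r"Alias\s*:\s*(\S+)", line):
            alias = m.group(1)  # CRL entries have an alias but no date line
        elif (m := re.match(r"Not After\s*:\s*(.+?)\s+GMT$", line)) and alias:
            stamp = " ".join(m.group(1).split())  # "Jul  1" -> "Jul 1"
            when = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
            entries.append((store, alias, when.replace(tzinfo=timezone.utc)))
            alias = None
    return entries

def classify(entries, now, warn_days=30):
    """Label each certificate EXPIRED, WARN (inside the window) or OK."""
    horizon = now + timedelta(days=warn_days)
    report = []
    for store, alias, not_after in entries:
        status = "EXPIRED" if not_after <= now else "WARN" if not_after <= horizon else "OK"
        report.append((status, store, alias, not_after))
    return report

if __name__ == "__main__":
    # Pass a file holding the saved loop output, or run without arguments for the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for status, store, alias, not_after in classify(parse_listing(text), datetime.now(timezone.utc)):
        print(f"{status:8} {store:20} {alias:20} {not_after:%Y-%m-%d}")
```

Redirect the loop's output to a file on the VCSA and pass that file as the only argument; entries without a "Not After" line, such as CRLs, are skipped.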
In my situation, both of the certificate types were expired and I had to replace all of them. To replace the STS certificate, you could utilize a script provided by VMware (fixsts.sh) using the KB: https://kb.vmware.com/s/article/76719
Once it is done, you need to restart the vCenter services using the below commands.
service-control --stop --all
service-control --start --all
service-control --status
Thereafter, you could proceed to replace the other certificates using the vSphere Certificate Manager: https://kb.vmware.com/s/article/2112283