You can replace all VMCA-signed certificates with new VMCA-signed certificates. This process is called renewing certificates. You can renew selected certificates or all certificates in your environment from the vSphere Client.
For certificate management, you have to supply the password of the administrator of the local domain ([email protected] by default). If you are renewing certificates for a vCenter Server system, you also have to supply the vCenter Single Sign-On credentials for a user with administrator privileges on the vCenter Server system.
1. Log in with the vSphere Client to the vCenter Server connected to the Platform Services Controller.
2. Specify the user name and password for [email protected] or another member of the vCenter Single Sign-On Administrators group.
   If you specified a different domain during installation, log in as administrator@mydomain.
3. Navigate to the Certificate Management UI.
   a. From the Home menu, select Administration.
   b. Under Certificates, click Certificate Management.
4. Enter the credentials of your vCenter Server.
5. Renew the machine SSL certificate for the local system.
   a. Select Machine SSL Certificate.
   b. Click Actions > Renew.
   c. Click Renew.
   A message appears that the certificate is renewed.
6. (Optional) Renew the Solution User certificates for the local system.
   a. Under Solution Certificates, select a certificate.
   b. Click Actions > Renew to renew individual selected certificates, or click Renew All to renew all solution user certificates.
   A message appears that the certificate is renewed.
7. If your environment includes an external Platform Services Controller, you can then renew the certificates for each vCenter Server system.
   a. Click the Logout button in the Certificate Management panel.
   b. When prompted, specify the IP address or FQDN of the vCenter Server system and user name and password of a vCenter Server administrator who can authenticate to vCenter Single Sign-On.
   c. Renew the machine SSL certificate on the vCenter Server and, optionally, each solution user certificate.
   d. If you have multiple vCenter Server systems in your environment, repeat the process for each system.
What to do next
Restart services on the Platform Services Controller. You can either restart the Platform Services Controller, or run the following commands from the command line.
The vSphere Certificate Manager stores a certificate-manager.log file in these locations: Windows vCenter Server 6.x: C:\ProgramData\VMware\vCenterServer\logs\vmca\certificate-manager.
Expired ESXi host certificate(s) in a vSAN cluster can have negative impacts to vSAN functionality such as: incomplete unicast agent list on hosts resulting in unhealthy/inaccessible objects.
ESXi certificates are stored locally on each host in the /etc/vmware/ssl directory. ESXi certificates are provisioned by VMCA by default, but you can use custom certificates instead.
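To catch a host certificate before it expires, the check below reads a PEM certificate and reports whether it is inside a renewal window. It is an added example, not VMware code; the function names, the sample host name and the file name rui.crt in the usage comment are assumptions (the page names only the /etc/vmware/ssl directory).

```shell
#!/bin/sh
# cert_status FILE [DAYS]
# Prints subject, issuer and notAfter of a PEM certificate, then reports
# whether it expires within DAYS days (default 30).
# Return codes: 0 = valid beyond the window, 1 = expired or expiring soon,
#               2 = file missing or not a parseable certificate.
cert_status() {
    cert=$1
    days=${2:-30}
    # Reject anything openssl cannot parse as an X.509 certificate.
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo "UNREADABLE $cert" >&2
        return 2
    fi
    # The issuer line shows whether the certificate is VMCA-signed or custom.
    openssl x509 -in "$cert" -noout -subject -issuer -enddate
    # -checkend N exits non-zero if the certificate expires within N seconds.
    if openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null; then
        echo "OK $cert: valid for more than $days days"
        return 0
    fi
    echo "RENEW $cert: expired or expires within $days days"
    return 1
}

# make_sample_cert DIR DAYS
# Writes a constructed, throwaway self-signed certificate to DIR/cert.pem so
# the check can be exercised offline. The host name is a placeholder.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=esxi01.example.test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Demo on a constructed certificate with a 10-day lifetime.
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir" 10
cert_status "$demo_dir/cert.pem" 30 || echo "exit code: $?"
rm -rf "$demo_dir"

# On a host (file name is an assumption): cert_status /etc/vmware/ssl/rui.crt 30
```

Running the same check after a renewal confirms that the new validity dates and issuer are the ones now on disk.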
The internal certificate authority is called the VMware Certificate Authority (VMCA). Its role is to provide the certificates necessary for vCenter Server and ESXi.
Log in with the vSphere Client to the vCenter Server. Navigate to Administration > Certificates > Certificate Management. Browse and select the location of the Entrust Root and Intermediate certificates. The certificate is added in a panel under Trusted Root Certificates.
Log in to vCenter and go to Menu > Administration > Certificates > Certificate Management. Under Machine SSL Certificate, click Actions > Generate Certificate Signing Request (CSR). Enter the settings to generate a CSR. Leave Common name and host as default.
Hover over the icon in the server certificate on the topology and click the Regenerate option. Depending on the type of certificate you are regenerating, the Regenerate screen might appear. Make changes if required and click the Regenerate button. The certificate is regenerated and the topology screen opens.