Hello everyone,
We have replaced the __MACHINE certificate with one created with our local CA some time ago. Since the __MACHINE cert is made with our issuing CA, I have imported the root CA and issuing CA as trusted root certificates. Unfortunately the certificate for our issuing CA has recently expired. The __MACHINE cert has been replaced after a renewal of the issuing certificate.
The expired issuing certificate is still listed in the Certificate Management page in VAMI. I have tried to replace the issuing certificate, but that option is not available in VCSA, only "View". Adding the new issuing certificate results in an error message stating that the certificate is already registered.
lsdoctor finds no problems.
I'm starting to suspect that I need to recreate all certificates on the vCenter server with the Certificate Manager Utility.
I can live with getting the SSL warning when connecting to VCSA/VAMI, so that is no real concern, but which option in the tool is the correct one?
They seem to be a bit overlapping.
What will happen to the connected ESXi hosts during this ordeal? Will they stay connected or do I have to reconnect them?
Hope someone can shed some light on this problem.
Regards
Hi,
You have to recreate all certificates with option no. 8 (8 - Reset All Certificates).
What will happen to the connected ESXi hosts during this ordeal? Nothing will happen.
Will they stay connected or do I have to reconnect them? They stay connected.
I hope the STS certificate hasn't expired either, because it's another procedure.
Don't worry, I've done this many times, nothing happens to ESXi hosts and configuration.
Regards,
Alex_Romeo
Hi,
Shortly after I posted this question, VMware support replied that they wanted to schedule a Zoom meeting yesterday.
She first tried to recreate all certificates (option 8), but this failed since the STS cert apparently had some problems. We then recreated the STS certificate with fixsts.sh (https://kb.vmware.com/s/article/76719). Then we ran the certificate tool again with option 8 and it completed (https://kb.vmware.com/s/article/2097936?lang=en_US).
The backups are running again and I can log into the management console. DRS is also configurable again.
The expired issuing CA cert is still in the certificate store, so I cannot replace the __MACHINE SSL cert with one from our CA before it is cleared out. But this is a minor nuisance compared to the problems I had.
Regards,
Helge