VMware Cloud Community
shankarsingh
Enthusiast

Renew vCenter solution user certificates


Hello,

Wishing you all a happy and healthy New Year.

I'm looking for some assistance to renew vCenter solution user certificates. We have 4 PSC servers in the same SSO domain and 4 vCenters, each connecting to its own PSC. We have an external PSC system.

Now we have seen that two of the solution user certificates (Machine and vsphere-webclient) are going to expire, so I would like to renew these certificates and need some guidelines/suggestions.

Is there any order/sequence to follow to renew the certificates?

All PSCs first, then 1 vCenter at a time?
One PSC and its vCenter, and then move to the next pair?


Below is the KB from VMware to renew certificates:

https://kb.vmware.com/s/article/2112283


The above KB is via the CLI; however, I found the blogs below to renew certificates via the GUI:

https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.psc.doc/GUID-886C7657-3C2D-4AAC-8525-D5700C... (Step5)

https://thecloudxpert.net/2017/03/howto-replace-a-vmca-certificate-via-the-gui-in-vsphere-6-5-with-p...

So is it fine to follow the GUI method to renew the certificates, and does it work fine? Or is the CLI the recommended and safe method to renew certificates?

Thanks in advance

 

0 Kudos
4 Replies
Ajay1988
Expert

Better to replace all certs so that they have the same expiry date.

All PSC certs first (one at a time) >> Start with STS certs and then all other certs.

1. STS expiry check on PSC >> https://kb.vmware.com/s/article/79248

2. STS replace on PSC >> https://kb.vmware.com/s/article/76719

3. All other certs replace on PSC >> use option 8 >> https://kb.vmware.com/s/article/2112283

4. Then replace all certs on VC, one at a time >> Option 8 - https://kb.vmware.com/s/article/2112283

 

 

If you think your queries have been answered
Mark this response as "Correct" or "Helpful".

Regards,
AJ
0 Kudos
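An added example (not part of the posts above and not VMware tooling) for deciding which certificates are due before choosing what to replace: it parses a listing in the shape left after filtering `vecs-cli entry list --store <store> --text` for `Alias` and `Not After` lines, and reports entries that are expired or expire within a threshold. The sample listing, its dates and the `[*] Store :` marker line are constructed assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the shape left after filtering
# `vecs-cli entry list --store <store> --text` for "Alias" and "Not After",
# with a "[*] Store :" marker echoed per store (marker format is an assumption).
SAMPLE = """\
[*] Store : MACHINE_SSL_CERT
Alias : __MACHINE_CERT
            Not After : Mar 14 09:21:07 2023 GMT
[*] Store : machine
Alias : machine
            Not After : Feb  2 10:15:42 2021 GMT
[*] Store : vsphere-webclient
Alias : vsphere-webclient
            Not After : Feb  2 10:15:44 2021 GMT
[*] Store : vpxd
Alias : vpxd
            Not After : Mar 14 09:30:00 2023 GMT
"""

STORE_RE = re.compile(r"^\[\*\]\s*Store\s*:\s*(\S+)")
ALIAS_RE = re.compile(r"^Alias\s*:\s*(\S+)")
AFTER_RE = re.compile(r"Not After\s*:\s*(.+?)\s*GMT\s*$")

def parse_entries(listing):
    """Return (store, alias, not_after) tuples from a filtered listing."""
    entries, store, alias = [], None, None
    for line in listing.splitlines():
        line = line.strip()
        if m := STORE_RE.match(line):
            store, alias = m.group(1), None
        elif m := ALIAS_RE.match(line):
            alias = m.group(1)
        elif m := AFTER_RE.search(line):
            stamp = " ".join(m.group(1).split())  # "Feb  2" -> "Feb 2"
            when = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
            entries.append((store, alias, when.replace(tzinfo=timezone.utc)))
    return entries

def expiring(entries, now, days=30):
    """Entries already expired or expiring within `days` of `now`, soonest first."""
    due = [(s, a, (t - now).days) for s, a, t in entries if (t - now).days < days]
    return sorted(due, key=lambda e: e[2])

if __name__ == "__main__":
    now = datetime(2021, 1, 5, tzinfo=timezone.utc)  # fixed date for a repeatable run
    for store, alias, left in expiring(parse_entries(SAMPLE), now):
        print(f"{store}/{alias}: {left} days left")
```

Running the same check on every PSC and vCenter node before and after replacement shows whether the stores ended up with matching expiry dates.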
shankarsingh
Enthusiast

Thanks, Ajay, for the response.

Do we need to renew all certificates, even if a few are not expired?

Can't we renew only the expired certificates, such as the solution user certificates?

Please can you suggest whether we can renew only the expired certificates via the GUI, and whether it is a safe method that works? Should I use the CLI and renew the certificates using Option 6 rather than 8?

Thanks

0 Kudos
bryanvaneeden
Hot Shot

In my version of vCenter Server 6.7 U3+ I've had multiple issues with replacing the SSL certs through the UI. This procedure wouldn't update all internal solution certs in the end (which I only found out way later). I would suggest using the CLI procedure to replace the certs.

Visit my blog at https://vcloudvision.com!
0 Kudos
Ajay1988
Expert

  1. Do we need to renew all certificates, even if a few are not expired?
     Not mandatory. The reason why I asked to replace all certs is to have them expire on the same dates.
  2. Can't we renew only the expired certificates, such as the solution user certificates?
     You can.
  3. Please can you suggest whether we can renew only the expired certificates via the GUI, and whether it is a safe method that works? Should I use the CLI and renew the certificates using Option 6 rather than 8?
     As said above, it is better to replace all certs using option 8 via the CLI.

If you think your queries have been answered
Mark this response as "Correct" or "Helpful".

Regards,
AJ
0 Kudos