MenSch404
Contributor

Which endpoint uses the data-encipherment from the data-encipherment store certificate?

Hi,

I have a little question: vCenter 6.7 has a Certificate Status Alarm and the only certificate that is expired is this one:

/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store data-encipherment --alias data-encipherment --text

Subject: CN=data-encipherment, DC=vsphere, DC=local, C=US, OU=mID-ade53470-0163-4922-9447-0e76fb171fcf

Which endpoint uses this certificate?

Is it safe to delete it?

In https://kb.vmware.com/s/article/2111411 it is only mentioned that it can exist in some builds, but not what it is used for.

Kind regards,

Menno

pasalott
Enthusiast

I'm having the same issue. Ours is expiring on 5/27/21 and is triggering the Certificate Status alarm on our linked vCenter servers. I'm not finding much online regarding this certificate, nothing about how to renew the certificate or if it's even needed. Does anyone here have any more information regarding this cert?


MenSch404
Contributor

I asked VMware support by opening a support request, and their answer is below:

This store holds no function on the vCenter now. You can simply remove or renew it with the following steps:

Note: Please take a snapshot of the vCenter before you perform this action.

1. Delete the data-encipherment entry from vecs-store
/usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store data-encipherment --alias data-encipherment

2. Create private and public key pairs
/usr/lib/vmware-vmca/bin/certool --genkey --privkey=/etc/vmware-vpx/ssl/data-encipherment.key --pubkey=/etc/vmware-vpx/ssl/data-encipherment.pub

3. Create certfile for data encipherment: (Replace FQDN with your machine Fully Qualified Domain Name)
/usr/lib/vmware-vmca/bin/certool --server=FQDN --genCIScert --dataencipherment --privkey=/etc/vmware-vpx/ssl/data-encipherment.key --cert=/etc/vmware-vpx/ssl/data-encipherment.crt --Name=data-encipherment --FQDN=FQDN

4. Verify that the new cert is located in the VECS store with:
/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store data-encipherment --text | less

5. Restart all services.

Note: If the cert is not located in the data-encipherment VECS store, create the vecs-store entry as below:
/usr/lib/vmware-vmafd/bin/vecs-cli entry create --store data-encipherment --alias data-encipherment --server localhost --upn administrator@vsphere.local --cert /etc/vmware-vpx/ssl/data-encipherment.crt --key /etc/vmware-vpx/ssl/data-encipherment.key
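
The alarm in this thread fired only once the certificate had already expired. As an added example (not from the thread or from VMware), the script below reads the text dump that `vecs-cli entry list --store <store> --text` produces (step 4 above) and reports the alias, subject CN, expiry date and days remaining, so a store can be checked ahead of the alarm. The sample dump is constructed here and its layout (an `Alias :` line followed by an openssl-style certificate text block with a `Not After :` line) is an assumption about the vecs-cli output format; the warning threshold of 30 days is an arbitrary choice.

```python
import re
from datetime import datetime, timezone

# Constructed sample dump. The layout is an assumption modelled on
# openssl x509 text output preceded by the vecs-cli "Alias :" header.
SAMPLE_STORE_DUMP = """\
Number of entries in store :\t1
Alias :\tdata-encipherment
Entry type :\tPrivate Key
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1234 (0x4d2)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=CA, DC=vsphere, DC=local, C=US, O=vcenter.example.test
        Validity
            Not Before: May 27 10:00:00 2019 GMT
            Not After : May 27 10:00:00 2021 GMT
        Subject: CN=data-encipherment, DC=vsphere, DC=local, C=US, OU=mID-00000000-0000-0000-0000-000000000000
"""

ALIAS_RE = re.compile(r"^Alias\s*:\s*(\S+)", re.MULTILINE)
SUBJECT_CN_RE = re.compile(r"^\s*Subject:.*?CN=([^,\n]+)", re.MULTILINE)
NOT_AFTER_RE = re.compile(r"^\s*Not After\s*:\s*(.+?)\s*$", re.MULTILINE)


def parse_not_after(dump):
    """Return the certificate's Not After time as an aware UTC datetime.

    openssl prints e.g. 'May 27 10:00:00 2021 GMT'; single-digit days are
    space padded ('Jun  5 ...'), so whitespace is collapsed before parsing.
    """
    m = NOT_AFTER_RE.search(dump)
    if not m:
        raise ValueError("no 'Not After' line found in store dump")
    raw = " ".join(m.group(1).split())
    if raw.endswith(" GMT"):
        raw = raw[:-4]
    return datetime.strptime(raw, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def days_until_expiry(dump, now):
    """Whole days from `now` (aware datetime) until the certificate expires; negative if expired."""
    return (parse_not_after(dump) - now).days


def check_store_entry(dump, now, warn_days=30):
    """Summarise one store dump: who the cert is, when it expires, and whether to act."""
    alias = ALIAS_RE.search(dump)
    cn = SUBJECT_CN_RE.search(dump)
    days_left = days_until_expiry(dump, now)
    if days_left < 0:
        status = "expired"
    elif days_left <= warn_days:
        status = "expiring"
    else:
        status = "ok"
    return {
        "alias": alias.group(1) if alias else None,
        "subject_cn": cn.group(1).strip() if cn else None,
        "not_after": parse_not_after(dump).isoformat(),
        "days_left": days_left,
        "status": status,
    }


if __name__ == "__main__":
    # In practice, feed the real dump in via stdin:
    #   vecs-cli entry list --store data-encipherment --text | python3 check_vecs_expiry.py
    import sys
    dump = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STORE_DUMP
    result = check_store_entry(dump, datetime.now(timezone.utc))
    print(f"{result['alias']} (CN={result['subject_cn']}) expires {result['not_after']}: "
          f"{result['days_left']} days left, status={result['status']}")
```

Run it against each store you care about (the thread's `data-encipherment` store, but the same parsing applies to any store whose entries `vecs-cli` prints in this text form) and treat `expiring` as the trigger for the renewal steps above, rather than waiting for the Certificate Status alarm.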

pasalott
Enthusiast

Thanks. We were able to renew the cert today.
