VMware Cloud Community
muhammadafif198
Contributor

Step by step to renew the certificate on vCenter HA

Dear All,

I have VCSA 7 with HA; right now our SSL certificate has expired. If we want to renew our SSL certificate, do I have to do both (active and passive) or only the active? Please guide me step by step to do it.


Accepted Solution
Ajay1988
Expert

Please check this, as you are making it too complicated: https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.avail.doc/GUID-CDC20BD4-E0CE-45D9-B...

Destroy the VCHA configuration.
destroy-vcha -f
Reboot the node
Delete the passive node and the witness VMs
Replace certs.
Recreate the VCHA.


Regards,
AJ

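The accepted solution above says to destroy VCHA, replace the certificate on the remaining (active) node, and recreate the cluster, while an earlier reply says both FQDNs must be handled. A practitioner wants to verify rather than guess: the helper below is an added example (not from the thread, not VMware's own tooling) that reports the lifetime and SHA-256 fingerprint of the Machine SSL certificate each node serves on port 443, so you can run it before destroying VCHA and again after recreating it and confirm that both nodes present the same fresh certificate. It assumes `openssl` on PATH (present on the VCSA shell) and GNU bash; the node FQDNs and the self-signed demo certificates are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or VMware): check the Machine SSL
# certificate lifetime on each VCHA node before and after renewal.
# Assumes: openssl on PATH, GNU bash. FQDNs below are hypothetical.
set -u

WARN_DAYS=30   # certs expiring inside this window are flagged EXPIRING

# cert_status <pem-file>: prints OK, EXPIRING or EXPIRED for the certificate.
# openssl's -checkend exits 0 only if the cert is still valid N seconds from
# now, so no date parsing is needed.
cert_status() {
    local pem="$1"
    if openssl x509 -noout -checkend "$((WARN_DAYS * 86400))" -in "$pem" >/dev/null 2>&1; then
        echo OK
    elif openssl x509 -noout -checkend 0 -in "$pem" >/dev/null 2>&1; then
        echo EXPIRING
    else
        echo EXPIRED
    fi
}

# cert_fingerprint <pem-file>: SHA-256 fingerprint. Identical output from the
# active and passive nodes means the recreated passive clone carries the
# replaced certificate.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//'
}

# fetch_node_cert <fqdn> <out-pem>: pull the leaf certificate a node serves on
# 443. This is a network call, used against real nodes, not in the offline demo.
fetch_node_cert() {
    local fqdn="$1" out="$2"
    openssl s_client -connect "${fqdn}:443" -servername "$fqdn" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$out"
}

# check_nodes <fqdn>...: one line per node; returns 1 if any cert is not OK.
check_nodes() {
    local rc=0 fqdn tmp status
    for fqdn in "$@"; do
        tmp=$(mktemp)
        if fetch_node_cert "$fqdn" "$tmp"; then
            status=$(cert_status "$tmp")
            printf '%s %s %s\n' "$fqdn" "$status" "$(cert_fingerprint "$tmp")"
            [ "$status" = OK ] || rc=1
        else
            printf '%s UNREACHABLE\n' "$fqdn"
            rc=1
        fi
        rm -f "$tmp"
    done
    return $rc
}

# make_demo_cert <days> <out-pem>: self-signed test certificate (constructed
# input so the demo runs offline; the key is discarded).
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout /dev/null -days "$1" \
        -subj "/CN=vcsa.example.com" -out "$2" >/dev/null 2>&1
}

# Offline demo: a 365-day cert reads OK, a 1-day cert reads EXPIRING.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    d=$(mktemp -d)
    make_demo_cert 365 "$d/fresh.pem"; echo "fresh: $(cert_status "$d/fresh.pem")"
    make_demo_cert 1   "$d/short.pem"; echo "short: $(cert_status "$d/short.pem")"
    rm -rf "$d"
    # Against the real cluster (hypothetical names):
    # check_nodes vcsa-active.example.com vcsa-passive.example.com
fi
```

Run `check_nodes` against the active and passive FQDNs before you start: an EXPIRED or EXPIRING result on either node confirms the renewal is needed. After `destroy-vcha -f`, the certificate replacement on the active node, and the VCHA recreate, run it again; the two nodes should both report OK and the same fingerprint, because the passive node is a clone of the active taken after the replacement.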
11 Replies
maksym007
Expert

You need to do both, as their FQDNs are different.

TTT196
Contributor

My vCenter cert is going to expire soon, and I am also preparing for this. I actually have the new certificate (from our internal CA) ready. But before taking action, I read online that if the cert renewal fails, we must access the vCenter through SSH. So I prepared the SSH access and tried to play around with the CLI (/usr/lib/vmware-vmca/bin/certificate-manager) on the vCenter. Then I noticed that it says the tool is not supported under HA. So I removed the HA configuration inside the vCenter, and then tried again to access the certificate manager, and it works. Maybe this can help you with your answer.

It matches what I saw in the product documentation:

The machine SSL certificate on each node is used for cluster management communication and for encryption of replication traffic. If you want to use custom certificates, you have to remove the vCenter HA configuration, delete the Passive and Witness nodes, provision the Active node with the custom certificate, and reconfigure the cluster.

If possible, replace certificates in the vCenter Server that will become the Active node before you clone the node.

 
muhammadafif198
Contributor

Hi, 

Thanks for your information. For SSL we use self-signed certificates. How about renewing the certificates using Certificate Management and restarting the vSphere services? Is this possible?

thank you

Ajay1988
Expert

Remove/destroy vCHA. Replace/renew the certs and then redo vCHA.


Regards,
AJ
muhammadafif198
Contributor

Hi Ajay,

Ok let me try this solution.

regards

wenoi6
Contributor

To renew the SSL certificate on a vCenter Server Appliance (VCSA) 7 with High Availability (HA), you will need to renew the certificate on both the Active and Passive nodes.

Steps to renew the SSL certificate on both the Active and Passive nodes of a VCSA 7 HA deployment:

1. Log in to the vSphere Client and navigate to the vCenter Server Appliance.

2. Click on the "Configure" tab and select "Certificate Management".

3. Click on the "Replace SSL Certificate" option.

4. Follow the wizard to generate a new Certificate Signing Request (CSR). You will need to provide information such as the organization name, common name, and email address.

5. Submit the CSR to a Certificate Authority (CA) to obtain a new SSL certificate.

6. Once you have obtained the new SSL certificate, click on the "Import" button and browse to the certificate file.

7. Click "Replace certificate" and follow the wizard to complete the certificate installation.

8. After the certificate has been updated on the Active node, log in to the Passive node and repeat steps 1-7.

Please note the cluster will only sync when the certs on both nodes are up to date.

 

muhammadafif198
Contributor

Hi wenoi6

I can't find "Configure -> Certificate Management". If I'm not mistaken, Certificate Management is under the Administration menu.

regards

wenoi6
Contributor

You are correct. 

2. Click on the "Administration" menu in the upper left corner and select "Certificates" and then "Certificate Management".

3. Click on the "Replace SSL Certificate" option under the Actions menu of the particular certificate.

 

maksym007
Expert

It is worth mentioning that all these steps should be done with the administrator@vsphere.local credentials.

muhammadafif198
Contributor

Hi Ajay,

Thanks for sharing. Last week I renewed the VCHA certificate based on your recommendation, and it worked.

 
