Dear All,
I have VCSA 7 with HA; right now our SSL certificate has expired. If we want to renew our SSL certificate, do I have to do both (active and passive) or only the active? Please guide me step by step on how to do it.
Please check this, as you are making it too complicated: https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.avail.doc/GUID-CDC20BD4-E0CE-45D9-B...
Destroy the VCHA configuration.
destroy-vcha -f
Reboot the node.
Delete the passive node and the witness VMs.
Replace certs.
Recreate the VCHA.
You need to do both, as their FQDNs are different.
My vCenter cert is going to expire soon. I am also preparing for this. I actually have the new certificate (from our internal CA) ready. But before taking action, I read online that if the cert renewal fails, we must access the vCenter through SSH. So I prepared SSH access and tried out the CLI (/usr/lib/vmware-vmca/bin/certificate-manager) on the vCenter. Then I noticed that it says the tool is not supported under HA. So I removed the HA configuration inside the vCenter and tried again to access the cert manager, and it works. Maybe this can help you with your answer.
This matches the document I saw in the product documentation:
The machine SSL certificate on each node is used for cluster management communication and for encryption of replication traffic. If you want to use custom certificates, you have to remove the vCenter HA configuration, delete the Passive and Witness nodes, provision the Active node with the custom certificate, and reconfigure the cluster.
If possible, replace certificates in the vCenter Server that will become the Active node before you clone the node.
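Since the machine SSL certificate on each node is used for replication and the Active and Passive nodes have different FQDNs, it is worth verifying the expiry of the certificate actually served by every node before the destroy-vcha / replace / recreate procedure, and again after the cluster is recreated. The script below is an added example written for this thread; it is not code from VMware or from any poster. It assumes the OpenSSL CLI is installed on the machine running the check, and the node FQDNs in the demo are constructed placeholders. The offline demo generates two throwaway self-signed certificates to stand in for what the nodes would serve; fetch_node_cert is the network-facing variant for real nodes.

```shell
#!/bin/sh
# Added example (not from the thread or from VMware): pre-flight expiry check of the
# machine SSL certificate on each VCHA node. Assumes the openssl CLI is available.
set -eu

# Fetch the certificate a node currently serves on 443 and save it as PEM.
# Needs network reachability to the node; the offline demo below does not call it.
fetch_node_cert() {
    fqdn="$1"; out="$2"
    openssl s_client -connect "$fqdn:443" -servername "$fqdn" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$out"
}

# Return 0 if the PEM certificate in $1 stays valid for at least $2 more days, 1 otherwise.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Print one line per certificate file: file | subject | notAfter | OK or RENEW,
# where RENEW means fewer than $1 days remain.
report_certs() {
    min_days="$1"; shift
    for f in "$@"; do
        subject=$(openssl x509 -in "$f" -noout -subject)
        enddate=$(openssl x509 -in "$f" -noout -enddate | sed 's/^notAfter=//')
        if cert_valid_for_days "$f" "$min_days"; then status=OK; else status=RENEW; fi
        printf '%s | %s | %s | %s\n' "$f" "$subject" "$enddate" "$status"
    done
}

# Generate a self-signed test certificate with CN=$1, valid for $2 days, into $3.
# This is a constructed stand-in for a node's certificate so the check runs offline.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=$1" \
        -keyout "$3.key" -out "$3" >/dev/null 2>&1
}

# Stand-alone demo: an Active node cert about to expire next to a Passive node
# cert with plenty of time left. FQDNs are placeholders, not real hosts.
demo() {
    dir=$(mktemp -d)
    make_test_cert vcsa-active.example.internal 10 "$dir/active.pem"
    make_test_cert vcsa-passive.example.internal 400 "$dir/passive.pem"
    report_certs 30 "$dir/active.pem" "$dir/passive.pem"
    rm -rf "$dir"
}
```

Run `demo` for the offline illustration; for a real cluster, call `fetch_node_cert <active-fqdn> active.pem` and `fetch_node_cert <passive-fqdn> passive.pem` from a host that can reach both nodes, then `report_certs 30 active.pem passive.pem`. Any node reporting RENEW after the cluster has been recreated means the new certificate did not reach that node.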
Hi,
Thanks for your information. For SSL we use self-signed certificates. How about renewing the certificates using Certificate Management and restarting the vSphere services? Is this possible?
Thank you
Remove/destroy vCHA. Replace/renew the certs and then redo vCHA.
Hi Ajay
OK, let me try this solution.
Regards
To renew the SSL certificate on a vCenter Server Appliance (VCSA) 7 with High Availability (HA), you will need to renew the certificate on both the Active and Passive nodes.
Steps to renew the SSL certificate on both the Active and Passive nodes of a VCSA 7 HA deployment:
1. Log in to the vSphere Client and navigate to the vCenter Server Appliance.
2. Click on the "Configure" tab and select "Certificate Management."
3. Click on the "Replace SSL Certificate" option.
4. Follow the wizard to generate a new Certificate Signing Request (CSR). You will need to provide information such as the organization name, common name, and email address.
5. Submit the CSR to a Certificate Authority (CA) to obtain a new SSL certificate.
6. Once you have obtained the new SSL certificate, click on the "Import" button and browse to the certificate file.
7. Click "Replace certificate" and follow the wizard to complete the certificate installation.
8. After the certificate has been updated on the Active node, log in to the Passive node and repeat steps 1-7.
Please note the cluster will only sync when the cert on both nodes is up to date.
Hi wenoi6
I can't find "Configure -> Certificate Management"; if I'm not mistaken, Certificate Management is under the Administration menu.
Regards
You are correct.
2. Click on the "Administration" menu in the upper left corner, select "Certificates" and then "Certificate Management".
3. Click on the "Replace SSL Certificate" option under the Actions menu of the particular certificate.
It is worth mentioning that you should do all these steps with administrator@vsphere.local credentials.
Hi Ajay
Thanks for sharing. Last week I renewed the VCHA certificate based on your recommendation, and it worked.