VMware Cloud Community
blushta
Contributor

vCenter 6.5 Appliance Self-Signed Cert Expiration

Dear Tech Community,

I have two vCenter 6.5 servers running in linked mode and I noticed that the machine self-signed certificate and other related certificates are about to expire. I was wondering which vCenter server to renew first and if there is a procedure that I need to consider when running in linked mode.

In advance thank you

Bujar

VMAKS
VMware Employee

@blushta

Thank you for your post on VMware Communities.

As a pre-requisite, take powered-off snapshots of both the vCenter Servers (and PSC VMs in case you have external).
Ensure that you have the login credential for the ESXi host which has the vCenter VMs (and PSC VMs in case you have external).
If DRS is at Fully Automated, please change it to Manual so that the vCenter VMs (and PSC VMs in case you have external) do not migrate to another host.

If the vCenter Servers are on a Physical Machine then please take a complete Windows & DB backup to be on the safer side.

To generate 6.X certificates using self-signed VMCA please refer to the VMware KB:
https://kb.vmware.com/s/article/2112283?lang=en_US

Arun Kumar

Install Upgrade Specialist

blushta
Contributor

Dear Arun,

Thank you for the detailed description.

One more question: can I renew my vCenter self-signed certificate from the GUI interface as well? I can see an option to renew all. In addition, if I'm in linked mode, does it matter which vCenter I renew first?

Thank you

Bujar 

VMAKS
VMware Employee

@blushta

Renewing the certificates from CLI through Certificate Manager should take care of renewal and it should suffice.
Once you have the proper backups and / or snapshots, it does not matter which one you renew first.

Arun Kumar

Install Upgrade Specialist

blushta
Contributor

Dear Arun,

Thank you for the article. One more question: I noticed that the PNID and hostname do not match; as per the article, these two should match. I also noticed that the existing SSL certificate has an IP address listed as the Common Name. What value should I give when prompted for FQDN and Hostname?

Thank you

B.L

Ajay1988
Expert

As the PNID is the IP, use the IP as FQDN. You can actually add both IP and FQDN, separated by a comma.

Regards,
AJ
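An added example, not part of the thread and not VMware's code: a pre-renewal check that reads the text form of a machine SSL certificate and reports how close it is to expiry and whether the PNID discussed above appears in its Common Name and Subject Alternative Name. It assumes the input is the output of `openssl x509 -noout -text`; the PNID is passed in as a string, and the sample certificate text, function names and the 30-day threshold are constructed for illustration.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Constructed sample: trimmed `openssl x509 -noout -text` output for a
# machine SSL certificate whose CN is an IP address (all values made up).
SAMPLE_TEXT = """\
Certificate:
    Data:
        Validity
            Not Before: Mar 20 17:53:00 2019 GMT
            Not After : Mar 19 17:53:00 2021 GMT
        Subject: C=US, CN=192.0.2.10
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:vc01.example.test, IP Address:192.0.2.10
"""

def parse_cert_text(text):
    """Extract (expiry, CN, SAN values) from openssl -text output."""
    not_after = re.search(r"Not After\s*:\s*(.+?)\s*GMT", text).group(1)
    expires = datetime.strptime(not_after, "%b %d %H:%M:%S %Y")
    expires = expires.replace(tzinfo=timezone.utc)
    cn = re.search(r"Subject:.*?\bCN\s*=\s*([^,/\n]+)", text)
    san = re.search(r"Subject Alternative Name:[^\n]*\n\s*(.+)", text)
    names = [e.split(":", 1)[1].strip() for e in san.group(1).split(",")] if san else []
    return expires, (cn.group(1).strip() if cn else None), names

def names_match(pnid, name):
    """Compare as IP addresses when both parse as IPs, else as hostnames."""
    try:
        return ipaddress.ip_address(pnid) == ipaddress.ip_address(name)
    except ValueError:
        return pnid.lower().rstrip(".") == name.lower().rstrip(".")

def check_cert(text, pnid, now, warn_days=30):
    """Return a list of findings; an empty list means nothing to flag."""
    expires, cn, san = parse_cert_text(text)
    findings = []
    days_left = (expires - now).days
    if days_left < 0:
        findings.append("expired")
    elif days_left <= warn_days:
        findings.append("expires in %d days" % days_left)
    if not any(names_match(pnid, n) for n in san):
        findings.append("PNID not in SAN")
    if cn is None or not names_match(pnid, cn):
        findings.append("PNID differs from CN")
    return findings
```

Running the same check against each linked vCenter before and after renewal shows whether the new certificate still carries the PNID value.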