Dear Tech Community,
I have two vCenter 6.5 servers running in linked mode and I noticed that the machine self-signed certificate and other related certificates are about to expire. I was wondering which vCenter server to renew first and if there is a procedure that I need to consider when running in linked mode.
In advance thank you
Bujar
Thank you for your post on VMware Communities.
As a prerequisite, take powered-off snapshots of both the vCenter Servers (and PSC VMs in case you have external).
Ensure that you have the login credentials for the ESXi host which has the vCenter VMs (and PSC VMs in case you have external).
If DRS is at Fully Automated, please change it to Manual so that the vCenter VMs (and PSC VMs in case you have external) do not migrate to another host.
If the vCenter Servers are on a Physical Machine then please take a complete Windows & DB backup to be on the safer side.
To generate 6.X certificates using self-signed VMCA please refer to the VMware KB:
https://kb.vmware.com/s/article/2112283?lang=en_US
Arun Kumar
Install Upgrade Specialist
Dear Arun,
Thank you for the detailed description.
One more question: can I renew my vCenter self-signed certificate from the GUI interface as well? I can see an option to renew all. In addition, if I'm in linked mode, does it matter which vCenter I renew first?
Thank you
Bujar
Renewing the certificates from CLI through Certificate Manager should take care of renewal and it should suffice.
Once you have the proper backups and / or snapshots, it does not matter which one you renew first.
Arun Kumar
Install Upgrade Specialist
Dear Arun,
Thank you for the article. One more question: I noticed that PNID and hostname do not match; as per the article these two should match. I also noticed that the existing SSL certificate has the Common Name as IP address listed. What value should I give when prompted for FQDN and Hostname?
Thank you
B.L
As the PNID is IP, use IP as FQDN. You can actually add both IP and FQDN separated by a comma.
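
The following is an added example, not part of the original thread or of VMware's tooling: a shell check that a PEM copy of a machine SSL certificate is close to expiry and that its Subject Alternative Name list contains the PNID (IP and/or FQDN), which can be run before and after renewal on each linked node. It assumes `openssl` is available and that the certificate has been exported to a PEM file; the address `192.0.2.10` and name `vc01.example.test` are constructed sample values.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): expiry and SAN checks for a PEM certificate.

# Exit 0 if the certificate in FILE expires within DAYS days.
# An unreadable file also counts as "expiring" so it is never silently skipped.
cert_expires_within() {
    # openssl -checkend exits 1 when the cert expires inside the window
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Exit 0 if NAME (IP or FQDN) is listed in the certificate's SAN extension.
cert_covers_name() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n '/Subject Alternative Name/{n;p;}' |   # line after the SAN header
        tr ',' '\n' |
        sed -e 's/^ *//' -e 's/^DNS://' -e 's/^IP Address://' |
        grep -Fxq -- "$2"                             # exact match only
}

# Print a short report for FILE against the expected PNID and a day threshold.
report_cert() {
    local file=$1 pnid=$2 days=${3:-30}
    openssl x509 -in "$file" -noout -subject -enddate
    cert_expires_within "$file" "$days" && echo "WARN: expires within $days days"
    cert_covers_name "$file" "$pnid" || echo "WARN: SAN does not contain $pnid"
    return 0
}

# Build a constructed 20-day sample certificate whose CN is an IP address and
# whose SAN carries both the IP and an FQDN; prints the path of the PEM file.
make_sample_cert() {
    local dir; dir=$(mktemp -d)
    cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = 192.0.2.10
[ext]
subjectAltName = IP:192.0.2.10, DNS:vc01.example.test
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 20 -config "$dir/req.cnf" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
    echo "$dir/cert.pem"
}
```

Call `report_cert /path/to/machine-ssl.pem <PNID> 30` against the exported certificate of each node; `make_sample_cert` only exists to produce a test input.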