Hello,
I have a Windows vCenter 6.0 whose STS Signing Certificate will expire soon. What is the right procedure to renew the certificate?
I have found some articles on this topic, but all of them are for vCenter 6.5 or vCenter 6.7, not for 6.0.
Thank you for your help!
BTW, I got some errors when running the checksts.py script.
Hello dongjh,
First you need to create the certificate on the Windows vCenter using the certool utility. The procedure is quite straightforward: Generate a New STS Signing Certificate on a vCenter Windows Installation
After you do that you will need to refresh the certificate: Refresh the Security Token Service Certificate
Remember:
Let us know how it goes.
Hi Lalegre,
Thank you for your quick reply, but I still encountered an error when recreating the certificate. Do you know what the problem is?
That issue is related to the OpenSSL config file being missing from that path. Either the file is missing or it is not in that path. I recommend you cd to that path and search for it. Also run the command from inside the directory.
Moderator: Thread moved to the vCenter Server area.
If your vSphere environment is running anything like production workloads, you should consider upgrading to at least 6.5, since VMware no longer provides support or updates for 6.0.
Hi,
I have created the new certificate and added it to the vCenter configuration. Unfortunately, after the reboot the STS certificate expiration warning is still there. How can I make it take effect?
Have you restarted the PSC and the vSphere Web Client?
Yes, the PSC and Web Client are installed in one VM; I have rebooted the whole VM.
Hey,
Looking here you will see some useful commands to list your current certificates and delete the unnecessary one from the Java Key Store using the keytool.exe tool: https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html
Focus on the keytool -list and keytool -delete commands.
Remember to take a snapshot first.
Hello,
What is the path and name of the keystore file?
I could not even remove either of these two certificate chains now.
Hey the path is here: C:\Program Files\VMware\vCenter Server\jre\bin\keytool.exe
It is the one mentioned in one of the first articles. Try to delete it using the tool.
Could not find the keystone.js file.
Hey,
Try to run the following: keytool.exe -list -v -keystore root-trust.jks
C:\ProgramData\VMware\vCenterServer\cfg\sso\keys\newsts>"C:\Program Files\VMware\vCenter Server\jre\bin\keytool.exe" -list -v -keystore root-trust.jks
输入密钥库口令:
密钥库类型: JKS
密钥库提供方: SUN
您的密钥库包含 2 个条目
别名: root-ca
创建日期: 2020-9-14
条目类型: trustedCertEntry
所有者: OU=VMware, O=scxt-vCenter, ST=California, C=US, DC=local, DC=vsphere, CN
=CA
发布者: OU=VMware, O=scxt-vCenter, ST=California, C=US, DC=local, DC=vsphere, CN
=CA
序列号: f885f49bec9a18e8
有效期为 Sun Sep 23 09:34:42 CST 2018 至 Wed Sep 20 09:34:42 CST 2028
证书指纹:
MD5: 9E:9E:7C:AF:70:7F:DC:02:C3:AE:E0:40:2C:80:DE:FD
SHA1: A7:27:C0:F8:9C:E6:A6:C0:25:DA:7F:E4:D8:0C:14:38:C7:0E:1A:A7
SHA256: 38:9D:83:6B:51:10:44:43:71:70:3A:C6:B8:9A:BC:B0:32:66:55:6C:3D:
E4:C2:61:6C:FD:FF:40:45:AF:E2:AA
签名算法名称: SHA256withRSA
主体公共密钥算法: 2048 位 RSA 密钥
版本: 3
扩展:
#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:0
]
#2: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]
#3: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
RFC822Name: email@acme.com
IPAddress: 127.0.0.1
]
#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: B8 FF 79 34 6C A8 33 D7 F0 8D B0 EE 9C 7D E9 23 ..y4l.3........#
0010: 9E A0 A7 96 ....
]
]
*******************************************
*******************************************
别名: newstssigning
创建日期: 2020-9-14
条目类型: PrivateKeyEntry
证书链长度: 2
证书[1]:
所有者: OU=VMware, O=VMware, L=Palo Alto, ST=California, C=US, CN=CA
发布者: OU=VMware, O=scxt-vCenter, ST=California, C=US, DC=local, DC=vsphere, CN
=CA
序列号: df6477ab15b7445d
有效期为 Mon Sep 14 14:41:13 CST 2020 至 Wed Sep 14 14:41:13 CST 2022
证书指纹:
MD5: 2F:E3:3F:98:DA:64:4F:28:1F:85:EB:5A:83:C9:5B:66
SHA1: 78:AB:83:21:3D:3E:F0:6A:DF:C9:CC:4E:32:B3:9B:7F:FC:2C:E8:74
SHA256: E7:EB:28:4C:AC:7E:9B:94:03:89:08:72:3C:46:D4:82:FB:C8:B0:4F:BC:
AB:3B:B5:6B:65:B2:7E:C7:26:DB:28
签名算法名称: SHA256withRSA
主体公共密钥算法: 2048 位 RSA 密钥
版本: 3
扩展:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: B8 FF 79 34 6C A8 33 D7 F0 8D B0 EE 9C 7D E9 23 ..y4l.3........#
0010: 9E A0 A7 96 ....
]
]
#2: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Non_repudiation
Key_Encipherment
]
#3: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
RFC822Name: dongjh@ahope.com.cn
IPAddress: 10.44.221.29
DNSName: scxt-vCenter
]
#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: EC FC 60 86 DF 98 B2 15 D3 56 7A 7F BF 23 B4 25 ..`......Vz..#.%
0010: 7D E8 3C 89 ..<.
]
]
证书[2]:
所有者: OU=VMware, O=scxt-vCenter, ST=California, C=US, DC=local, DC=vsphere, CN
=CA
发布者: OU=VMware, O=scxt-vCenter, ST=California, C=US, DC=local, DC=vsphere, CN
=CA
序列号: f885f49bec9a18e8
有效期为 Sun Sep 23 09:34:42 CST 2018 至 Wed Sep 20 09:34:42 CST 2028
证书指纹:
MD5: 9E:9E:7C:AF:70:7F:DC:02:C3:AE:E0:40:2C:80:DE:FD
SHA1: A7:27:C0:F8:9C:E6:A6:C0:25:DA:7F:E4:D8:0C:14:38:C7:0E:1A:A7
SHA256: 38:9D:83:6B:51:10:44:43:71:70:3A:C6:B8:9A:BC:B0:32:66:55:6C:3D:
E4:C2:61:6C:FD:FF:40:45:AF:E2:AA
签名算法名称: SHA256withRSA
主体公共密钥算法: 2048 位 RSA 密钥
版本: 3
扩展:
#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:0
]
#2: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]
#3: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
RFC822Name: email@acme.com
IPAddress: 127.0.0.1
]
#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: B8 FF 79 34 6C A8 33 D7 F0 8D B0 EE 9C 7D E9 23 ..y4l.3........#
0010: 9E A0 A7 96 ....
]
]
*******************************************
*******************************************
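Added example, not code from the thread or from VMware: a small Python script that parses keytool -list -v output in either the English or the Chinese-locale label format shown above, re-joins DN lines wrapped by the console, and then reports which aliases have a leaf certificate expiring within a given window and whether every PrivateKeyEntry chain links each certificate's issuer to the next certificate's subject. The sample output, DNs and dates are constructed to resemble the listing above; the label names and the date format are what keytool prints.

```python
import re
from datetime import datetime

# Constructed sample modelled on the Chinese-locale keytool -list -v output quoted in the
# thread. Aliases, DNs and dates are made up; only the label and date formats are real.
SAMPLE_KEYTOOL_OUTPUT = """\
密钥库类型: JKS
您的密钥库包含 3 个条目
别名: root-ca
条目类型: trustedCertEntry
所有者: OU=VMware, O=example-vCenter, ST=California, C=US, DC=local, DC=vsphere, CN=CA
发布者: OU=VMware, O=example-vCenter, ST=California, C=US, DC=local, DC=vsphere, CN
=CA
有效期为 Sun Sep 23 09:34:42 CST 2018 至 Wed Sep 20 09:34:42 CST 2028
*******************************************
别名: oldstssigning
条目类型: PrivateKeyEntry
证书链长度: 2
证书[1]:
所有者: OU=VMware, O=VMware, L=Palo Alto, ST=California, C=US, CN=CA
发布者: OU=VMware, O=example-vCenter, ST=California, C=US, DC=local, DC=vsphere, CN=CA
有效期为 Sun Sep 23 09:34:42 CST 2018 至 Tue Sep 22 09:34:42 CST 2020
证书[2]:
所有者: OU=VMware, O=example-vCenter, ST=California, C=US, DC=local, DC=vsphere, CN=CA
发布者: OU=VMware, O=example-vCenter, ST=California, C=US, DC=local, DC=vsphere, CN=CA
有效期为 Sun Sep 23 09:34:42 CST 2018 至 Wed Sep 20 09:34:42 CST 2028
*******************************************
别名: newstssigning
条目类型: PrivateKeyEntry
证书链长度: 2
证书[1]:
所有者: OU=VMware, O=VMware, L=Palo Alto, ST=California, C=US, CN=CA
发布者: OU=VMware, O=example-vCenter, ST=California, C=US, DC=local, DC=vsphere, CN=CA
有效期为 Mon Sep 14 14:41:13 CST 2020 至 Wed Sep 14 14:41:13 CST 2022
证书[2]:
所有者: OU=VMware, O=example-vCenter, ST=California, C=US, DC=local, DC=vsphere, CN=CA
发布者: OU=VMware, O=example-vCenter, ST=California, C=US, DC=local, DC=vsphere, CN=CA
有效期为 Sun Sep 23 09:34:42 CST 2018 至 Wed Sep 20 09:34:42 CST 2028
"""

# English and Chinese-locale labels keytool uses for the fields we care about.
LABELS = {
    "alias": r"(?:Alias name|别名):\s*(.+)",
    "type": r"(?:Entry type|条目类型):\s*(.+)",
    "owner": r"(?:Owner|所有者):\s*(.+)",
    "issuer": r"(?:Issuer|发布者):\s*(.+)",
    "valid": r"(?:Valid from:|有效期为)\s*(.+?)\s+(?:until:|至)\s+(.+)",
}
# keytool prints e.g. "Sun Sep 23 09:34:42 CST 2018". The zone token is dropped because
# strptime's %Z only accepts the local zone names, so the result is a naive datetime.
DATE_RE = re.compile(r"\w{3} (\w{3}) (\d{1,2}) (\d{2}:\d{2}:\d{2}) \S+ (\d{4})")


def parse_keytool_date(text):
    m = DATE_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised keytool date: {text!r}")
    mon, day, hms, year = m.groups()
    return datetime.strptime(f"{mon} {day} {hms} {year}", "%b %d %H:%M:%S %Y")


def parse_keytool_list(text):
    """Return [{'alias', 'type', 'certs': [{'owner', 'issuer', 'not_before', 'not_after'}]}].
    certs[0] is the entry's own (leaf) certificate; later ones are its chain."""
    text = re.sub(r"\n(?==)", "", text)  # re-join DN lines an 80-column console wrapped
    entries, entry, cert = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(LABELS["alias"], line):
            entry = {"alias": m.group(1).strip(), "type": None, "certs": []}
            entries.append(entry)
            cert = None
        elif entry is None:
            continue
        elif m := re.match(LABELS["type"], line):
            entry["type"] = m.group(1).strip()
        elif m := re.match(LABELS["owner"], line):
            cert = {"owner": m.group(1).strip(), "issuer": None,
                    "not_before": None, "not_after": None}
            entry["certs"].append(cert)
        elif cert is not None and (m := re.match(LABELS["issuer"], line)):
            cert["issuer"] = m.group(1).strip()
        elif cert is not None and (m := re.match(LABELS["valid"], line)):
            cert["not_before"] = parse_keytool_date(m.group(1))
            cert["not_after"] = parse_keytool_date(m.group(2))
    return entries


def expiring_entries(entries, now, within_days=30):
    """(alias, days_remaining) for entries whose leaf cert expires within `within_days`.
    A negative days_remaining means the certificate has already expired."""
    result = []
    for e in entries:
        if not e["certs"] or e["certs"][0]["not_after"] is None:
            continue
        remaining = (e["certs"][0]["not_after"] - now).days
        if remaining <= within_days:
            result.append((e["alias"], remaining))
    return result


def chain_problems(entries):
    """(alias, index) where certs[index]'s issuer DN is not certs[index+1]'s subject DN."""
    return [(e["alias"], i)
            for e in entries
            for i in range(len(e["certs"]) - 1)
            if e["certs"][i]["issuer"] != e["certs"][i + 1]["owner"]]


if __name__ == "__main__":
    entries = parse_keytool_list(SAMPLE_KEYTOOL_OUTPUT)
    now = parse_keytool_date("Mon Sep 14 12:00:00 CST 2020")  # fixed so the run is reproducible
    for alias, days in expiring_entries(entries, now):
        print(f"{alias}: leaf certificate expires in {days} days")
    for alias, i in chain_problems(entries):
        print(f"{alias}: certificate[{i + 1}] issuer does not match certificate[{i + 2}] subject")
```

To run it against a real keystore, pipe the output of the keytool -list -v command quoted in the thread into the script instead of SAMPLE_KEYTOOL_OUTPUT (the keystore password prompt goes to the console, not to stdout, so it does not disturb the parse). The DN comparison in chain_problems is a plain string comparison after whitespace trimming, which is enough for keytool output because it prints both DNs in the same attribute order; it is not a substitute for a real chain validation.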
Hey,
Reading a little bit more I found this:
Thank you for your great help !
But the certificate expiration warning is still there; can I ignore it?
It seems the new certificate is used.
Trusted path found: <OU=scxt,O=hzliqun,L=Palo Alto,ST=Zhejiang,C=US,CN=STS>
[2020-09-15T17:00:01.975+08:00 pool-2-thread-3 opId=bfffae9d-5700-4ee6-a1d7-54f0c6ca1e40 DEBUG com.vmware.identity.token.impl.SamlTokenImpl] SAML token signature is valid status: true
Yep, as it says it still can be there, and as you also found, it is already using the new STS certificate automatically.
Glad it helped! It was a long troubleshoot.
The same problem, from Zhejiang, China, att email yun2280@foxmail.com, thanks!