VMware Cloud Community
dongjh
Contributor

STS Signing Certificate is expiring on Windows vCenter 6.0

Hello,

I have a Windows vCenter 6.0 whose STS Signing Certificate will expire soon. What is the right procedure to renew the certificate?

I have found some articles on this topic, but all of them are for vCenter 6.5 or vCenter 6.7, not for 6.0.

Thank you for your help!

[Attached image: a.png]

BTW, I got some errors when running the checksts.py script.

[Attached image: 无标题.png]

33 Replies
jodoll
Contributor

My problem is that the root-trust-jks import succeeded, but service-control --start --all fails. Please tell me the operation steps 1, 2, 3 ... Thanks.

jodoll
Contributor

My VM is VCSA 6.0.

dongjh
Contributor

Unfortunately, after importing the new STS certificate, some vCenter services still failed to start.

dongjh
Contributor

Any more suggestions?

Lalegre
Virtuoso

Which service failed to start? Could you please share the logs of that specific service?

dongjh
Contributor

[Attached image: pastedImage_0.png]

[Attached image: pastedImage_1.png]

Lalegre
Virtuoso

Could you please run the next commands and show the output?

"C:\Program Files\VMware\vCenter Server\vmafdd\vecs-cli" store list

"C:\Program Files\VMware\vCenter Server\vmafdd\vecs-cli" entry list --store TRUSTED_ROOTS --text | more

dongjh
Contributor

C:\Users\Administrator>"C:\Program Files\VMware\vCenter Server\vmafdd\vecs-cli" store list
MACHINE_SSL_CERT
TRUSTED_ROOTS
TRUSTED_ROOT_CRLS
machine
vsphere-webclient
vpxd
vpxd-extension
SMS
BACKUP_STORE

C:\Users\Administrator>

C:\Users\Administrator>"C:\Program Files\VMware\vCenter Server\vmafdd\vecs-cli" entry list --store TRUSTED_ROOTS --text
Number of entries in store :    2
Alias : a727c0f89ce6a6c025da7fe4d80c1438c70e1aa7
Entry type :    Trusted Cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            f8:85:f4:9b:ec:9a:18:e8
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=CA, DC=vsphere, DC=local, C=US, ST=California, O=scxt-vCenter, OU=VMware
        Validity
            Not Before: Sep 23 01:34:42 2018 GMT
            Not After : Sep 20 01:34:42 2028 GMT
        Subject: CN=CA, DC=vsphere, DC=local, C=US, ST=California, O=scxt-vCenter, OU=VMware
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                B8:FF:79:34:6C:A8:33:D7:F0:8D:B0:EE:9C:7D:E9:23:9E:A0:A7:96
            X509v3 Subject Alternative Name:
                email:email@acme.com, IP Address:127.0.0.1
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0

Alias : b3593d43b874601976e6e53b6080af9bdfaabc40
Entry type :    Trusted Cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            d6:d5:68:99:49:c7:94:f6
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=new_VMCA, DC=vsphere, DC=local, C=CN, ST=Zhejiang, O=scxt-vCenter, OU=xxzx
        Validity
            Not Before: Oct 11 06:10:49 2020 GMT
            Not After : Oct  9 06:10:49 2030 GMT
        Subject: CN=new_VMCA, DC=vsphere, DC=local, C=CN, ST=Zhejiang, O=scxt-vCenter, OU=xxzx
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                E5:01:88:15:E7:44:39:9D:BD:B4:D8:29:36:20:B8:5B:F4:A8:AF:45
            X509v3 Subject Alternative Name:
                IP Address:10.44.221.29
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0

C:\Users\Administrator>

Lalegre
Virtuoso

I can see that your certificate is in the TRUSTED_ROOTS store. Could you please confirm whether you edited certool.cfg when you followed this procedure: Generate a New STS Signing Certificate on a vCenter Windows Installation

I am asking this because you are using the default values:

X509v3 Subject Alternative Name:

email:email@acme.com, IP Address:127.0.0.1

Or are these values from the old certificate?

dongjh
Contributor

Hi,

These values are from the old certificate.

You can see the new values below.

[Attached image: pastedImage_0.png]

Lalegre
Virtuoso

Hi,

Please try to run the next:

"C:\Program Files\VMware\vCenter Server\vmafdd\vecs-cli" entry create --store TRUSTED_ROOTS --cert FULL_PATH_OF_CERT --key FULL_PATH_OF_KEY

For the path, please use the same one that is in your folder. What this is going to do is add this .cer to the TRUSTED_ROOTS store. I do not think you will need to delete the old certificate, but in case it is needed, please take a snapshot first and run:

"C:\Program Files\VMware\vCenter Server\vmafdd\vecs-cli" entry delete --store TRUSTED_ROOTS --alias a727c0f89ce6a6c025da7fe4d80c1438c70e1aa7

That number is the ALIAS of your expired certificate, which is showing an error in the vCenter Inventory Service log.

dongjh
Contributor

[Attached image: pastedImage_0.png]

[Attached image: pastedImage_1.png]

The service still failed to start after the above steps.

[Attached image: pastedImage_3.png]

2020-10-14T23:30:54.288+08:00 [WrapperListener_start_runner  ERROR com.vmware.cis.lotus.LdapUtils  opId=] Certificate not trusted; [sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed]
Trust store: [
Alias: b3593d43b874601976e6e53b6080af9bdfaabc40
[
[
  Version: V3
  Subject: OU=xxzx, O=scxt-vCenter, ST=Zhejiang, C=CN, DC=local, DC=vsphere, CN=new_VMCA
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
  Key:  Sun RSA public key, 2048 bits
  public exponent: 65537
  Validity: [From: Sun Oct 11 14:10:49 CST 2020,
               To: Wed Oct 09 14:10:49 CST 2030]
  Issuer: OU=xxzx, O=scxt-vCenter, ST=Zhejiang, C=CN, DC=local, DC=vsphere, CN=new_VMCA
  SerialNumber: [    d6d56899 49c794f6]
Certificate Extensions: 4
[1]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:0
]
[2]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]
[3]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  IPAddress: 10.44.221.29
]
[4]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: E5 01 88 15 E7 44 39 9D   BD B4 D8 29 36 20 B8 5B  .....D9....)6 .[
0010: F4 A8 AF 45                                        ...E
]
]
]
  Algorithm: [SHA256withRSA]
]

Alias: 333f1f516dea247c4f4d4e13933ea2ef629054bf
[
[
  Version: V3
  Subject: OU=scxt, O=hzliqun, L=Palo Alto, ST=Zhejiang, C=US, CN=STS
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
  Key:  Sun RSA public key, 2048 bits
  public exponent: 65537
  Validity: [From: Tue Sep 15 16:00:02 CST 2020,
               To: Thu Sep 15 16:00:02 CST 2022]
  Issuer: OU=VMware, O=scxt-vCenter, ST=California, C=US, DC=local, DC=vsphere, CN=CA
  SerialNumber: [    e7848b6c 3c69a532]
Certificate Extensions: 4
[1]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: B8 FF 79 34 6C A8 33 D7   F0 8D B0 EE 9C 7D E9 23  ..y4l.3........#
0010: 9E A0 A7 96                                        ....
]
]
[2]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  DigitalSignature
  Non_repudiation
  Key_Encipherment
]
[3]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  RFC822Name: dongjh@ahope.com.cn
  IPAddress: 10.44.221.29
  DNSName: scxt-vCenter
]
[4]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 72 2B BA B0 A2 E4 A5 B9   2F 8B A5 BA 47 7C B6 25  r+....../...G..%
0010: 3F 86 5F DE                                        ?._.
]
]
]
  Algorithm: [SHA256withRSA]
]

Alias: a727c0f89ce6a6c025da7fe4d80c1438c70e1aa7
[
[
  Version: V3
  Subject: OU=VMware, O=scxt-vCenter, ST=California, C=US, DC=local, DC=vsphere, CN=CA
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
  Key:  Sun RSA public key, 2048 bits
  public exponent: 65537
  Validity: [From: Sun Sep 23 09:34:42 CST 2018,
               To: Wed Sep 20 09:34:42 CST 2028]
  Issuer: OU=VMware, O=scxt-vCenter, ST=California, C=US, DC=local, DC=vsphere, CN=CA
  SerialNumber: [    f885f49b ec9a18e8]
Certificate Extensions: 4
[1]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:0
]
[2]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]
[3]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  RFC822Name: email@acme.com
  IPAddress: 127.0.0.1
]
[4]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: B8 FF 79 34 6C A8 33 D7   F0 8D B0 EE 9C 7D E9 23  ..y4l.3........#
0010: 9E A0 A7 96                                        ....
]
]
]
  Algorithm: [SHA256withRSA]
]

]

Certificate: [
[
  Version: V3
  Subject: C=US, CN=10.44.221.29
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
  Key:  Sun RSA public key, 2048 bits
  public exponent: 65537
  Validity: [From: Wed Sep 26 09:34:54 CST 2018,
               To: Fri Sep 25 21:34:54 CST 2020]
  Issuer: OU=VMware, O=scxt-vCenter, ST=California, C=US, DC=local, DC=vsphere, CN=CA
  SerialNumber: [    cc13a336 8e79ca2d]
Certificate Extensions: 3
[1]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: B8 FF 79 34 6C A8 33 D7   F0 8D B0 EE 9C 7D E9 23  ..y4l.3........#
0010: 9E A0 A7 96                                        ....
]
]
[2]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  IPAddress: 10.44.221.29
]
[3]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 59 11 E4 64 4F D4 48 35   85 A5 BE DF 2C D9 6D 9F  Y..dO.H5....,.m.
0010: 96 FA 48 D4                                        ..H.
]
]
]
  Algorithm: [SHA256withRSA]
]
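The log above dumps each certificate with its Validity window next to a "validity check failed" error. As an added example (not part of any post in this thread and not VMware code), this Python script parses that Java certificate dump and lists the certificates whose window does not contain the log timestamp. The sample input is condensed from the log above, and reading "CST" as UTC+8 is an assumption based on the +08:00 offset on the log line.

```python
import re
from datetime import datetime, timedelta, timezone

MONTHS = dict(zip("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), range(1, 13)))
# Assumption: "CST" here is UTC+8, matching the +08:00 on the log timestamp.
CST = timezone(timedelta(hours=8))

# Condensed from the log posted above: only the lines the parser reads.
SAMPLE_LOG = """\
2020-10-14T23:30:54.288+08:00 [... ERROR com.vmware.cis.lotus.LdapUtils opId=] Certificate not trusted; [... validity check failed]
Alias: b3593d43b874601976e6e53b6080af9bdfaabc40
  Subject: OU=xxzx, O=scxt-vCenter, ST=Zhejiang, C=CN, DC=local, DC=vsphere, CN=new_VMCA
  Validity: [From: Sun Oct 11 14:10:49 CST 2020,
               To: Wed Oct 09 14:10:49 CST 2030]
  Issuer: OU=xxzx, O=scxt-vCenter, ST=Zhejiang, C=CN, DC=local, DC=vsphere, CN=new_VMCA
Alias: 333f1f516dea247c4f4d4e13933ea2ef629054bf
  Subject: OU=scxt, O=hzliqun, L=Palo Alto, ST=Zhejiang, C=US, CN=STS
  Validity: [From: Tue Sep 15 16:00:02 CST 2020,
               To: Thu Sep 15 16:00:02 CST 2022]
  Issuer: OU=VMware, O=scxt-vCenter, ST=California, C=US, DC=local, DC=vsphere, CN=CA
Alias: a727c0f89ce6a6c025da7fe4d80c1438c70e1aa7
  Subject: OU=VMware, O=scxt-vCenter, ST=California, C=US, DC=local, DC=vsphere, CN=CA
  Validity: [From: Sun Sep 23 09:34:42 CST 2018,
               To: Wed Sep 20 09:34:42 CST 2028]
  Issuer: OU=VMware, O=scxt-vCenter, ST=California, C=US, DC=local, DC=vsphere, CN=CA
Certificate: [
  Subject: C=US, CN=10.44.221.29
  Validity: [From: Wed Sep 26 09:34:54 CST 2018,
               To: Fri Sep 25 21:34:54 CST 2020]
  Issuer: OU=VMware, O=scxt-vCenter, ST=California, C=US, DC=local, DC=vsphere, CN=CA
"""

def parse_java_date(text):
    """'Fri Sep 25 21:34:54 CST 2020' -> timezone-aware datetime."""
    _dow, mon, day, hms, _tz, year = text.split()
    h, m, s = map(int, hms.split(":"))
    return datetime(int(year), MONTHS[mon], int(day), h, m, s, tzinfo=CST)

def parse_certs(log_text):
    """One dict per dumped certificate; alias is None for the cert under validation."""
    certs, alias = [], None
    for line in map(str.strip, log_text.splitlines()):
        if line.startswith("Alias:"):
            alias = line[6:].strip()          # trust store entry follows
        elif line.startswith("Certificate: ["):
            alias = None                      # the certificate being validated
        elif line.startswith("Subject:"):
            certs.append({"alias": alias, "subject": line[8:].strip()})
        elif line.startswith("Validity: [From:") and certs:
            certs[-1]["not_before"] = parse_java_date(line[16:].rstrip(","))
        elif line.startswith("To:") and certs:
            certs[-1]["not_after"] = parse_java_date(line[3:].rstrip("]"))
        elif line.startswith("Issuer:") and certs:
            certs[-1]["issuer"] = line[7:].strip()
    return certs

def log_time(log_text):
    """Timestamp of the first log line, keeping its UTC offset."""
    m = re.search(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)\.\d+([+-]\d\d:\d\d)", log_text, re.M)
    return datetime.fromisoformat(m.group(1) + m.group(2))

def outside_validity(certs, when):
    """Certificates whose notBefore/notAfter window does not contain `when`."""
    return [c for c in certs if not (c["not_before"] <= when <= c["not_after"])]

if __name__ == "__main__":
    for c in outside_validity(parse_certs(SAMPLE_LOG), log_time(SAMPLE_LOG)):
        role = f"trust store alias {c['alias']}" if c["alias"] else "certificate being validated"
        print(f"{c['subject']} ({role}): valid until {c['not_after']}, issuer {c['issuer']}")
```

On the sample it reports only the C=US, CN=10.44.221.29 certificate, the one being validated, whose validity ended on Sep 25 2020; the three trust store entries are all inside their validity windows at the log time.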

Lalegre
Virtuoso

I am not sure what issues you are facing right now, as the certificate is correctly imported there. Are you also sure this certificate is imported in the keystore mentioned in the previous steps?

Please do not paste the whole output, as it has a lot of irrelevant data and it is confusing.

Also, I can see some entries that say new_VMCA. Have you reset all the certificates or only the STS one?

beng4
Contributor

Might help someone who runs into this issue where the inventory service won't start.

Replacing vmdir certificates on vCenter 6.0

https://blog.ntitta.in/?p=114
