compcentrum
Contributor

VMWARE VCSA7 Appliance and WSP certificate renewal

Hello,
I want to ask if anyone has encountered a problem with VMware vSphere. I have several vSphere 7 machines as an appliance. When renewing the certificate via

/usr/lib/vmware-vmca/bin/certificate-manager

3. Replace Machine SSL certificate with VMCA Certificate 

The certificate was exchanged correctly;
the only one that is not renewed is the wcp service certificate.


Could someone advise how to extend the wcp certificate?
Thanks for the advice.

Jan

0 Kudos
6 Replies
maksym007
Expert

Have you checked the VMware articles?

https://kb.vmware.com/s/article/80588 

0 Kudos
compcentrum
Contributor

I tried that just now and anyway, even if everything goes correctly, the certificate is not extended according to the statement from

root@localhost [ ~ ]# /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store vpxd-extension --alias vpxd-extension --output /certificate/vpxd-extension.crt
root@localhost [ ~ ]# /usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store vpxd-extension --alias vpxd-extension --output /certificate/vpxd-extension.key
root@localhost [ ~ ]# python /usr/lib/vmware-vpx/scripts/updateExtensionCertInVC.py -e com.vmware.vim.eam -c /certificate/vpxd-extension.crt -k /certificate/vpxd-extension.key -s localhost -u Administrator@vsphere.local
Password to connect to VC server for user="Administrator@vsphere.local":
2022-11-27T20:20:34.290Z Updating certificate for "com.vmware.vim.eam" extension
2022-11-27T20:20:34.475Z Successfully updated certificate for "com.vmware.vim.eam" extension
2022-11-27T20:20:34.501Z Verified login to vCenter Server using certificate="/certificate/vpxd-extension.crt" is successful
root@localhost [ ~ ]# service-control --stop vmware-eam
Operation not cancellable. Please wait for it to finish...
Performing stop operation on service eam...
Successfully stopped service eam
root@localhost [ ~ ]# service-control --start --all
Operation not cancellable. Please wait for it to finish...
Performing start operation on service lwsmd...
Successfully started service lwsmd
Performing start operation on service vmafdd...
Successfully started service vmafdd
Performing start operation on service vmdird...
Successfully started service vmdird
Performing start operation on service vmcad...
Successfully started service vmcad
Performing start operation on profile: ALL...
Successfully started profile: ALL.
Performing start operation on service observability...
Successfully started service observability
Performing start operation on service vmware-vdtc...
Successfully started service vmware-vdtc
Performing start operation on service vmware-pod...
Successfully started service vmware-pod
root@localhost [ ~ ]# for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list); do echo "Store: ${store}"; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store ${store} --text | grep -E 'Alias|Not After'; done
Store: MACHINE_SSL_CERT
Alias : __MACHINE_CERT
Not After : Nov 14 06:54:07 2024 GMT
Store: TRUSTED_ROOTS
Alias : acb1e65697cee71c29c05a0925292204990c63c0
Not After : May 23 08:40:12 2032 GMT
Alias : b77b71b904ccb81332a2d573698d31456f893abc
Not After : Nov 8 19:30:05 2032 GMT
Store: TRUSTED_ROOT_CRLS
Alias : 664479f1314f9cac731f22485299022521a97d06
Alias : 5eb5e2cad8bc06f917bef01c43678164fe3f7034
Store: machine
Alias : machine
Not After : May 23 08:40:12 2032 GMT
Store: vsphere-webclient
Alias : vsphere-webclient
Not After : May 23 08:40:12 2032 GMT
Store: vpxd
Alias : vpxd
Not After : May 23 08:40:12 2032 GMT
Store: vpxd-extension
Alias : vpxd-extension
Not After : May 23 08:40:12 2032 GMT
Store: hvc
Alias : hvc
Not After : May 23 08:40:12 2032 GMT
Store: data-encipherment
Alias : data-encipherment
Not After : May 23 08:40:12 2032 GMT
Store: APPLMGMT_PASSWORD
Store: SMS
Alias : sms_self_signed
Not After : May 29 08:45:00 2032 GMT
Store: wcp
Alias : wcp
Not After : May 28 08:37:11 2024 GMT
Store: BACKUP_STORE
Alias : bkp___MACHINE_CERT
Not After : May 28 20:40:12 2024 GMT
Alias : bkp_machine
Not After : May 23 08:40:12 2032 GMT
Alias : bkp_vsphere-webclient
Not After : May 23 08:40:12 2032 GMT
Alias : bkp_vpxd
Not After : May 23 08:40:12 2032 GMT
Alias : bkp_vpxd-extension
Not After : May 23 08:40:12 2032 GMT
Alias : bkp_hvc
Not After : May 23 08:40:12 2032 GMT
Alias : bkp_wcp
Not After : May 28 08:37:11 2024 GMT

0 Kudos
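Added example, not part of the original thread and not VMware tooling: a small parser for the `Store` / `Alias` / `Not After` listing produced by the loop in the post above, which returns the entries expiring soonest. The function names and the 730-day threshold are assumptions, and the embedded sample is a subset of the listing in the post.

```python
import sys
from datetime import datetime, timezone

# Sample input: a subset of the listing in the post above.
SAMPLE = """\
Store: MACHINE_SSL_CERT
Alias : __MACHINE_CERT
Not After : Nov 14 06:54:07 2024 GMT
Store: TRUSTED_ROOT_CRLS
Alias : 664479f1314f9cac731f22485299022521a97d06
Store: APPLMGMT_PASSWORD
Store: vpxd-extension
Alias : vpxd-extension
Not After : May 23 08:40:12 2032 GMT
Store: wcp
Alias : wcp
Not After : May 28 08:37:11 2024 GMT
"""

def parse_listing(text):
    """Return (store, alias, not_after) tuples; entries without a date (CRLs) are skipped."""
    entries, store, alias = [], None, None
    for line in text.splitlines():
        key, _, value = line.partition(":")   # split at the first colon only
        key, value = key.strip(), value.strip()
        if key == "Store":
            store, alias = value, None
        elif key == "Alias":
            alias = value
        elif key == "Not After" and store and alias:
            when = datetime.strptime(value, "%b %d %H:%M:%S %Y GMT")
            entries.append((store, alias, when.replace(tzinfo=timezone.utc)))
            alias = None
    return entries

def expiring(entries, now, within_days):
    """Entries whose Not After falls within `within_days` of `now`, soonest first."""
    hits = [(s, a, (t - now).days) for s, a, t in entries
            if (t - now).days <= within_days]
    return sorted(hits, key=lambda h: h[2])

if __name__ == "__main__":
    # Pipe the loop's output in, or run without input to use the sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    now = datetime.now(timezone.utc)
    for store, alias, days in expiring(parse_listing(text), now, 730):
        print(f"{store}/{alias}: {days} days left")
```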
maksym007
Expert

This is the first time I have seen such an error.
What is your vCenter version?

0 Kudos
scott28tt
VMware Employee

As your post needs moving to a different area, I have reported it to the moderators.

 


-------------------------------------------------------------------------------------------------------------------------------------------------------------

Although I am a VMware employee I contribute to VMware Communities voluntarily (i.e. not in any official capacity)
VMware Training & Certification blog
0 Kudos
compcentrum
Contributor

Version: 7.0.1
Build: 17005016

0 Kudos
shaveen007
Contributor

Before 7.0U2, the wcp certificate as well as the Machine SSL certificate expire in 2 years, so it was correctly updated to 2024 from 2022.

0 Kudos