I have installed an external PSC (6.0 U1) and have attempted to replace the machine SSL certificate with a custom certificate from our CA.
I have tried using both the certificate-manager CLI and the new GUI-based replacement.
Both times the certificates were accepted, but when services were restarted the VMware Component Manager service hangs and fails to restart.
I am using Windows and not the appliance.
Has anyone else experienced this?
I have continued to troubleshoot this problem. The certificate-manager rolls back the certificate replacement after a period without the service being able to start.
The signed certificate was submitted and returned as expected and is in date, with correct PSC FQDN and within a certificate chain (root, subordinate, issuing).
The root64.cer contains this chain, yet the service still refuses to start.
I am going to log an SR with VMware but wondering if any others have experienced this and if it's unique to Update 1.
I may try installing the non-update PSC to see if that works.
I am trying to replace the PSC certificate prior to installing vCenter Server but get the impression this might be where I am going wrong and it isn't supported until vCenter is installed.
Can anyone confirm?
Anyone? Anyone? This reminds me of Ferris. Save Ferris.
I have tried this 6 times today, using various KBs, guides and videos provided by VMware with no success. Any help much appreciated.
I installed vCenter and still have the issue (both PSC and vCenter are Windows 2012 R2 installs).
I have now logged an SR with VMware, as I guess from the lack of replies it's just me!
At VMworld 2015 there was a conference INF4529 - VMware Certificate Management for Mere Mortals. And there was some information about one caveat: the 24 Hours Rule (at 44:38). As I understand it, the signing certificate must have a valid date of 24 hours prior before renewing host certificates or adding new hosts for vCenter. So, if you just issued a certificate from your enterprise CA for VMware CA, you need to wait for 24 hours before issuing certificates for hosts.
Maybe that is your case.
Thanks for the reply. I am not using the VMCA and applying certs the old way directly from our MS CA due to our internal restrictions.
However, it is certainly worth me trying again tomorrow morning when 24hrs have gone past. Seems a bit weird for a normal certificate.
I can see the logic if the VMCA is set as a subordinate, as the trusted certificate will need time to push to all the computers in AD (hence 24hr recommendation) to be considered trusted. However, that's not what I am doing.
Will still try it tho!
The only other thing I can think of is that we are using SHA-1 certificates. While I appreciate this isn't recommended, it doesn't say it's not supported and we don't have a choice until we refresh our PKI setup next year.
I had the same problem trying to import commercial certificates but this solved it for me.
Thanks admarshall, I had the same issue: the VMware Component Manager service was not starting while trying to replace the solution certificate with our own CA-signed cert, and this solved my problem.