Running into an issue when replacing certs on the IaaS web server. I replace the cert in the vRA Appliance and I get the error "Certificate with thumbprint {thumbprint} not found in store." I checked and the certificate was definitely added to the IaaS web server. I even changed the binding of IIS on that web server to use the new certificate and then ran the process in the vRA appliance again and I got the same message.
I worked with support on this and they didn't even try to troubleshoot updating the cert through the VAMI. They had me manually do it using basically the same steps as 6.2 (although there is a new URL) - http://pubs.vmware.com/vra-70/index.jsp#com.vmware.vrealize.automation.doc/GUID-91B9E89E-206B-4B1C-9...
I know this doesn't actually solve the root cause of the problem but at least if you stumble onto this thread you'll know not to waste time trying to get it to work through the VAMI.
Update 9/7/2016
The above vRA 7 link no longer works and I'm unable to find a replacement for vRA 7. However, the steps are the same as those documented for vRA 6, which can be found here: http://pubs.vmware.com/vra-62/index.jsp?topic=%2Fcom.vmware.vra.install.doc%2FGUID-91B9E89E-206B-4B1...
Hi skoch,
The problem is with the certificate update process. An over-validation happens that checks if the cert is present in Trusted People (which it shouldn't be if the cert is CA signed).
To work around the failure you need to manually deploy the new cert in the [Local computer].Trusted people store. Once the change procedure completes you can remove it from trusted people.
Also, since you are providing just the thumbprint to VAMI, and not uploading the certificate, you will need to make sure the cert (with the PK) is already deployed to the [Local Computer].Personal store on all Web servers.
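The workaround described above can be checked and applied per web server with a script like the following. This is an added example, not part of the original replies and not VMware code; the script name, parameter names and `Action` values are hypothetical, and it assumes the validation only needs the public certificate in Trusted People, so the private key is not copied there.

```powershell
# Added example (hypothetical script Test-IaasCert.ps1). Run elevated on each IaaS web server.
param(
    [Parameter(Mandatory)][string]$Thumbprint,          # thumbprint you will give to the VAMI
    [ValidateSet('Check', 'Stage', 'Cleanup')][string]$Action = 'Check'
)

# Strip spaces and invisible characters picked up when copying from the certificate MMC.
$tp = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($tp.Length -ne 40) { throw "Expected 40 hex digits (SHA-1 thumbprint), got $($tp.Length)." }

$personal = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $tp }
$trusted = Get-ChildItem -Path Cert:\LocalMachine\TrustedPeople |
    Where-Object { $_.Thumbprint -eq $tp }

# Preconditions from the thread: cert with private key in Personal on every web server.
[pscustomobject]@{
    Server           = $env:COMPUTERNAME
    InPersonal       = [bool]$personal
    HasPrivateKey    = [bool]($personal -and $personal.HasPrivateKey)
    NotExpired       = [bool]($personal -and $personal.NotAfter -gt (Get-Date))
    InTrustedPeople  = [bool]$trusted
}

if ($Action -eq 'Check') { return }
if (-not $personal) { throw "Certificate $tp is not in LocalMachine\My; import it first." }

$store = [System.Security.Cryptography.X509Certificates.X509Store]::new('TrustedPeople', 'LocalMachine')
$store.Open('ReadWrite')
try {
    if ($Action -eq 'Stage' -and -not $trusted) {
        # Assumption: a public-only copy satisfies the check (same thumbprint, no key duplicated).
        $publicOnly = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($personal.RawData)
        $store.Add($publicOnly)
    }
    elseif ($Action -eq 'Cleanup' -and $trusted) {
        # After the VAMI change completes, remove the temporary entry again.
        $store.Remove($trusted)
    }
}
finally {
    $store.Close()
}
```

Run it with `-Action Check` first, `-Action Stage` before the certificate change in the VAMI, and `-Action Cleanup` once the change has completed, so a CA-signed certificate does not stay pinned in Trusted People.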
Thank you, that did the trick.
I copied the cert from the natural location, Local Computer Personal, to Local Computer Trusted People.
Re-imported and it worked as expected.
A minor hiccup for such a great improvement on updating certs.
Thanks for the info.
Hi Aronov,
Do you know if this has been corrected in 7.0.1 or 7.1? I don't see anything about it in the release notes and have another customer who appears to be having the same issue with 7.0.1.
Thanks!
It was fixed in 7.1