Hi, All.
The task that I've taken on is to replace the default VMCA root certificates in our vSphere environment with intermediate certificates signed by our company CA (followed by replacing machine and solutions certs.) I'm using the Certificate Manager utility as described in the documentation here.
My environment looks like this (all nodes are VCSA 6.7U3o -- will be 6.7U3q this weekend)
Yep. External PSCs are deprecated but that's our current setup.
Each PSC is a VMCA so there are four root certs that I need to replace with intermediate certs. I've generated all the intermediate certs and replaced them along with the machine and solution certs on the four PSCs. There were no errors and the Certificate Management tool reported successful replacements each time.
However, when I connect to the hosts' DCUIs, the PSC nodes show incomplete certificate chains with missing trust anchors (intermediate and root certs.) Screenshot:
The solution certificate for the Web Client SSO looks good, though.
Searching for a solution, I found the same problem when replacing the ESXi host certificates, but the workaround (here) doesn't translate to the VCSA platform.
Is there a way to fix this on the VCSA machine certs before I plow forward to the vCenters and ESXi hosts?
Thanks.
-David