{"id":1543,"date":"2024-05-17T20:47:56","date_gmt":"2024-05-18T01:47:56","guid":{"rendered":"https:\/\/zewwy.ca\/?p=1543"},"modified":"2024-05-20T10:24:38","modified_gmt":"2024-05-20T15:24:38","slug":"renew-root-certificate-on-vcenter","status":"publish","type":"post","link":"https:\/\/zewwy.ca\/index.php\/2024\/05\/17\/renew-root-certificate-on-vcenter\/","title":{"rendered":"Renew Root Certificate on vCenter"},"content":{"rendered":"

<\/span>Renew Root Certificate on vCenter<\/span><\/h1>\n

I’ve always accepted the self signed cert, but what if I wanted a green checkbox? With a cert sign by an internal PKI….\u00a0 We can dream for now I get this…<\/p>\n

\"\"<\/a><\/p>\n

First off since I did a vCenter rename<\/a>, and in that post I checked the cert, that was just for the machine cert (the Common name noticed above snip), this however didn’t renew\/replace the root certificate. If I’m going to renew the machine cert, may as well do a new Root, I’m assuming this will also renew the STS cert, but well validate that.<\/p>\n

Source: Regenerate a New VMCA Root Certificate and Replace All Certificates (vmware.com)<\/a><\/p>\n

<\/span>Prerequisites<\/span><\/h2>\n

You must know the following information when you run vSphere Certificate Manager with this option.<\/p>\n

Password for administrator@vsphere.local.
\nThe FQDN of the machine for which you want to generate a new VMCA-signed certificate. All other properties default to the predefined values but can be changed.<\/p>\n

<\/span>Procedure<\/span><\/h2>\n

Log in to the vCenter Server on an embedded deployment or on a Platform Services Controller and start the vSphere Certificate Manager.
\nOS Command
\nFor Linux:\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0\/usr\/lib\/vmware-vmca\/bin\/certificate-manager
\nFor Windows:\u00a0 \u00a0 \u00a0 C:\\Program Files\\VMware\\vCenter Server\\vmcad\\certificate-manager.bat
\n*Is Windows still support, I thought they dropped that a while ago…)<\/p>\n

\"\"<\/a><\/p>\n

Select option 4, Regenerate a new VMCA Root Certificate and replace all certificates.<\/p>\n

ok dokie… 4….<\/p>\n

\"\"<\/a><\/p>\n

and then….<\/p>\n

\"\"<\/a><\/p>\n

five minutes later….<\/p>\n

\"\"<\/a><\/p>\n

Checking the Web UI, shows the main sign in page already has the new Cert bound, but attempting to sign in and get the FBA page just reported back that “vmware services are starting”. The SSH session still shows 85%, I probably should have done this via direct console as I’m not 100% if if affect the SSH session. I’d imagine it wouldn’t….<\/p>\n

\"\"<\/a><\/p>\n

10 minutes later, I felt it was still not responding, on the ESXi host I could see CPU on VCSA up 100% and stayed there the whole time and finally subsided 10 minutes later, I brought focus to my SSH session and pressed enter…<\/p>\n

\"\"<\/a><\/p>\n

Yay and the login…. FBA page loads.. and login… Yay it works….<\/p>\n

So even though the Root Cert was renewed, and the machine cert was renewed… the STS was not and the old Root remains on the VCSA….<\/p>\n

\"\"<\/a><\/p>\n

So the KB title is a bit of a lie and a misnomer “Regenerate a New VMCA Root Certificate and Replace All Certificates”… Lies!!<\/p>\n

But it did renew the CA cert and the Machine cert, in my next post I’ll cover renewing the STS cert.<\/p>\n

 <\/p>\n","protected":false},"excerpt":{"rendered":"

Renew Root Certificate on vCenter I’ve always accepted the self signed cert, but what if I wanted a green checkbox? With a cert sign by an internal PKI….\u00a0 We can dream for now I get this… First off since I did a vCenter rename, and in that post I checked the cert, that was just … <\/p>\n

Continue reading “Renew Root Certificate on vCenter”<\/span><\/a><\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"sfsi_plus_gutenberg_text_before_share":"","sfsi_plus_gutenberg_show_text_before_share":"","sfsi_plus_gutenberg_icon_type":"","sfsi_plus_gutenberg_icon_alignemt":"","sfsi_plus_gutenburg_max_per_row":"","footnotes":""},"categories":[5,8],"tags":[378,88],"class_list":["post-1543","post","type-post","status-publish","format-standard","hentry","category-hypervisors","category-server-administration","tag-root-certificates","tag-vmware"],"_links":{"self":[{"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/posts\/1543","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/comments?post=1543"}],"version-history":[{"count":2,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/posts\/1543\/revisions"}],"predecessor-version":[{"id":1545,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/posts\/1543\/revisions\/1545"}],"wp:attachment":[{"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/media?parent=1543"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/categories?post=1543"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/tags?post=1543"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}