VMware vSphere

  • 1.  Can I renew a Machine SSL certification without reconfiguring a new certool.cfg file

    Posted Dec 23, 2022 06:24 PM

    I have an expired Machine SSL certificate, and a Solution User Certificate entitled 'WCP' within my vCenter 7.0 VMware Essentials build. I need assistance in choosing the least obtrusive options within the VMware 'Certificate Manager'. I attempted to update my Machine SSL with Option 3 and received the following: Error: The following solution user certificates are expired [wcp]. Solution: Please use Option 8 from the Certificate-manager utility menu to reset the certificates.

    Here is the issue:

    I don't remember how I started the initial build that created the original certool.cfg file. The Certificate-Manager asks to use/or recreate the certool.cfg file. I fear if I answer the questions wrong during the reconfiguration, I will end up digging my hole deeper. I have attempted to view the contents of the original certool.cfg file only to see what appears to be a default template - with no custom entries.  

    Can I get away with just using what has been created in the past without making incorrect entries?

     

    If I were to opt to reconfigure the certool.cfg file, these are the prompted questions:

    Please configure certool.cfg with proper values before proceeding to next step.

    Please enter value for 'Country' (Default value: US) :

    Please enter value for 'Name' (Default value: CA) :

    Please enter value for 'Organization (Default value: VMware) :

    Please enter value for 'OrgUnit' (Default value: VMware Engineering) :

    Please enter value for 'State' (Default value: California) :

    Please enter value for 'Locality' (Default value: Palo Alto) :

    Please enter value for 'IPAddress' (Optional) :

    Please enter value for 'email' (Default value: email@acme.com) :

    Please enter value for 'Hostname' (Enter valid Fully Qualified Domain Name) :

    Please enter value for VMCA 'Name' 

     

    I attempted to bypass the reconfiguration of the certool.cfg file, avoiding the above questions and ended up receiving the following options, during my selection of option 8 :

     

    Do you wish to generate all certificates using configuration file: Option [Y/N] ?

    Certool.cfg file exists, Do you wish to reconfigure: Option [Y/N] ?

    You are going to reset by regenerating Root Certificate and replace all certificates using VMCA continue operation: Option [Y/N] ?

     

    Not sure how to answer the above questions. Any help or advice would be greatly appreciated.

     



  • 2.  RE: Can I renew a Machine SSL certification without reconfiguring a new certool.cfg file

    Broadcom Employee
    Posted Dec 23, 2022 10:40 PM

    As your post needs moving to the area for vSphere, I have reported it to the volunteer moderators.

     



  • 3.  RE: Can I renew a Machine SSL certification without reconfiguring a new certool.cfg file

    Posted Dec 24, 2022 08:50 PM

    Theoretically possible - but I am afraid it still will cause some problems 

    Better not to risk



  • 4.  RE: Can I renew a Machine SSL certification without reconfiguring a new certool.cfg file

    Posted Dec 29, 2022 06:25 PM

    Prior to receiving any response, at that moment, I went ahead with option 8 w/in the command line of Certificate Manager for my vCenter Server 7.0.

    I answered the following questions:

    Do you wish to generate all certificates using configuration file: Option [Y/N]? Y

    certool.cfg file exists, Do you wish to reconfigure: Option [Y?N]?: N

    You are going to reset by regenerating Root Certificate and replace all certificates using VMCA Continue operation: Option [Y/N]?: Y

    I received the following error message:

    805Z ERROR certificate-manager 'lstool reregister' failed: 1

    806Z ERROR certificate-manager please see /var/log/vmware/vmcad/certificate-manager.log for more information

    Viewing the log file, it appears that the renewal of the outstanding Machine SSL Certificate was successful, yet certificate-manager did not finish the process. In fact, there were no errors or failures except for what I have written above. I feel like I'm getting close to resolving my issue, and regaining web access to my vCenter Server.

    I researched the above issue and discovered an option to edit a Python help file, which of course requires some knowledge of editing a Python file. Before I dive into this, can anybody shed some light on my situation and point me in the right direction?

    Thank you