VMware vSphere


step by step to renewal certificate VCenter HA

  • 1.  step by step to renewal certificate VCenter HA

    Posted Feb 08, 2023 07:52 AM

    Dear All,

    I have VCSA 7 with HA. Right now our SSL certificate has expired. If we want to renew our SSL certificate, do I have to do both (active and passive) or only the active? Please guide me step by step.



  • 2.  RE: step by step to renewal certificate VCenter HA

    Posted Feb 09, 2023 09:50 AM

    You need to do both, as their FQDNs are different.



  • 3.  RE: step by step to renewal certificate VCenter HA

    Posted Feb 09, 2023 11:17 PM

    My vCenter cert is going to expire soon. I am also preparing for this. I actually have the new certificate (from our internal CA) ready. But before taking action, I read online that if the cert renewal fails, we must access the vCenter through SSH. So I prepared SSH access and tried out the CLI (/usr/lib/vmware-vmca/bin/certificate-manager) on the vCenter. Then I noticed that it says the tool is not supported under HA. So I removed the HA configuration inside the vCenter and then tried again to access the cert manager, and it works. Maybe it can help you with your answer.

    It validates what I saw in the product documentation:

    The machine SSL certificate on each node is used for cluster management communication and for encryption of replication traffic. If you want to use custom certificates, you have to remove the vCenter HA configuration, delete the Passive and Witness nodes, provision the Active node with the custom certificate, and reconfigure the cluster.

    If possible, replace certificates in the vCenter Server that will become the Active node before you clone the node.

     


  • 4.  RE: step by step to renewal certificate VCenter HA

    Posted Feb 10, 2023 01:30 AM

    Hi, 

    Thanks for your information. For SSL we use self-signed certificates. How about renewing the certificates using Certificate Management and restarting the vSphere services? Is this possible?

    Thank you



  • 5.  RE: step by step to renewal certificate VCenter HA

    Broadcom Employee
    Posted Feb 14, 2023 04:16 PM

    Remove/destroy vCHA. Replace/renew certs and then redo vCHA.



  • 6.  RE: step by step to renewal certificate VCenter HA

    Posted Feb 15, 2023 01:06 AM

    Hi Ajay

    OK, let me try this solution.

    Regards



  • 7.  RE: step by step to renewal certificate VCenter HA

    Posted Feb 15, 2023 11:29 AM

    To renew the SSL certificate on a vCenter Server Appliance (VCSA) 7 with High Availability (HA), you will need to renew the certificate on both the Active and Passive nodes.

    Steps to renew the SSL certificate on both the Active and Passive nodes of a VCSA 7 HA deployment:

    1. Log in to the vSphere Client and navigate to the vCenter Server Appliance.

    2. Click on the "Configure" tab and select "Certificate Management."

    3. Click on the "Replace SSL Certificate" option.

    4. Follow the wizard to generate a new Certificate Signing Request (CSR). You will need to provide information such as the organization name, common name, and email address.

    5. Submit the CSR to a Certificate Authority (CA) to obtain a new SSL certificate.

    6. Once you have obtained the new SSL certificate, click on the "Import" button and browse to the certificate file.

    7. Click "Replace certificate" and follow the wizard to complete the certificate installation.

    8. After the certificate has been updated on the Active node, log in to the Passive node and repeat steps 1-7.

    Please note the cluster will only sync when the certs on both nodes are up to date.

     



  • 8.  RE: step by step to renewal certificate VCenter HA

    Posted Feb 16, 2023 01:39 AM

    Hi wenoi6

    I can't find "Configure -> Certificate Management". If I'm not mistaken, Certificate Management is under the Administration menu.

    Regards



  • 9.  RE: step by step to renewal certificate VCenter HA

    Posted Feb 20, 2023 03:41 PM

    You are correct. 

    2. Click on the "Administration" menu in the upper left corner and select "Certificates" and then "Certificate Management".

    3. Click on the "Replace SSL Certificate" option under the action menu of the particular certificate.

     



  • 10.  RE: step by step to renewal certificate VCenter HA

    Posted Feb 20, 2023 09:11 PM

    It is worth mentioning that you should do all these steps with administrator@vsphere.local credentials.



  • 11.  RE: step by step to renewal certificate VCenter HA
    Best Answer

    Broadcom Employee
    Posted Feb 21, 2023 01:44 AM

    Please check this, as you are making it too complicated: https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.avail.doc/GUID-CDC20BD4-E0CE-45D9-B73B-9AA795DA5FDD.html

    Destroy the VCHA configuration.
    destroy-vcha -f
    Reboot the node
    Delete the passive node and the witness VMs
    Replace certs.
    Recreate the VCHA.
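
A check that fits between "Replace certs" and "Recreate the VCHA" in the steps above, as an added example that is not part of the thread or of any VMware tooling: it confirms that a saved certificate parses, is not expired, matches the expected FQDN, and is not about to expire again. It assumes the `openssl` CLI is available; the host names, file names and the sample certificate are constructed.

```shell
#!/usr/bin/env bash
# Added example. Host names and file names are constructed placeholders.
# To save the certificate a node presents on port 443 (needs network access):
#   openssl s_client -connect vcsa.example.test:443 -servername vcsa.example.test \
#     </dev/null 2>/dev/null | openssl x509 > machine-ssl.pem

# cert_status PEM_FILE FQDN [WARN_DAYS]
# Prints UNREADABLE, EXPIRED, NAME_MISMATCH, EXPIRING or OK.
cert_status() {
    local pem="$1" fqdn="$2" warn_days="${3:-30}"
    # Reject anything openssl cannot parse as an X.509 certificate.
    openssl x509 -in "$pem" -noout >/dev/null 2>&1 || { echo UNREADABLE; return; }
    # -checkend N exits non-zero when the certificate expires within N seconds.
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null || { echo EXPIRED; return; }
    # -checkhost reports "does match" or "does NOT match" against SAN/CN.
    openssl x509 -in "$pem" -noout -checkhost "$fqdn" | grep -q 'does match' \
        || { echo NAME_MISMATCH; return; }
    # Still valid, but flag it if it expires inside the warning window.
    openssl x509 -in "$pem" -noout -checkend $((warn_days * 86400)) >/dev/null \
        || { echo EXPIRING; return; }
    echo OK
}

# make_sample_cert CN DAYS OUT_FILE
# Constructed self-signed certificate so the example runs offline.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$3.key" \
        -subj "/CN=$1" -days "$2" -out "$3" 2>/dev/null && rm -f "$3.key"
}

demo() {
    local dir
    dir=$(mktemp -d)
    make_sample_cert vcsa.example.test 10 "$dir/machine-ssl.pem"
    # 10-day certificate checked with a 30-day warning window.
    cert_status "$dir/machine-ssl.pem" vcsa.example.test 30
    # Same certificate checked against a different host name.
    cert_status "$dir/machine-ssl.pem" other.example.test 30
    rm -rf "$dir"
}
demo
```
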



  • 12.  RE: step by step to renewal certificate VCenter HA

    Posted Feb 22, 2023 02:28 AM

    Hi Ajay

    Thanks for sharing. Last week I renewed the VCHA certificate based on your recommendation, and it worked.