VMware vCenter

  • 1.  vcenter 7.0u3v Self Signed certificate upgrade

    Posted Jun 06, 2025 01:51 PM

    All of my self signed certs including the trusted root certs are going to expire in the next week. 

    I was instructed to run the cert manager via option 8 to get all certs replaced. 

    This did update all certs in vCenter but did not update the STS cert. Do I just need to go to vCenter --> Administration --> Certificate Management --> click my STS certificate --> Actions and choose "Refresh with vCenter certificate"? I assume that means it will refresh with the __MACHINE_CERT with the new date to match it. 

    Is this the proper process for the STS one? The tech I am working with is out today (of course). I have tried to escalate the case a couple of times and have asked for an update 3 or 4 times, and haven't heard back yet. 

    Also, when running option 8 I can see that it generated a new trusted root cert. The other 2 that were there prior are still there. How can I tell if the environment is using the new cert for sure?

    Right now all my hosts are still showing red/critical due to the certificate. I assume this is due to the STS cert date not updating yet, but I want to rule out that it is reading the correct trusted root cert and not one of the old ones that is listed. 



  • 2.  RE: vcenter 7.0u3v Self Signed certificate upgrade

    Posted Jun 09, 2025 09:27 AM

    You're correct: running Option 8 in the certificate-manager regenerates all certificates except the STS certificate. That one needs to be refreshed manually via the vSphere Client.

    Yes, the right process for the STS cert is:
    vSphere Client → Administration → Certificate Management → STS Certificates → Actions → "Refresh STS Root Certificate", and select "Use vCenter Machine Certificate".

    This will update the STS chain to match the machine cert, including the new root. It's critical that the STS cert's validity period aligns with the Machine SSL certificate, otherwise host trust issues will persist which explains the red/critical status you're seeing.

    To confirm the environment is using the new cert:

    • From the vCenter shell, run:

      openssl x509 -in /var/lib/vmware/vmca/root.cer -text -noout 

      and check the validity period and issuer.

    • You can also validate the STS cert itself:

      /usr/lib/vmware-vmca/bin/certool --getsts

    If you still see multiple root certs under "Trusted Root Chains", that's fine; vCenter keeps old ones until they're explicitly removed. What matters is that the active chain (used for STS and machine certs) matches the newly issued root.
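    The two checks above (validity period, and issuer matching the new VMCA root) can be scripted so they are repeatable after the STS refresh. This is an added example, not from the thread or from VMware; it assumes only that `openssl` is on the appliance, that the root is at /var/lib/vmware/vmca/root.cer as in the post, and that the Machine SSL cert and the PEM printed by `certool --getsts` have been saved to files (the rui.crt path below is an assumption).

```shell
#!/bin/sh
# Added example: classify vCenter certificates against the VMCA root.
# Constructed for this thread; not VMware tooling.

# Print the subject or issuer DN of the PEM cert in $1, label stripped.
cert_subject() { openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'; }
cert_issuer()  { openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//'; }

# Return 0 if cert $1 is still valid $2 days from now, 1 if it expires sooner.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Return 0 if cert $1 was issued by the cert in $2 (issuer DN == root subject DN).
issued_by() {
    [ "$(cert_issuer "$1")" = "$(cert_subject "$2")" ]
}

# Print OK, WRONG-ISSUER or EXPIRING for cert $1 against root $2 with a
# warning window of $3 days. Non-zero exit for anything but OK.
cert_status() {
    if ! issued_by "$1" "$2"; then echo "WRONG-ISSUER"; return 1; fi
    if ! cert_valid_for_days "$1" "$3"; then echo "EXPIRING"; return 1; fi
    echo "OK"
}

# Check every cert after the first two args (root, warn-days); exit 1 if any fails.
report_all() {
    root=$1; warn=$2; shift 2; rc=0
    for f in "$@"; do
        st=$(cert_status "$f" "$root" "$warn") || rc=1
        echo "$f: $st (expires: $(openssl x509 -in "$f" -noout -enddate | sed 's/^notAfter=//'))"
    done
    return $rc
}

# Usage on the appliance (paths other than root.cer are assumptions):
#   /usr/lib/vmware-vmca/bin/certool --getsts > /tmp/sts.pem
#   report_all /var/lib/vmware/vmca/root.cer 30 /etc/vmware-vpx/ssl/rui.crt /tmp/sts.pem
```

The root itself can be passed as one of the checked certs: a self-signed VMCA root reports OK because its issuer equals its own subject.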




  • 3.  RE: vcenter 7.0u3v Self Signed certificate upgrade

    Posted Jun 09, 2025 05:38 PM

    Last time, I used the method described in this KB to check and replace the STS certificate: https://knowledge.broadcom.com/external/article/318968
    ...but it seems that the script from the KB is deprecated and points to the new certificate management tool (vCert): https://knowledge.broadcom.com/external/article/385107




  • 4.  RE: vcenter 7.0u3v Self Signed certificate upgrade

    Posted Jun 10, 2025 09:36 AM

    Thx. 

    I actually was able to get ahold of support and they ran a script, fixsts.sh, in order to address the date. They had mentioned that you can do it through the GUI but it can often fail. 

    Either way, that fixsts.sh seemed to work as expected. I am monitoring now to make sure things are ok after the expiry date.