I have a client with a vCenter instance (7.0.3) that is expiring its self-signed certs soon in 2025. I'm trying to get them updated before they expire and I have a few questions.
The Trusted Root CA has 2 instances listed, one that says it expires in 2025 which is tied to an old external PSC. How do I confirm this is or is not currently in use? The other Root CA cert that is listed in Certificate Management doesn't expire until 11/2030 and I assume that's the one my environment is using. How do I confirm this for sure?
I suspect the second 2030 cert is from a previous upgrade of the VCSA and when our old external PSC was combined back into the VCSA as part of the upgrade at that time.
If I can determine that this old cert is not needed and my environment is only using the newer 2030 certificate, I then need to worry about the remaining certs.
Here they are and here are their dates:
- Trusted Root CA (already covered above): 10/2025 and 11/14/2030
- STS Signing Cert: 10/2025
- VMware Cert Authority: 4/2030
- Machine Cert: 2/2025
As you can see the STS cert and the machine cert will expire in 2025.
The system is running 7.0.3 and is at the current patch level.
Under the STS Signing Cert I can see the option to "refresh with vcenter certificate".
I believe that will update that cert to the same date as the VMware Certificate Authority date (4/2030). Is that correct?
Should I do that first and reboot as needed, and then update the Machine Cert as needed by going to Actions --> Renew... and reboot again?
Would that be all that's needed to get current with all my certs?
Questions:
- How do I confirm my 2025 Root CA with the old PSC name is no longer in use and that the other 2030 cert is the only one being used?
- How do I update my STS certificate? I know that 8.0 will automatically update the STS cert, and I thought that in 7 you needed to run a script etc., but in my case I'm on the latest version of 7.0.3 and I can see a "refresh with vcenter certificate" option in the Certificate Management area of vCenter. I'm almost certain that's the path I want to take to update that to the same dates as my VMware Certificate Authority certificate dates shown above (followed by a reboot of course).
- The Machine SSL Certificate: should this be done before the STS certificate in this case, or after the STS cert has been updated? Clearly I do need to update both of them soon, so they will both need to be done.
- This particular vCenter is AD joined. It has since been configured to use LDAPS. Will replacing any certs affect the domain-joined status, the LDAPS settings, or any permissions or roles on vCenter from the configured domain? I don't think this would be affected but thought I would ask.
My plan would be to find the answers to the questions above and then execute as follows:
- Back up vCenter natively
- Snapshot the vCenter VM
- Stop any backups to avoid conflicts and issues
- Issue the STS refresh with vCenter Cert option in the certificate manager.
- Wait until complete
- Reboot vCenter
- Login and confirm cert dates updated for the STS Cert which should match the VMware Certificate Authority cert dates
- Using the certificate manager go to actions and renew for the machine certificate
- Wait for it to complete
- Reboot vCenter
- Log back into vCenter and confirm the new 2+ year date for the machine cert.
- Log in to the 5480 portal and confirm everything is healthy and all services have started
- Reconnect any items that connect to vCenter such as backups and plugins to allow them to get the new cert and continue to work as expected.
- Confirm everything is working as expected without any errors. Eventually clean up any outstanding snapshots once it is confirmed that all is working as expected.
Can someone please address my questions above to make sure I have the process correct? Thanks in advance.
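The first question, which of the two listed trusted roots actually issued the Machine SSL certificate, is settled by verifying the leaf's signature against each root rather than by comparing subjects or dates. The script below is an added example, not from the original post or from VMware; it assumes the openssl CLI is installed and uses constructed stand-in roots and a constructed leaf so it runs offline (on a real appliance the leaf would be the one returned by `openssl s_client -connect <vcenter-fqdn>:443`).

```shell
#!/bin/sh
# Added example, not from the original post; assumes the openssl CLI is installed.
# Builds two constructed roots (stand-ins for the 2025 "old PSC" root and the
# 2030 root) and one constructed leaf (stand-in for the Machine SSL cert), then
# reports which root actually issued the leaf.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_root <prefix> <OU>: constructed self-signed CA. Both get CN=CA, as VMCA
# roots do, so the subject alone cannot tell them apart.
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
        -subj "/CN=CA/OU=$2" >/dev/null 2>&1
}

# make_leaf <prefix> <root-prefix> <CN>: constructed leaf signed by that root
make_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -out "$WORK/$1.csr" -subj "/CN=$3" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" \
        -CAkey "$WORK/$2.key" -CAcreateserial -days 365 -sha256 \
        -out "$WORK/$1.crt" >/dev/null 2>&1
}

# cert_summary <cert>: issuer DN and expiry, the two fields to record first
cert_summary() {
    openssl x509 -in "$1" -noout -issuer -enddate
}

# issuing_root <leaf.crt> <root.crt>...: prints the first root whose key
# verifies the leaf's signature; returns 1 if no candidate root does.
issuing_root() {
    leaf=$1; shift
    for root in "$@"; do
        if openssl verify -CAfile "$root" "$leaf" >/dev/null 2>&1; then
            printf '%s\n' "$root"
            return 0
        fi
    done
    return 1
}

make_root old_psc_root "old-psc.example.local"
make_root vcsa_root    "vcsa.example.local"
make_leaf machine_ssl vcsa_root "vcenter.example.local"
cert_summary "$WORK/machine_ssl.crt"
issuing_root "$WORK/machine_ssl.crt" "$WORK/old_psc_root.crt" "$WORK/vcsa_root.crt"
```

If the root that verifies the Machine SSL (and, separately, the STS signing) certificate is the 2030 one, the 2025 root is not in the active chain; a root that verifies nothing is a candidate for removal only after the other certificate stores are checked the same way.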