By default, 30 days threshold is configured. Find Certificate Status alarm definition, ensure it is enabled, and specify the actions to be triggered. Select the vCenter Server object, then select the Monitor tab, the Issues subtab, and Alarm Definitions in the left column.Ģ1. Restart the VAMI service: /etc/init.d/vami-lighttp restartĮngineer’s note: You may also find useful to modify an alarm definition “Certificate Status” to send a trap or email if certificate is to expire soon.Add the entry: ssl.ca-file=”/etc/applmgmt/appliance/ca.crt”.Open the /opt/vmware/etc/lighttpd/nf file using a text editor.Copy CA cert chain to: /etc/applmgmt/appliance/ca.crt.Log in to the vCenter Server Appliance via SSH.After machine vCSA certificate is replaced, you may also find that vCenter VAMI is not accessible.Once all services have restarted, connect to the Web Console with browser and verify your new certificate. 16.Once the operation status is 100% completed make sure to restart all the services:Įngineer’s note : If certificate update fails due to specific plugin, disable the plugin and re-run import once again. Then specify the signed certificate, the private key, and the CA certificate location. And now, choose option 2 to import custom certificates.ġ4. Enter SSO and VC administrator credentials (default: ). Choose option 1: Replace Machine SSL certificate with Custom Certificate. Run /usr/lib/vmware-vmca/bin/certificate-manager 13. Upload signed machine certificate file and CA certificate file to the vCSA, i.e. Additionally, machine certificate files should be a full chain for certificate, intermediate certificate(s), and root certificate. Download/export the certificate in base-64 formatĮngineer’s note : If you have one or more intermediate certificate authorities, the root certificate file should be a chain of all intermediate CA and Root CA certificates. Go and submit your CSR file to your certificate authority (CA). If you cannot access vCSA via SSH with WinSCP, run the following command to change default shell to Bash: chsh -s /bin/bash rootĩ. Download /tmp/vmca_issued_csr.csr file with any tool you use, i.e. Signing request and private key is generated and located in /tmp folder. VMCA Name: FQDN of your VMCA (typically use FQDN of your vCSAĦ. Then, Certificate Manager will prompt to specify the following values: Then again, choose option 1 to Generate CSR and Keys for Machine SSL certificate.Ĥ. Choose option 1: Replace Machine SSL certificate with Custom Certificateģ. This will replace the expired certificate with the previous configuration and will make your vCenter functional, so that you may proceed with steps below later. You will see vSphere Certificate Manager with multiple options to select.Įngineer’s note : In case of an emergency, no accessibility to issue a certificate, or your previous certificate was VMware self-signed (typically certificate valid for 10 years): You may try to revert back by choosing option 7 of Certificate Manager. Run /usr/lib/vmware-vmca/bin/certificate-manager.Generate a certificate signing request (CSR) With some minor changes, they also may be considered for any vCSA version from 6.0 to 6.7. How to recover a vCenter machine certificate to a fully functional stateīelow are the steps our Dasher engineers followed to recover VMware vCenter 6.5 to fully functional state. In this case, our client could not login vCenter, manage it and other third party integration plugins, or backup software failed with tasks. When a vCenter machine certificate expires, most communication and services will not work properly and fail to function (due to multiple services that are assigned to use that certificate for secure communication). This expired certificate was not self-signed or automatically created during new vCenter installation, but instead issued by a trusted certificate authority (CA).ĭasher’s expert engineers recommend replacing the certificate on your vCenter and checking the expiration date to prevent a vCenter outage. The platform became unavailable because the certificate expired. Recently, one of our clients experienced an issue with VMware vCenter 6.5. While VMware vCenter provides a centralized platform for managing across the hybrid cloud, an expired certificate can turn into an IT nightmare. How to avoid expired certificates Denis Kazakov, Solution Engineer
0 Comments
Leave a Reply. |