Please enable Javascript for better experience...
 
Regenerate Self-Signed Certificate in vSphere 6.5
By Pranay Jha | Jan 24, 2020 | In Articles | Update: Jan 24, 2020 | Total Views [ 64249 ]
(3 Like)
Rate

Problem

All hosts in vCenter server are showing Red Alert and notification is “ESXi Host Certificate Status”

Error: ESXi Host Certificate Status

Solution

This issue is related to certificate being used for vSphere environment. To reach to a conclude of this problem, we have to look into Self-Signed VMCA root certificate.

Please note that Certificates are managed by PSC server. If you are using external PSC, then you have to login to PSC server. If PSC and vCenter is running on same server, then you will use same server to login. Follow below steps to find PSC server if you don’t know.

Step 1: To find PSC server, login to vCenter server using web client.

·        Select vCenter Server Name > Configure > Advanced Settings

·        In right side, you will get Search option. Type SSO in search option.

·        Check the value of config.vpxd.sso.admin.uri

·        This is your PSC Server.

 

Step 2: Check Existing Self-Signed Certificate Status

·        Login to PSC server using Web Client. (https://vi-psc-01/psc)

·        Under Certificates tab, Click on Certificate Store > At right panel under, drop down Store > Select TRUSTED_ROOTS. All existing certificates will be in this list.

·        Select Certificate and Click on Show Details. You can see that certificate is not valid.

Step 3: Check Threshold for Certificate Expire Notification

Now you might have question that if above certificate is valid till February 08, then why its showing error notification now (20th Jan – in our case)?

This is because of threshold value set for the notification. When this threshold is reached, the vCenter Server system displays red alarm about the certificates which is about to expire.

·        Login to vCenter Server. Click on vCenter Server > Configure > Advanced Settings > Check value for vpxd.cert.threshold

 

Step 4: Regenerate the VMCA Root Certificate with a new self-signed certificate

·        Open Putty and SSH to PSC server. Use root credentials to login.

login as: root

VMware vCenter Server Appliance 6.5.0.32000

Type: VMware Platform Services Controller

root@vi-psc-01's password:

Connected to service

    * List APIs: "help api list"

    * List Plugins: "help pi list"

    * Launch BASH: "shell"

Command> shell

Shell access is granted to root

·        Type below command to open certificate-manager for vCenter Server Appliance(VCSA)

o   root@vi-psc-01 [ ~ ]# /usr/lib/vmware-vmca/bin/certificate-manager

·        Select Option 4 to regenerate a new VMCA Root Certificate and replace all certificates

o   Option[1 to 8]: 4

o   Do you wish to generate all certificates using configuration file : Option[Y/N] ? : Y

·        Please provide valid SSO and VC priviledged user credential to perform certificate operations.

o   Enter username [Administrator@vsphere.local]:administrator@vsphere.local

o   Enter password:

·        Please configure certool.cfg with proper values before proceeding to next step.

When ask for values, you can simply press ENTER key to leave default value for default Self-Signed certificate. However, if you want to use your own values, that’s your choice as per requirement.

o   Press Enter key to skip optional parameters or use Default value.

o   Enter proper value for 'Country' [Default value : US] : US

o   Enter proper value for 'Name' [Default value : CA] : CA

o   Enter proper value for 'Organization' [Default value : VMware] : VMware

o   Enter proper value for 'OrgUnit' [Default value : VMware Engineering] : VMware Engineering

o   Enter proper value for 'State' [Default value : California] : California

o   Enter proper value for 'Locality' [Default value : Palo Alto] : Palo Alto

o   Enter proper value for 'IPAddress' (Provide comma separated values for multiple IP addresses) [optional] :  127.0.0.1

o   Enter proper value for 'Email' [Default value : email@acme.com] : email@acme.com

o   Enter proper value for 'Hostname' (Provide comma separated values for multiple Hostname entries) [Enter valid Fully Qualified Domain Name(FQDN), For Example : example.domain.com] : vi-psc-01.vinsight.com

o   Enter proper value for VMCA 'Name' : vi-psc-01.vinsight.com

·        You are going to regenerate Root Certificate and all other certificates using VMCA

o   Continue operation : Option[Y/N] ? : Y

·        Stop vCenter services using below command.

o   root@vi-psc-01 [ ~ ]# service-control --stop –all

·        Start vCenter services using below command.

o   root@vi-psc-01 [ ~ ]# service-control --start –all

Step 5: Verify Certificate in PSC Server

·        Login to PSC server using Web Client. (https://vi-psc-01/psc)

·        Under Certificates tab, Click on Certificate Store > At right panel under, drop down Store > Select TRUSTED_ROOTS. All existing certificates will be in this list.

·        Select Certificate and Click on Show Details. You can see that certificate is valid.

Step 6: Enforce New Generated Certificate to all ESXi hosts

·        Login to vCenter Server using Web Client.

·        Click on each ESXi hosts > Configure > Certificate

·        Click on Renew Option.


Thanks for visiting here. Share this article if you found it useful.
Like Facebook Page https://www.facebook.com/VMwareInsight/
Connect to twitter https://twitter.com/imPranayK
Subscribe my Channel https://www.youtube.com/vmwareinsight
Connect over Linkedin https://in.linkedin.com/in/impranayk
Share this on Social Media

About the Author

Pranay Jha
Pranay Jha
Founder, Contributer VMwareInsight.com

Public profile: user/profile/99900000


Follow me

facebook linkedin twitter G+ VMTN youtube

Thank you for visiting my profile. I am Pranay Jha, bring along a total of 11+ years of extensive experience with me in Information Technology sector for organizations from small business to large enterprises, wherein my current assignment I am associated with IBM as a Technical Solution Architect for Virtualization platform. I am vExpert x 3 (16/17/18), VCIX-DCV, VCAP5/6-DCD, VCAP5-DCA, VCP7-CMA, VCP5/6-DCV, VCA-DCV, VCA-Cloud, VSP, VCE-CIA, MCITP, MCSE, MCSA(Messaging). I am also an Independent blogger and founder of http://vmwareinsight.com and https://cloudpathshala.com. I can be reached via email at pranay1988jha@gmail.com or Direct Message via Contact Us form.

 
Please SignUp/Login to comment...

Or comment as anonymous...
* Name
* Email ID
Comment
 
Sponsors
 
 
 
 
 
Facebook Likes