I recently used the vSphere 7.0 Certificate Manager but unfortunately, not all self-signed certificates were renewed, and I had to do quite a few additional tasks to renew the STS, data-encipherment and ESXi certificates, which is what I'll try to describe below.
Renew self-signed certificates – take I
My first stop was following the standard process and using the built-in vSphere 7.0 Certificate Manager which is referenced in How to use vSphere Certificate Manager to Replace SSL Certificates (2097936). The KB Article suggests that the vSphere Certificate Manager can be used to:
- Implement Default Certificates
- Replace the VMCA Certificate with a custom CA Certificate
- Replace all vSphere Certificates and Keys with custom CA Certificates and Keys
but in reality it only managed to replace the VMCA and vCenter certificates, and I experimented with both options 4 and 8…
root@vcenter70 [ /tmp ]# /usr/lib/vmware-vmca/bin/certificate-manager
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
| |
| *** Welcome to the vSphere 7.0 Certificate Manager *** |
| |
| -- Select Operation -- |
| |
| 1. Replace Machine SSL certificate with Custom Certificate |
| |
| 2. Replace VMCA Root certificate with Custom Signing |
| Certificate and replace all Certificates |
| |
| 3. Replace Machine SSL certificate with VMCA Certificate |
| |
| 4. Regenerate a new VMCA Root Certificate and |
| replace all certificates |
| |
| 5. Replace Solution user certificates with |
| Custom Certificate |
| NOTE: Solution user certs will be deprecated in a future |
| release of vCenter. Refer to release notes for more details.|
| |
| 6. Replace Solution user certificates with VMCA certificates |
| |
| 7. Revert last performed operation by re-publishing old |
| certificates |
| |
| 8. Reset all Certificates |
|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|
Note : Use Ctrl-D to exit.
Option[1 to 8]:
Renew the STS
Having renewed the certificates using the Certificate Manager above, I looked at the certificates listed under Certificate Management in the UI (Administration > Certificates > Certificate Management) and the STS Signing Certificate was showing as about to expire.
I followed Refresh a vCenter Server STS Certificate Using the vSphere Client, which renewed the certificate, and the expiry date updated accordingly (STS_CERT valid until Feb 11, 2026). Unfortunately, as the vCert output further below shows, there were further issues with the STS Signing Certs & Signing Chains which are not visible in the UI 🙁
Renew ESXi certificates
I then followed Renew or Refresh ESXi Certificates, which renewed the ESXi certificates in what appears to be a pretty straightforward process.
Review certificate status
I used the command from Determining expired SSL certificates in vCenter Server and ESXi 6.x and 7.0.x (2015600) to check the status of all certificates and noticed several issues:
- two expired trusted root certificates in Store: TRUSTED_ROOTS
- one expiring __MACHINE_CERT in Store: STS_INTERNAL_SSL_CERT
- one expired data-encipherment certificate in Store: data-encipherment
- and a bunch of others in the BACKUP_STORE which can be safely ignored
root@vcenter70 [ ~ ]# for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do echo "[*] Store :" $store; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $store --text | grep -ie "Alias" -ie "Not After";done;
[*] Store : MACHINE_SSL_CERT
Alias :__MACHINE_CERT
Not After : Feb 8 08:36:09 2026 GMT
[*] Store : TRUSTED_ROOTS
Alias :1e008aaadb27970437c5830f3088a0e295a50d7e
Not After : Feb 11 17:43:48 2024 GMT
Alias :fa33036ff223dcbc2299e1b6cb082d637b8a17c0
Not After : Feb 12 18:03:58 2024 GMT
Alias :2b4cedf0206efcccab833a3a55585b488eaf11be
Not After : May 9 12:27:25 2032 GMT
Alias :de435baf209e0a432922524bd6e3b78226554ba8
Not After : Feb 3 08:46:08 2034 GMT
[*] Store : STS_INTERNAL_SSL_CERT
Alias :__MACHINE_CERT
Not After : Feb 12 18:03:58 2024 GMT
[*] Store : machine
Alias :machine
Not After : Feb 8 08:36:26 2026 GMT
[*] Store : vsphere-webclient
Alias :vsphere-webclient
Not After : Feb 8 08:36:27 2026 GMT
[*] Store : vpxd
Alias :vpxd
Not After : Feb 8 08:36:28 2026 GMT
[*] Store : vpxd-extension
Alias :vpxd-extension
Not After : Feb 8 08:36:29 2026 GMT
[*] Store : SMS
Alias :sms_self_signed
Not After : Sep 22 15:35:47 2032 GMT
[*] Store : hvc
Alias :hvc
Not After : Feb 8 08:36:31 2026 GMT
[*] Store : data-encipherment
Alias :data-encipherment
Not After : Feb 11 17:43:48 2024 GMT
[*] Store : APPLMGMT_PASSWORD
Alias :location_password_default
[*] Store : wcp
Alias :wcp
Not After : Feb 8 08:36:32 2026 GMT
[*] Store : BACKUP_STORE
Alias :bkp___MACHINE_CERT
Not After : Feb 12 18:03:58 2024 GMT
Alias :bkp_machine
Not After : Feb 11 17:43:48 2024 GMT
Alias :bkp_vsphere-webclient
Not After : Feb 11 17:43:48 2024 GMT
Alias :bkp_vpxd
Not After : Feb 11 17:43:48 2024 GMT
Alias :bkp_vpxd-extension
Not After : Feb 11 17:43:48 2024 GMT
Alias :bkp_hvc
Not After : Feb 11 17:43:48 2024 GMT
Alias :bkp_wcp
Not After : Feb 11 17:43:48 2024 GMT
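The listing above still has to be read by eye. As an added example (my own code, not from the post or from VMware), the bash script below reads exactly that `[*] Store / Alias / Not After` text and classifies each entry as EXPIRED, EXPIRING (within a threshold in days) or VALID, reports entries without a date (such as APPLMGMT_PASSWORD) as NO-EXPIRY, and, as the post suggests, leaves BACKUP_STORE out of the exit status. The function names `to_epoch` and `check_vecs_entries` are mine, the date parser is a self-contained days-from-civil calculation so it does not depend on GNU `date -d`, and the sample listing is constructed from a subset of the values shown above.

```bash
#!/usr/bin/env bash
# Added example, not from the post or from VMware: an expiry check over the
# text produced by the post's vecs-cli loop. Input lines look like
#   [*] Store : <store>
#   Alias :<alias>
#   Not After : Mon DD HH:MM:SS YYYY GMT
# Entries that carry no "Not After" (e.g. APPLMGMT_PASSWORD) are reported as
# NO-EXPIRY instead of being silently skipped.

# Convert "Mon DD HH:MM:SS YYYY GMT" to Unix epoch seconds with bash integer
# arithmetic only (days-from-civil algorithm), so it does not rely on GNU date.
to_epoch() {
  local mon day hms year tz m y era yoe doy doe days h mi s
  read -r mon day hms year tz <<<"$1"
  case "$mon" in
    Jan) m=1;; Feb) m=2;; Mar) m=3;;  Apr) m=4;;  May) m=5;;  Jun) m=6;;
    Jul) m=7;; Aug) m=8;; Sep) m=9;;  Oct) m=10;; Nov) m=11;; Dec) m=12;;
    *) return 1;;
  esac
  y=$(( m <= 2 ? year - 1 : year ))
  era=$(( y / 400 )); yoe=$(( y - era * 400 ))
  doy=$(( (153 * (m > 2 ? m - 3 : m + 9) + 2) / 5 + 10#$day - 1 ))
  doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
  days=$(( era * 146097 + doe - 719468 ))
  IFS=: read -r h mi s <<<"$hms"
  printf '%d\n' $(( days * 86400 + 10#$h * 3600 + 10#$mi * 60 + 10#$s ))
}

# Classify each entry relative to a reference time.
#   $1 = reference epoch seconds (pass "$(date +%s)" on a live appliance)
#   $2 = warning threshold in days
# Prints one line per entry: STATUS <store> <alias> [<days-left>]
# Exit status 1 if any entry outside BACKUP_STORE is EXPIRED or EXPIRING
# (BACKUP_STORE holds superseded certificates and is ignored, as in the post).
check_vecs_entries() {
  local now="$1" warn="$2" store="" alias="" line when exp days status rc=0
  while IFS= read -r line; do
    case "$line" in
      "[*] Store :"*)
        [[ -n $alias ]] && printf 'NO-EXPIRY %s %s\n' "$store" "$alias"
        store="${line#*: }"; alias="" ;;
      "Alias :"*)
        [[ -n $alias ]] && printf 'NO-EXPIRY %s %s\n' "$store" "$alias"
        alias="${line#Alias :}" ;;
      "Not After : "*)
        when="${line#Not After : }"
        if ! exp=$(to_epoch "$when"); then
          printf 'UNPARSED %s %s\n' "$store" "$alias"; alias=""; continue
        fi
        if (( exp < now )); then
          status=EXPIRED; days=$(( -((now - exp + 86399) / 86400) ))   # floor
        else
          days=$(( (exp - now) / 86400 ))
          if (( days <= warn )); then status=EXPIRING; else status=VALID; fi
        fi
        printf '%s %s %s %d\n' "$status" "$store" "$alias" "$days"
        [[ $store != BACKUP_STORE && $status != VALID ]] && rc=1
        alias="" ;;
    esac
  done
  [[ -n $alias ]] && printf 'NO-EXPIRY %s %s\n' "$store" "$alias"
  return $rc
}

# Constructed sample: a subset of the listing in the post, same date values.
SAMPLE_LISTING='[*] Store : MACHINE_SSL_CERT
Alias :__MACHINE_CERT
Not After : Feb 8 08:36:09 2026 GMT
[*] Store : TRUSTED_ROOTS
Alias :1e008aaadb27970437c5830f3088a0e295a50d7e
Not After : Feb 11 17:43:48 2024 GMT
Alias :2b4cedf0206efcccab833a3a55585b488eaf11be
Not After : May 9 12:27:25 2032 GMT
[*] Store : STS_INTERNAL_SSL_CERT
Alias :__MACHINE_CERT
Not After : Feb 12 18:03:58 2024 GMT
[*] Store : APPLMGMT_PASSWORD
Alias :location_password_default
[*] Store : BACKUP_STORE
Alias :bkp_machine
Not After : Feb 11 17:43:48 2024 GMT'

# Stand-alone run with the clock fixed at 12 Feb 2024 12:00 UTC (epoch 1707739200);
# on an appliance, pipe in the real loop output and pass "$(date +%s)" instead.
printf '%s\n' "$SAMPLE_LISTING" | check_vecs_entries 1707739200 30 \
  || echo "=> at least one live certificate is expired or expiring"
```

Against the sample, the STS_INTERNAL_SSL_CERT entry comes out as EXPIRING with 0 days left, which matches the "0 DAYS" that vCert reports for the legacy Lookup Service certificate later in the post, and the expired TRUSTED_ROOTS alias is flagged with a negative day count rather than being hidden by integer truncation.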
Remove expired VMCA certificates
Luckily, the following article covers in depth how to unpublish expired/expiring certificates from the TRUSTED_ROOTS VECS store: Removing Expired CA Certificates from the TRUSTED_ROOTS store in the VMware Endpoint Certificate Store (VECS) (2146011).
In a nutshell, the process involves three steps:
- locate the certificate details
- export, unpublish and delete the old cert
- and force a refresh of VECS
In my case, the commands I had to use were the following, but you will need to follow KB2146011 to discover the ids and aliases of your own certificates:
/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS --text | less
/usr/lib/vmware-vmafd/bin/dir-cli trustedcert list
/usr/lib/vmware-vmafd/bin/dir-cli trustedcert get --id E6D7AA5F008AAD73F8587FD9BEF05D48348173C1 --login administrator@vsphere.local --password 'enter psw here' --outcert /tmp/oldcert.cer
/usr/lib/vmware-vmafd/bin/dir-cli trustedcert unpublish --cert /tmp/oldcert.cer
/usr/lib/vmware-vmafd/bin/dir-cli trustedcert get --id E81D0CF5230893BA547647123ECB4C6A4FC675E5 --login administrator@vsphere.local --password 'enter psw here' --outcert /tmp/oldcert.cer
/usr/lib/vmware-vmafd/bin/dir-cli trustedcert unpublish --cert /tmp/oldcert.cer
/usr/lib/vmware-vmafd/bin/dir-cli trustedcert list
/usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store TRUSTED_ROOTS --alias 1e008aaadb27970437c5830f3088a0e295a50d7e
/usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store TRUSTED_ROOTS --alias fa33036ff223dcbc2299e1b6cb082d637b8a17c0
/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS --text | grep Alias
/usr/lib/vmware-vmafd/bin/vecs-cli force-refresh
vCert
vCert is a powerful utility which carries out an in-depth certificate check and can also fix issues easily.
vCert is an excellent tool, although it is meant to be used by VMware support only; you can find copies either online from third parties or obtain one as part of a VMware SR.
As always please ensure that you have a file-based backup of the appliance and a snapshot of this appliance and partner nodes if in enhanced linked mode etc.
Below I’ve used option 1 to check the status of the certificates and then option 6 to fix at least some of the issues identified.
root@vcenter70 [ /tmp ]# ./vCert
Loading...
vCenter 7.0 Certificate Management Utility (4.9.0)
-----------------------------------------------------------------
1. Check current certificates status
2. View Certificate Info
3. Manage Certificates
4. Manage SSL Trust Anchors
5. Check configurations
6. Reset all certificates with VMCA-signed certificates
7. ESXi certificate operations
8. Restart services
9. Generate certificate report
E. Exit
Select an option [1]: 1
Please enter a Single Sign-On administrator account [administrator@vsphere.local]:
Please provide the password for administrator@vsphere.local:
Checking Certifcate Status
-----------------------------------------------------------------
Checking Machine SSL certificate VALID
Checking Solution User certificates:
machine VALID
vsphere-webclient VALID
vpxd VALID
vpxd-extension VALID
hvc VALID
wcp VALID
Checking SMS certificate VALID
Checking data-encipherment certificate EXPIRED
Checking Authentication Proxy certificate EXPIRED
Checking Auto Deploy CA certificate VALID
Checking BACKUP_STORE entries:
bkp___MACHINE_CERT 0 DAYS
bkp_machine EXPIRED
bkp_vsphere-webclient EXPIRED
bkp_vpxd EXPIRED
bkp_vpxd-extension EXPIRED
bkp_hvc EXPIRED
bkp_wcp EXPIRED
Checking legacy Lookup Service certificate 0 DAYS
Checking VMCA certificate VALID
Checking STS Signing Certs & Signing Chains
-----------------------------------------------------------------
Checking TenantCredential-1:
TenantCredential-1 signing certificate EXPIRED
TenantCredential-1 CA certificate EXPIRED
Checking TenantCredential-2:
TenantCredential-2 signing certificate VALID
TenantCredential-2 CA certificate VALID
Checking TrustedCertChain-2:
TrustedCertChain-2 signing certificate VALID
TrustedCertChain-2 signing certificate VALID
Checking CA certificates in VMDir [by CN(id)]
-----------------------------------------------------------------
874AC36753BEDF348606C4694B7AC7BEA323A8F0 VALID
79A112662E8D098E4BA084704AC4E4DDC5CF8E12 VALID
Checking CA certificates in VECS [by Alias]
-----------------------------------------------------------------
2b4cedf0206efcccab833a3a55585b488eaf11be VALID
de435baf209e0a432922524bd6e3b78226554ba8 VALID
Checking VECS Stores
-----------------------------------------------------------------
Checking status and permissions for VECS stores:
MACHINE_SSL_CERT OK
TRUSTED_ROOTS OK
TRUSTED_ROOT_CRLS OK
machine OK
vsphere-webclient OK
vpxd OK
vpxd-extension OK
SMS OK
APPLMGMT_PASSWORD OK
data-encipherment OK
hvc OK
wcp OK
Checking Service Principals
-----------------------------------------------------------------
Node 8e30d332-959f-11e3-8997-000c29264a15:
machine PRESENT
vsphere-webclient PRESENT
vpxd PRESENT
vpxd-extension PRESENT
hvc PRESENT
wcp PRESENT
Checking Certificate Revocation Lists
-----------------------------------------------------------------
Number of CRLs in VECS 1
Checking SSL Trust Anchors
-----------------------------------------------------------------
pnl0003vsua9994.mgmt.test.corp VALID
Check vCenter Extension Thumbprints
-----------------------------------------------------------------
com.vmware.vcIntegrity (vpxd-extension) MATCHES
com.vmware.vmcam (Authentication Proxy) MATCHES
com.vmware.vsan.health (Machine SSL) MATCHES
com.vmware.vim.eam (vpxd-extension) MATCHES
com.vmware.rbd (vpxd-extension) MATCHES
Checking VMCA Configurations in VCDB
-----------------------------------------------------------------
vpxd.certmgmt.certs.cn.country 'US'
vpxd.certmgmt.certs.cn.email 'vmca@vmware.com'
vpxd.certmgmt.certs.cn.localityName 'Palo Alto'
vpxd.certmgmt.certs.cn.organizationalUnitName 'VMware Engineering'
vpxd.certmgmt.certs.cn.organizationName 'VMware'
vpxd.certmgmt.certs.cn.state 'California'
vpxd.certmgmt.mode 'vmca'
------------------------!!! Attention !!!------------------------
- One or more certificates are expiring within 30 days
- One or more certificates are expired
vCenter 7.0 Certificate Management Utility (4.9.0)
-----------------------------------------------------------------
1. Check current certificates status
2. View Certificate Info
3. Manage Certificates
4. Manage SSL Trust Anchors
5. Check configurations
6. Reset all certificates with VMCA-signed certificates
7. ESXi certificate operations
8. Restart services
9. Generate certificate report
E. Exit
Select an option [1]: 6
Certificate Signing Request Information
-----------------------------------------------------------------
Enter the country code [US]:
Enter the Organization name [VMware]:
Enter the Organizational Unit name [VMware Engineering]:
Enter the state [California]:
Enter the locality (city) name [Palo Alto]:
Enter the IP address (optional):
Enter an email address (optional):
Replace Machine SSL Certificate
-----------------------------------------------------------------
Generate certool configuration OK
Regenerate Machine SSL certificate OK
Backing up certificate and private key OK
Updating MACHINE_SSL_CERT certificate OK
legacy-lookup-service OK
Replace Solution User Certificates
-----------------------------------------------------------------
Verifying Service Principal entries exist OK
Generate new certificates and keys:
machine OK
vsphere-webclient OK
vpxd OK
vpxd-extension OK
hvc OK
wcp OK
Backup certificate and private key:
machine OK
vsphere-webclient OK
vpxd OK
vpxd-extension OK
hvc OK
wcp OK
Updating certificates and keys in VECS:
machine OK
vsphere-webclient OK
vpxd OK
vpxd-extension OK
hvc OK
wcp OK
Updating solution user certificates in VMware Directory:
machine OK
vsphere-webclient OK
vpxd OK
vpxd-extension OK
hvc OK
wcp OK
Replace Authentication Proxy Certificate
-----------------------------------------------------------------
Generate certool configuration OK
Regenerate Authentication Proxy certificate OK
Backing up certificate and private key OK
Replace certificate on filesystem OK
Replace Auto Deploy CA Certificate
-----------------------------------------------------------------
Regenerate Auto Deploy CA certificate OK
Backing up certificate and private key OK
Replace certificate on filesystem OK
Update vCenter Extension Thumbprints
-----------------------------------------------------------------
ESX Agent Manager FIXED
Auto Deploy FIXED
VMware Update Manager FIXED
vSAN Health FIXED
Authentication Proxy FIXED
Replace SSO STS Signing Certificate
-----------------------------------------------------------------
Generate certool configuration OK
Regenerate STS signing certificate OK
Backup and delete tenant credentials OK
Backup and delete trusted cert chains OK
Add new STS signing certifcate to VMDir OK
Update SSL Trust Anchors (pnl0003vsua9994.mgmt.test.corp)
-----------------------------------------------------------------
Updating service: BFR-TEST:2c81d843-5953-4fa0-93b1-b4aeb868c7c9
Updating service: BFR-TEST:6af31437-b47a-4ec7-a576-cb999731ef11
Updating service: BFR-TEST:eb135d87-f7fc-4ad8-8720-32479452381b
Updating service: 04e46b02-0d64-4fe0-8c24-b04bacb5a1cb
Updating service: 0BC02CCF-5D6A-4033-8E9E-5584659598FF
Updating service: 1216e0fd-7962-481b-a0e2-6820a0014323
Updating service: 125b0dd9-77ac-47c4-8eb2-bc55974d585a
Updating service: 17ffefa6-49a8-49ff-9487-18ff25ab5eed
Updating service: 1e3c845b-e069-4a95-b9fd-7dd6efbffc42
Updating service: 1e6bd08b-aed2-4162-87dd-111086a21ddb
Updating service: 3cb8d39a-81cc-48ba-881a-1cd2b0926995
Updating service: 3f3b65c9-894e-452e-a49f-d8bd46f87706
Updating service: 458d00dd-308f-41e5-8142-398ae39578d9
Updating service: 5a7fdba5-516a-40d1-b3f3-0725d9d35bbf
Updating service: 5b5ce0ef-681e-4d60-8653-faa41db4d190
Updating service: 5cfb7743-3300-4309-b815-355ae1dd2e56
Updating service: 5fa99d70-e3aa-4d95-9036-7e0046fd6dd7
Updating service: 735b0dec-3e3e-4975-8c76-1497318df58e
Updating service: 77a96f0f-4013-4f5c-9932-53f6c9ef7ed5
Updating service: 78aa7668-b6a1-427f-810c-2578d6da9691
Updating service: 79caa8e3-3907-42b6-9927-da53cc045802
Updating service: 7c05a6e3-3e07-4c40-94c6-cc6734a479e1
Updating service: 8983b787-5499-4182-82fa-7d6877fd42d8
Updating service: 89e8cb63-7f1b-4a85-98be-0d08b414a653
Updating service: 8e3150bd-254c-45c0-a90a-1cbd6017a3d7
Updating service: 9b0febc9-e124-41fd-ab29-4ea91caa6d90
Updating service: a0de4134-af13-4247-a6b0-3571105bcee6
Updating service: afc7c7eb-4a9d-4b1f-839b-9c5ff8a93a47
Updating service: b2d5aef7-c030-4549-b092-f9f1b521dbe1
Updating service: b6378cc8-bcae-4a4d-8718-9e93327d52fd
Updating service: b9cbf537-542e-4d8c-b02f-09b64a8ea96b
Updating service: c3d7bdfb-edad-460f-a05c-72fa113c11f3_authz
Updating service: c3d7bdfb-edad-460f-a05c-72fa113c11f3
Updating service: c3d7bdfb-edad-460f-a05c-72fa113c11f3_kv
Updating service: c48ca7c8-6558-41f5-a3f1-bd6fac207b7b
Updating service: cbfb5012-0332-48e4-8203-c69251ebe0e9
Updating service: d2e8578d-d13c-4bdd-9f81-206d1a8e4a00
Updating service: dbeb8989-0349-4ed7-afd5-a7d1373cea26
Updating service: e6f5b4d4-3eac-412b-a0d7-536d70e81813
Updating service: e6fe4db7-91a6-4506-baa4-f7787e13439d
Updating service: e8b4575a-5f29-4c3a-a556-02b104bca231
Updating service: e9ae380a-dfce-4184-b91d-5840fead03fb
Updating service: ef99335a-cbb3-4f95-9de6-f72444e66c75
Updating service: fbdf3950-8027-48c5-9785-9864e4d71a1b
Updated 44 service(s)
Restart VMware services [no]: ^Z
[1]+ Stopped ./vCert
root@vcenter70 [ /tmp ]# service-control --stop --all
Operation not cancellable. Please wait for it to finish...
...
root@vcenter70 [ /tmp ]# service-control --start --all
Operation not cancellable. Please wait for it to finish...
...
You can open a second PuTTY window and monitor the services as they come online like this:
root@vcenter70 [ ~ ]# watch service-control --status --all
Renew the encipherment certificate
Initially, the vCenter 7.0 Certificate Management Utility (4.9.0) showed 'Checking data-encipherment certificate EXPIRED', so I used the following article, How to replace an expired data-encipherment certificate on vCenter Server (88548), which includes a neat script, fix_encipherment_cert.sh, to replace the certificate. All I had to do was copy the script to the appliance and ensure that it can be executed:
- To allow you to use a tool like WinSCP to copy files to the appliance, SSH to the appliance and run 'chsh -s /bin/bash root'.
- Then, to allow the script to be executed, run 'chmod +x fix_encipherment_cert.sh'.
Finally, when you run fix_encipherment_cert.sh, it will first delete the existing certificate and then generate a new one:
root@vcenter70 [ /tmp ]# ./fix_encipherment_cert.sh
Replacing Certificate in data-encipherment VECS Store
Detected PNID: vcenter70.test.corp
Detected PSC: vcenter70.mgmt.test.corp
Taking backup of old certificate and private key to /tmp directory
Deleting the existing certificate from the VECS store
Deleted entry with alias [data-encipherment] in store [data-encipherment] successfully
Generating new certificate using the existing private key and add to the VECS store
Status : Success
Listing the new certificate in VECS Store
Alias : data-encipherment
Serial Number:
Not Before: Feb 12 13:29:04 2024 GMT
Not After : Feb 3 08:46:08 2034 GMT
Subject: CN=data-encipherment, DC=vsphere, DC=local, C=US, OU=mID-8e30d332-959f-11e3-8997-000c29264a15
*************************************************************************************************************************
Completed the script execution, please follow the manual steps in case the script fails to replace the Certificate
VPXD Service needs to be restarted for the changes to take effect, otherwise Guest OS Customizations might fail
Please execute following command to restart the service:
service-control --stop vpxd && service-control --start vpxd
*************************************************************************************************************************
root@vcenter70 [ /tmp ]# service-control --stop vpxd && service-control --start vpxd
Operation not cancellable. Please wait for it to finish...
Performing stop operation on service vpxd...
Successfully stopped service vpxd
Operation not cancellable. Please wait for it to finish...
Performing start operation on service vpxd...
Successfully started service vpxd
Last but not least, there is one service, 'vpxd', which needs to be restarted, but the script reminds you of that and supplies the command to do so too!
Check the certificate status one more time
As you can see from the following, all certificates are now valid except the ones whose alias starts with 'bkp_', but that is to be expected:
root@vcenter70 [ /tmp ]# ./vCert
Loading...
vCenter 7.0 Certificate Management Utility (4.9.0)
-----------------------------------------------------------------
1. Check current certificates status
2. View Certificate Info
3. Manage Certificates
4. Manage SSL Trust Anchors
5. Check configurations
6. Reset all certificates with VMCA-signed certificates
7. ESXi certificate operations
8. Restart services
9. Generate certificate report
E. Exit
Select an option [1]: 1
Please enter a Single Sign-On administrator account [administrator@vsphere.local]:
Please provide the password for administrator@vsphere.local:
Checking Certifcate Status
-----------------------------------------------------------------
Checking Machine SSL certificate VALID
Checking Solution User certificates:
machine VALID
vsphere-webclient VALID
vpxd VALID
vpxd-extension VALID
hvc VALID
wcp VALID
Checking SMS certificate VALID
Checking data-encipherment certificate VALID
Checking Authentication Proxy certificate VALID
Checking Auto Deploy CA certificate VALID
Checking BACKUP_STORE entries:
bkp___MACHINE_CERT 0 DAYS
bkp_machine EXPIRED
bkp_vsphere-webclient EXPIRED
bkp_vpxd EXPIRED
bkp_vpxd-extension EXPIRED
bkp_hvc EXPIRED
bkp_wcp EXPIRED
Checking legacy Lookup Service certificate VALID
Checking VMCA certificate VALID
Checking STS Signing Certs & Signing Chains
-----------------------------------------------------------------
Checking TenantCredential-1:
TenantCredential-1 signing certificate VALID
TenantCredential-1 CA certificate VALID
Checking TrustedCertChain-1:
TrustedCertChain-1 signing certificate VALID
TrustedCertChain-1 signing certificate VALID
Checking CA certificates in VMDir [by CN(id)]
-----------------------------------------------------------------
874AC36753BEDF348606C4694B7AC7BEA323A8F0 VALID
79A112662E8D098E4BA084704AC4E4DDC5CF8E12 VALID
Checking CA certificates in VECS [by Alias]
-----------------------------------------------------------------
2b4cedf0206efcccab833a3a55585b488eaf11be VALID
de435baf209e0a432922524bd6e3b78226554ba8 VALID
Checking VECS Stores
-----------------------------------------------------------------
Checking status and permissions for VECS stores:
MACHINE_SSL_CERT OK
TRUSTED_ROOTS OK
TRUSTED_ROOT_CRLS OK
machine OK
vsphere-webclient OK
vpxd OK
vpxd-extension OK
SMS OK
APPLMGMT_PASSWORD OK
data-encipherment OK
hvc OK
wcp OK
Checking Service Principals
-----------------------------------------------------------------
Node 8e30d332-959f-11e3-8997-000c29264a15:
machine PRESENT
vsphere-webclient PRESENT
vpxd PRESENT
vpxd-extension PRESENT
hvc PRESENT
wcp PRESENT
Checking Certificate Revocation Lists
-----------------------------------------------------------------
Number of CRLs in VECS 1
Checking SSL Trust Anchors
-----------------------------------------------------------------
vcenter70.test.corp VALID
Check vCenter Extension Thumbprints
-----------------------------------------------------------------
com.vmware.vcIntegrity (vpxd-extension) MATCHES
com.vmware.vsan.health (Machine SSL) MATCHES
com.vmware.vim.eam (vpxd-extension) MATCHES
com.vmware.rbd (vpxd-extension) MATCHES
com.vmware.vmcam (Authentication Proxy) MATCHES
Checking VMCA Configurations in VCDB
-----------------------------------------------------------------
vpxd.certmgmt.certs.cn.country 'US'
vpxd.certmgmt.certs.cn.email 'vmca@vmware.com'
vpxd.certmgmt.certs.cn.localityName 'Palo Alto'
vpxd.certmgmt.certs.cn.organizationalUnitName 'VMware Engineering'
vpxd.certmgmt.certs.cn.organizationName 'VMware'
vpxd.certmgmt.certs.cn.state 'California'
vpxd.certmgmt.mode 'vmca'
------------------------!!! Attention !!!------------------------
- One or more certificates are expiring within 30 days
- One or more certificates are expired
vCenter 7.0 Certificate Management Utility (4.9.0)
-----------------------------------------------------------------
1. Check current certificates status
2. View Certificate Info
3. Manage Certificates
4. Manage SSL Trust Anchors
5. Check configurations
6. Reset all certificates with VMCA-signed certificates
7. ESXi certificate operations
8. Restart services
9. Generate certificate report
E. Exit
Select an option [1]: E