On your 1st VMware vCenter Server (VCSA), you can renew certificates used internally by clicking the "Renew All" link next to "Solution Certificates".
The message “Success, 4 certificates renewed” appears.
Do the same on your 2nd VMware vCenter Server (VCSA).
The message “Success, 4 certificates renewed” appears.
So that the new certificates of your VMware vCenter Servers (VCSA) can be used without any problem, you must add the certificates of your certification authorities to the "Trusted Root Certification Authorities" section of each server.
To do this, start by exporting the certificate of your root certification authority.
You can find it on your root certificate authority (although it is likely offline if you have followed Microsoft best practices) or in the "Trusted Root Certification Authorities" certificate store on any computer or server that already trusts it.
To export it, right-click this certificate and choose "All Tasks -> Export".
Export it in "base 64 (*.cer)" format.
Choose where and under what name you want to export it.
Next, export your secondary certificate authorities' certificate from the "Intermediate Certification Authorities" certificate store on that same computer or server.
Once the certificates are exported, you will get this.
In our case:
Now that you have the public certificates for your certificate authorities, go to your vCenter Server Certificate Management (VCSA) and add them to the "Trusted Root Certificates" section.
On each of your VMware vCenter Servers (VCSA), add your standalone root certificate authority certificate.
Next, on each of your VMware vCenter Server (VCSA) servers, add the certificate of your 1st secondary certificate authority.
As well as that of the 2nd secondary certification authority.
In fact, your 2 VMware vCenter Server (VCSA) servers share the same VMware vSphere SSO domain (vsphere.local) thanks to ELM mode.
However, given that the certificates of your 2 servers ("brux-vcsa" and "paris-vcsa" in our case) are signed by different secondary certification authorities, we recommend that you add the certificates of these 2 secondary certification authorities to avoid having problems connecting to VCSA later.
On our first VMware vCenter Server (VCSA) we have 5 approved certificates:
If you click on the "View details" link for each of the last 3 certificates visible above, you will see, first, the certificate of your standalone root CA.
In our case: InformatiWeb Root CA (Brux).
The certificate from your 1st enterprise secondary certificate authority.
In our case, that of our secondary certification authority "InformatiWeb Sub CA (Brux)" which was issued by our standalone root certification authority "InformatiWeb Root CA (Brux)".
The certificate from your 2nd secondary enterprise certificate authority.
In our case, that of our secondary certification authority "InformatiWeb Sub CA (Paris)" which was issued by our standalone root certification authority "InformatiWeb Root CA (Brux)".
For changes to the various certificates of your VMware vCenter Server (VCSA) to take effect, you must restart your VCSA server.
However, to make this faster, we recommend restarting only the VCSA services rather than restarting the virtual machine from your VMware ESXi host.
To do this, connect to your 2 VMware vCenter Server (VCSA) servers via SSH and access the Linux Shell by typing:
Plain Text
shell
Then restart all VCSA services using the commands:
Bash
service-control --stop --all
service-control --start --all
Warning: if you use the "Mozilla Firefox" web browser, be aware that it uses a certificate store different from that of your computer or server.
In that case, you will have to import the certificates of your certification authorities (the root CA and the secondary CAs) into Firefox so that it treats the certificates issued by your certification authorities as valid.
Once you reconnect to one of your VMware vCenter Servers (VCSA), you will see an error and warnings appear.
Plain Text
Certificate status.
VMware vAPI Endpoint Service Health Alarm
vCenter Server Health Alarm
This is due to the change of the machine certificate of your VMware vCenter Server (VCSA), as well as the restart of this VCSA server.
Click the "Reset to Green" links to ignore this error and warnings and stop them from appearing.
Note that your web browser no longer displays a warning about your VMware vCenter Server (VCSA) certificate.
If we check the certificate of our server "brux-vcsa" (which is located in Brussels), we can see that it was issued by our secondary certificate authority "InformatiWeb Sub CA (Brux)" (also located in Brussels).
If we check the certificate of our server "paris-vcsa" (which is located in Paris), we can see that it was issued by our secondary certificate authority "InformatiWeb Sub CA (Paris)" (also located in Paris).
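The export step and the issuer check above can also be verified from a command line. This is an added example, not part of the original tutorial: bash helpers around the openssl CLI that confirm an exported file really is a "base 64" (PEM) certificate, show which secondary CA issued a server certificate, and test that a server certificate chains to the root only through its own secondary CA, which is why both secondary CA certificates are added. The function names, file names and the throwaway demo PKI are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original tutorial). Requires the openssl CLI.

# True only if FILE is a PEM ("base 64") certificate, the format the export step asks for.
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" && openssl x509 -in "$1" -noout 2>/dev/null
}

# Print the issuer of a certificate, to confirm which secondary CA signed it.
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//'
}

# verify_chain ROOT SUB LEAF: true only if LEAF chains to ROOT through SUB.
verify_chain() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Build a constructed, throwaway PKI in DIR that mirrors the page's layout:
# one root CA, two secondary CAs (brux, paris), one server certificate per site.
make_demo_chain() {
    local d=$1 s
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
        -keyout "$d/root.key" -out "$d/root.cer" 2>/dev/null || return 1
    echo 'basicConstraints=critical,CA:TRUE' > "$d/ca.ext"
    for s in brux paris; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Sub CA $s" \
            -keyout "$d/sub-$s.key" -out "$d/sub-$s.csr" 2>/dev/null &&
        openssl x509 -req -in "$d/sub-$s.csr" -CA "$d/root.cer" -CAkey "$d/root.key" \
            -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/sub-$s.cer" 2>/dev/null &&
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$s-vcsa.example" \
            -keyout "$d/$s-vcsa.key" -out "$d/$s-vcsa.csr" 2>/dev/null &&
        openssl x509 -req -in "$d/$s-vcsa.csr" -CA "$d/sub-$s.cer" -CAkey "$d/sub-$s.key" \
            -CAcreateserial -days 2 -out "$d/$s-vcsa.crt" 2>/dev/null || return 1
    done
}
```

With real files, call `verify_chain` with your exported root and secondary CA certificates and a saved copy of the VCSA machine certificate; a failure with one secondary CA and success with the other tells you which authority signed that server.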
® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.
Total or partial reproduction of this site is prohibited and constitutes an infringement punishable by articles L.335-2 and following of the intellectual property Code.