This article provides steps to regenerate the vSphere 6.x, 7.x, and 8.0 certificates using a new self-signed certificate in the VMware Certificate Authority (VMCA).

Note: This process can be useful to quickly recover from a scenario where the vCenter Server certificates have expired.

VMware vCenter Server 8.0
VMware vSphere 6.x
VMware vCenter Server 7.0.x

• Ensure that the STS certificate is valid before regenerating the certificate using Certificate Manager.
• If STS is expired or corrupted certificate regeneration will fail due to Service dependencies failure to start without a valid token.
• This task replaces the VMCA Root Certificate with a new self-signed certificate and then the MachineSSL and Solution User certificates with new certificates issued by the VMCA.
• If you are running an external Platform Services Controller, you need to run the vSphere 6.x Certificate Manager on the external vCenter Server 6.x and perform these tasks:
   
  • Replace Machine SSL certificate with VMCA Certificate (Option 3)
  • Replace Solution user certificates with VMCA certificates (Option 6)

Note: Certificate Replacement with the below steps will fail and rollback if the STS Certificate (Signing Certificate) is expired. Please follow KB Checking Expiration of STS Certificate on vCenter Server to verify the Validity of the STS Certificate, which includes the links to KBs for STS Certificate replacement if it is already expired.

Follow the below steps to replace other Certificates after replacing the STS Certificate.

Note: Please take a snapshot or a backup of the vCenter before proceeding.

To regenerate the vSphere 6.x certificates using a new self-signed VMware Certificate Authority certificate:

1. Launch the vSphere 6.x Certificate Manager.
   
   For vCenter Server 6.x/7.x Appliance: /usr/lib/vmware-vmca/bin/certificate-manager
   For Windows vCenter Server 6.x: C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager
    
2. Select Option 4 (Regenerate a new VMCA Root Certificate and replace all certificates)
   
   Note: You can also select Option 8 (Reset all Certificates). Both options perform the same functionality. (The difference is that option 8 does not perform automatic Rollback of the certificates).
   
   
    
3. Type the [email protected] password when prompted.
4. If this is the first time VMCA certificates are re-generated on this system, you are asked to configure the certool.cfg. On subsequent tasks, you are offered to re-use these values.
   
   Note: These values are used to define certificates issued by VMCA.
   
   Enter these values as prompted by the VMCA (See Step 5 to confirm the Name/Hostname/VMCA):
   
   Please configure certool.cfg file with proper values before proceeding to next step.
   Press Enter key to skip optional parameters or use Default value.
   Enter proper value for 'Country' [Default value : US] : (Note: Value for Country should be only 2 letters)
   Enter proper value for 'Name' [Default value : CA] :
   Enter proper value for 'Organization' [Default value : VMware] :
   Enter proper value for 'OrgUnit' [Default value : VMware Engineering] :
   Enter proper value for 'State' [Default value : California] :
   Enter proper value for 'Locality' [Default value : Palo Alto] :
   Enter proper value for 'IPAddress' [optional] :
   Enter proper value for 'Email' [Default value : [email protected]] :
   Enter proper value for 'Hostname' [Enter valid Fully Qualified Domain Name(FQDN), For Example : example.domain.com] :
   Enter proper value for VMCA 'Name': (Note: This information will be requested from vCenter Server 6.0 U3, 6.5 and later builds, you may use the FQDN/PNID of vCenter Server for this field. It will be used as a Common Name for the VMCA Root Certificate)
    
5. Type Yes (Y) to the confirmation request to proceed.
   
   You are going to regenerate Root Certificate and all other certificates using VMCA
   Continue operation : Option[Y/N] ? : Y
   
   Note: This step automatically restarts the vCenter Server services. Also, the Name, Hostname and VMCA values should match the PNID of the Node where you are replacing the Certificates. PNID should always match the Hostname. In order to obtain the PNID please run these commands: 

   For vCenter Server Appliance (VCSA)

   /usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost
   
   

   For Windows vCenter Server

   C:\Program Files\VMware\vCenter Server\vmafdd\" vmafd-cli.exe get-pnid --server-name localhost

• VMware Skyline Health Diagnostics for vSphere - FAQ (81931)
• Updating External Solutions after replacing the vCenter Server SSL certificate (82038)
• How to use vSphere Certificate Manager to Replace SSL Certificates (2097936)
• Replacing the vSphere 6.x Machine SSL certificate with a VMware Certificate Authority issued certificate (2112279)
• How to replace the vSphere 6.0 Solution User certs with VMCA issued certs (2112281)
• Regenerando os certificados do vSphere 6.0 usando um novo certificado autoassinado da VMware Certificate Authority (2132508)