vCenter Server or Platform Services Controller certificate validation error messages for external solutions in environments with a External Platform Services Controller
search cancel

vCenter Server or Platform Services Controller certificate validation error messages for external solutions in environments with a External Platform Services Controller

book

Article ID: 320707

calendar_today

Updated On:

Products

VMware vCenter Server

Issue/Introduction

Some solutions, such as VMware vCenter Site Recovery Manager, VMware vSphere Replication, or VMware vCenter Support Assistant are always installed on a different machine than the associated vCenter Server system or Platform Services Controller that manages the certificates for the solution.
 
If you replace the Machine SSL certificate of a vCenter Server system or a Platform Services Controller in an environment with an External Platform Services Controller, a connection error results when the solution attempts to connect to the vCenter Server. The reason is that the vCenter Server and the Platform Services Controller use the new certificate, but the corresponding service registrations with the VMware Lookup Service are not updated. When solutions connect to vCenter Server or Platform Services Controller, they look at the service registration, which includes the service URL and the sslTrust string. By default, the sslTrust string is the Base 64 encoded old certificate even if you have replaced the certificate successfully.
 
This KB article explains how to resolve the issue in environments with an External Platform Services Controller.
Warning (vSphere 6.0 only):

Ensure the ls_update_certs.py is used from a PSC residing in the same site where VC/PSC registrations are getting updated with new ssltrust.
 
If you are running a Platform Services Controller version 6.0 Windows installation, you must replace the lstoolutil.py file with the file included in this article before you run the ls_update_certs.py script. You do not have to replace the file if you are running vSphere 6.0 Update 1.

To replace the lstoolutil.py file:
  1. Back up the existing "%VMWARE_CIS_HOME%"\VMware Identity Services\lstool\scripts\lstoolutil.py file. By default, this location is C:\Program Files\VMware\vCenter Server\VMware Identity Services\lstool\scripts\.
  2. Download the attached 2121701_lstoolutil.py.zip file.
  3. Extract the lstoolutil.py file from the 2121701_lstoolutil.py.zip file in to "%VMWARE_CIS_HOME%"\VMware Identity Services\lstool\scripts\.


Environment

VMware vCenter Server 6.5.x
VMware vCenter Server Appliance 6.5.x
VMware vCenter Server 6.7.x
VMware vCenter Server 6.0.x
VMware vCenter Server Appliance 6.0.x
VMware vCenter Server Appliance 6.7.x

Resolution

This issue is resolved in vCenter Server 6.0 Update 1b, available at VMware Downloads. For more information, see VMware vCenter Server 6.0 Update 1b Release Notes.
 
Notes:
  • Installing vCenter Server 6.0 update 1b on a system that is affected does not resolve the issue until you replace the certificates again.
  • The update resolves the issue for certificate replacement with the Certificate Manager utility. The update does not resolve the issue for certificate replacement from the Services Controller UI.
To work around this issue for environments with an external Platform Services Controller, you must update the lookup service registration for both the vCenter Server system and the Platform Services Controller each time you replace a certificate. You update the service registration with the ls_update_certs.py script.

Notes:
  • Run this script always on the Platform Services Controller.
  • To run the script, you need the thumbprint of the old vCenter Server certificate and you need the new certificate. You must upload these certificates to the Platform Services Controller before you run the script.
  • Be sure to back up your existing certificates before you run the script.
  • Run this script each time you replace a certificate.

Solution Overview

How you run the script depends on where you replaced the machine SSL certificate.
 
Certificate replaced on Platform Services Controller only
Run the script on the Platform Services Controller, passing in the old and the new certificate for the Platform Services Controller.
Certificate replaced on vCenter Server system only
Run the script on the Platform Services Controller, passing in thumbprint of the old vCenter Server certificate and the new vCenter Server certificate
Certificates replaced on both vCenter Server system and Platform Services Controller
Run the script on the Platform Services Controller twice. Ideally, you run the script once after you replace the Platform Services Controller certificate, and again after you replace the vCenter Server certificate.
 

 

Task 0: Validating the sslTrust Anchors for the PSC and vCenter

Validating the sslTrust Anchors from Command Line on the PSC Appliance
  1. Log in to the External Platform Services Controller Appliance via SSH.
  2. Run this command to enable access the Bash shell:

    shell.set --enabled true
     
  3. Type shell and press Enter.

    If you have replaced the SSL certificates on their Platform Services Controllers:
     
    1. Run this command to get the current sslTrust anchor stored for the Platform Services Controller:

      /usr/lib/vmidentity/tools/scripts/lstool.py list --url https://localhost/lookupservice/sdk --no-check-cert --ep-type com.vmware.cis.cs.identity.sso 2>/dev/null

      For example:

      Note: The SSL trust was truncated for readability.

      Service Product: com.vmware.cis
      Service Type: cs.identity
      Service ID: 04608398-1493-4482-881b-b35961bf5141
      Site ID: vmware
      Owner ID: [email protected]
      Version: 2.0
      Endpoints:
      Type: com.vmware.cis.cs.identity.sso
      Protocol: wsTrust
      URL: https://homepsc.vmware.local/sts/STSService/vsphere.local
      SSL trust: MIIDWDCCAkCgAwIBAgIJANr+++MJ5+WxMA0GCSqGSIb3DQEBCwUAMGgxCzAJBgNV ... LqSKWg/apP1XlBV1VyC5LPZrH/rrq8+Naoj7i/P6HAzTwAAL+O10ggClaP8=

       
    2. Run this command to get the current SSL certificate used on port 443 on the Platform Services Controller:

      echo | openssl s_client -connect localhost:443

      For example:

      Note: The actual string was shortened significantly to improve readability.

      CONNECTED(00000003)
      depth=3 /DC=local/DC=VMWARE/CN=VMWARE-WCA-CA-1
      verify return:1
      depth=2 /DC=local/DC=VMWARE/CN=VMWARE-WCAI-CA-1
      verify return:1
      depth=1 /C=US/DC=vsphere/DC=local/O=psc.vmware.local/CN=CA
      verify return:1
      depth=0 /CN=psc.vmware.local/C=US
      verify return:1
      ---
      Certificate chain
      0 s:/CN=psc.vmware.local/C=US
      i:/C=US/DC=vsphere/DC=local/O=psc.vmware.local/CN=CA
      ---
      Server certificate
      -----BEGIN CERTIFICATE-----
      MIIDWDCCAkCgAwIBAgIJANr+++MJ5+WxMA0GCSqGSIb3DQEBCwUAMGgxCzAJBgNV
      ...
      LqSKWg/apP1XlBV1VyC5LPZrH/rrq8+Naoj7i/P6HAzTwAAL+O10ggClaP8=

      -----END CERTIFICATE-----
       
    3. If you have more than one vCenter Server in a vSphere domain, repeat the command using the FQDN for any remaining VC nodes.

      echo | openssl s_client -connect vcenter2.vmware.local:443
       
    4. Using the output from the above openssl s_client and the lstoolutil.py, verify if the returned SSL certificates match for your vCenter Server(s). If they do match, you do not need to continue. If they do not match, proceed to Task 1: Retrieving the Old Certificate from the Managed Object Browser (MOB) to start updating the sslTrust anchors.
       
    If you have replaced the SSL certificates on their vCenter Servers:
    1. Run this command to get the current sslTrust anchor stored for the vCenter Servers:

      /usr/lib/vmidentity/tools/scripts/lstool.py list --url https://localhost/lookupservice/sdk --no-check-cert --ep-type com.vmware.vim 2>/dev/null

      For example:

      Note: The SSL trust was truncated for readability.

      Name: AboutInfo.vpx.name
      Description: AboutInfo.vpx.name
      Service Product: com.vmware.cis
      Service Type: vcenterserver
      Service ID: e29107d1-565d-436e-a0ed-6ecf1eb613a7
      Site ID: site
      Node ID: ffd86dd8-3f01-11e5-a40a-0050569c12c2
      Owner ID: [email protected]
      Version: 6.0
      Endpoints:
      Type: com.vmware.vim
      Protocol: vmomi
      URL: https://vcenter.vmware.local:443/sdk
      SSL trust: MIIDfjCCAmagAwIBAgIJAMLCByASkdjPMA0GCSqGSIb3DQEBCwUAMGgxCzAJBgNV...v2zUN54IrTl1lfAA8eb6Xy9miKsYZoYan5mgzb+GGD2yLw==

       
    2. Run this command to get the current SSL certificate used on port 443 on the vCenter Server:

      echo | openssl s_client -connect vcenter_server_FQDN:443

      Use this example as a model:

      Note: The actual string was shortened significantly to improve readability.

      CONNECTED(00000003)
      depth=3 /DC=local/DC=VMWARE/CN=VMWARE-WCA-CA-1
      verify return:1
      depth=2 /DC=local/DC=VMWARE/CN=VMWARE-WCAI-CA-1
      verify return:1
      depth=1 /C=US/DC=vsphere/DC=local/O=psc.vmware.local/CN=CA
      verify return:1
      depth=0 /CN=vcenter.vmware.local/C=US
      verify return:1
      ---
      Certificate chain
      0 s:/CN=vcenter.vmware.local/C=US
      i:/C=US/DC=vsphere/DC=local/O=psc.vmware.local/CN=CA
      1 s:/C=US/DC=vsphere/DC=local/O=psc.vmware.local/CN=CA
      i:/DC=local/DC=VMWARE/CN=VMWARE-WCAI-CA-1
      2 s:/DC=local/DC=VMWARE/CN=VMWARE-WCAI-CA-1
      i:/DC=local/DC=VMWARE/CN=VMWARE-WCA-CA-1
      ---
      Server certificate
      -----BEGIN CERTIFICATE----
      MIIDfjCCAmagAwIBAgIJAMLCByASkdjPMA0GCSqGSIb3DQEBCwUAMGgxCzAJBgNV
      ...
      v2zUN54IrTl1lfAA8eb6Xy9miKsYZoYan5mgzb+GGD2yLw==

      -----END CERTIFICATE-----

       
    3. If you have more than one vCenter Server in a vSphere domain, repeat the command using the FQDN for any remaining VC nodes.

      echo | openssl s_client -connect vcenter2.vmware.local:443
       
    4. Using the output from the above openssl s_client and the lstoolutil.py, verify if the outputted SSL certificates match for your vCenter Server(s). If they do match, you do not need to continue. If they do not match, proceed to Task 1: Retrieving the Old Certificate from the Managed Object Browser (MOB) to start updating the sslTrust anchors.
     
    Validating the sslTrust Anchors from the Command Line on a Windows PSC Installation
    1. Connect to the External Platform Services Controller using a remote desktop connection and administrator credentials.
    2. Click Start > run, type cmd and press OK.
      If you have replaced the SSL certificates on their Platform Services Controllers:
      1. Run this command to get the current sslTrust anchor stored for the Platform Services Controller:

        "%VMWARE_PYTHON_BIN%" "%VMWARE_CIS_HOME%\VMware Identity Services\lstool\scripts\lstool.py" list --url https://localhost/lookupservice/sdk --no-check-cert --ep-type com.vmware.cis.cs.identity.sso 2> NULL


        For example:

        Note: The SSL trust was truncated for readability.

        Service Product: com.vmware.cis
        Service Type: cs.identity
        Service ID: 04608398-1493-4482-881b-b35961bf5141
        Site ID: vmware
        Owner ID: [email protected]
        Version: 2.0
        Endpoints:
        Type: com.vmware.cis.cs.identity.sso
        Protocol: wsTrust
        URL: https://psc.vmware.local/sts/STSService/vsphere.local
        SSL trust: MIIDWDCCAkCgAwIBAgIJANr+++MJ5+WxMA0GCSqGSIb3DQEBCwUAMGgxCzAJBgNV ... LqSKWg/apP1XlBV1VyC5LPZrH/rrq8+Naoj7i/P6HAzTwAAL+O10ggClaP8=

         
      2. Run this command to get the current SSL certificate used on port 443 on the Platform Services Controller:

        "%VMWARE_OPENSSL_BIN%" s_client -connect localhost:443

        For example:

        CONNECTED(00000003)
        depth=3 /DC=local/DC=VMWARE/CN=VMWARE-WCA-CA-1
        verify return:1
        depth=2 /DC=local/DC=VMWARE/CN=VMWARE-WCAI-CA-1
        verify return:1
        depth=1 /C=US/DC=vsphere/DC=local/O=psc.vmware.local/CN=CA
        verify return:1
        depth=0 /CN=psc.vmware.local/C=US
        verify return:1
        ---
        Certificate chain
        0 s:/CN=psc.vmware.local/C=US
        i:/C=US/DC=vsphere/DC=local/O=psc.fvmware.local/CN=CA
        ---
        Server certificate
        -----BEGIN CERTIFICATE-----
        MIIDWDCCAkCgAwIBAgIJANr+++MJ5+WxMA0GCSqGSIb3DQEBCwUAMGgxCzAJBgNV
        ...
        LqSKWg/apP1XlBV1VyC5LPZrH/rrq8+Naoj7i/P6HAzTwAAL+O10ggClaP8=

        -----END CERTIFICATE-----

         
      3. If you have more than one vCenter Server in a vSphere domain, repeat the command using the FQDN for any remaining vCenter Server nodes.

        "%VMWARE_OPENSSL_BIN%" s_client -connect vcenter2.vmware.local:443
         
      4. Using the output from the above openssl s_client and the lstoolutil.py, verify if the outputted SSL certificates match for your Platform Services Controller(s). If they do match, you do not need to continue. If they do not match, proceed to Task 1: Retrieving the Old Certificate from the Managed Object Browser (MOB) to start updating the sslTrust anchors.
         
        If you have replaced the SSL certificates on their vCenter Servers:
        1. Run this command to get the current sslTrust anchor stored for the vCenter Servers:

          "%VMWARE_PYTHON_BIN%" "%VMWARE_CIS_HOME%\VMware Identity Services\lstool\scripts\lstool.py" list --url https://localhost/lookupservice/sdk --no-check-cert --ep-type com.vmware.vim 2> NULL

          For example:

          Note: The SSL trust was truncated for readability.


          Name: AboutInfo.vpx.name
          Description: AboutInfo.vpx.name
          Service Product: com.vmware.cis
          Service Type: vcenterserver
          Service ID: e29107d1-565d-436e-a0ed-6ecf1eb613a7
          Site ID: vmware
          Node ID: ffd86dd8-3f01-11e5-a40a-0050569c12c2
          Owner ID: [email protected]
          Version: 6.0
          Endpoints:
          Type: com.vmware.vim
          Protocol: vmomi
          URL: https://vcenter.vmware.local:443/sdk
          SSL trust: MIIDfjCCAmagAwIBAgIJAMLCByASkdjPMA0GCSqGSIb3DQEBCwUAMGgxCzAJBgNV...v2zUN54IrTl1lfAA8eb6Xy9miKsYZoYan5mgzb+GGD2yLw==

           
        2. Execute the command to get the current SSL certificate used on port 443 on vCenter Server:

          "%VMWARE_OPENSSL_BIN%" s_client -connect vcenter_server_FQDN:443

          Use this example as a model:

          Note: The actual string was shortened significantly to improve readability.

          CONNECTED(00000003)
          depth=3 /DC=local/DC=VMWARE/CN=VMWARE-WCA-CA-1
          verify return:1
          depth=2 /DC=local/DC=VMWARE/CN=VMWARE-WCAI-CA-1
          verify return:1
          depth=1 /C=US/DC=vsphere/DC=local/O=psc.vmware.local/CN=CA
          verify return:1
          depth=0 /CN=vcenter.vmware.local/C=US
          verify return:1
          ---
          Certificate chain
          0 s:/CN=vcenter.vmware.local/C=US
          i:/C=US/DC=vsphere/DC=local/O=psc.vmware.local/CN=CA
          1 s:/C=US/DC=vsphere/DC=local/O=psc.vmware.local/CN=CA
          i:/DC=local/DC=VMWARE/CN=VMWARE-WCAI-CA-1
          2 s:/DC=local/DC=VMWARE/CN=VMWARE-WCAI-CA-1
          i:/DC=local/DC=VMWARE/CN=VMWARE-WCA-CA-1
          ---
          Server certificate
          -----BEGIN CERTIFICATE----
          MIIDfjCCAmagAwIBAgIJAMLCByASkdjPMA0GCSqGSIb3DQEBCwUAMGgxCzAJBgNV
          ...
          v2zUN54IrTl1lfAA8eb6Xy9miKsYZoYan5mgzb+GGD2yLw==

          -----END CERTIFICATE-----

           
        3. If you have more than one PSC in a vSphere domain, repeat the command using the FQDN for any remaining PSC nodes.

          "%VMWARE_OPENSSL_BIN%" s_client -connect vcenter2.vmware.local:443
           
        4. Using the output from the above openssl s_client and the lstoolutil.py, verify if the outputted SSL certificates match for your vCenter Server(s). If they do match, you do not need to continue. If they do not match, proceed to Task 1: Retrieving the Old Certificate from the Managed Object Browser (MOB) to start updating the sslTrust anchors.

        Task 1: Retrieving the Old Certificate from the Managed Object Browser (MOB)

        You can retrieve the old certificate for the vCenter Server system by connecting to the Platform Service Controller using the Managed Object Browser. You must find the sslTrust field of the ArrayOfLookupServiceRegistrationInfo managed object by performing this procedure:

        1. Create a directory to store the old certificates on the Platform Services Controller. For the guidance in this article, we will be using the following locations:
           
          Platform Services Controller Appliance/certificates/
          Platform Services Controller on WindowsC:\certificates\
        2. To open the MOB, go to https://psc.example.com/lookupservice/mob?moid=ServiceRegistration&method=List in a browser.
        3. Log in with the [email protected] username and password when prompted for credentials.
          If you are using a custom name for your vCenter Single Sign-On domain, use that user name and password.
        4. In the filterCriteria text field, modify the value field to show only the tags <filterCriteria></filterCriteria> and click Invoke Method.
          This displays the ArrayOfLookupServiceRegistrationInfo objects.
        5. Search for the following depending on which certificates are replaced:
           
          vCenter ServerSearch (Ctrl+F) for vc_hostname_or_IP.example.com on the page
          Platform Services ControllerSearch (Ctrl+F) for psc_hostname_or_IP.example.com on the page
        6. Find the value of the corresponding sslTrust field. The content of that field is the Base64 encoded string of the old certificate.

          Use the following examples as models when updating your Platform Services Controller or vCenter Server trust anchors.

          Note: The actual string was shortened significantly to improve legibility

          For vCenter Server:
          sslTrustArrayofString

          MIIDfjCCAmag...

          urlanyURIhttps://vcenter.vmware.local:443/sdk

          For Platform Services Controller:
          sslTrustArrayofString

          MIIDfjCCAbad...

          urlanyURIhttps://psc.vmware.local/sts/STSService/vsphere.local
        7. Copy the content of the sslTrust field into a text document. Save this document as old_machine.txt.
        8. Open the old_machine.txt in a text editor.
        9. Append -----BEGIN CERTIFICATE----- to the beginning of the text string, and append -----END CERTIFICATE----- to the end of the text string. Add a carriage return after the 64th character of the contents copied from the sslTrust field.

          For Example:

          -----BEGIN CERTIFICATE-----
          LIIDeDCCAmCgAwIBAgIJAP7kGwWSSd0yMA0GCSqGSIb3DQEBCwUAMGgxCzAJBgNV
          PAMMAkNBMRcwFQYKCZImiZPyLGQBGRYHdnNwaGVyZTEVMBMGCgmSJomT8ixkARkW
          QWxvY2FsMQswCQYDVQQGEwJVUzEcMBoGA1UECgwTaG9tZXBzYy5mcml0ei5sb2Nh
          NDAeFw0xNTA4MTAwMDMwMjZaFw0yNTA4MDQwMDMwMjVaMCsxHDAaBgNVBAMME2hv
          HWVwc2MuZnJpdHoubG9jYWwxCzAJBgNVBAYTAlVTMIIBIjANBgkqhkiG9w0BAQEF
          LAOCAQ8AMIIBCgKCAQEAzuf/uVMLwlkUKsMXsUPigqZdrXKzEOEzOQ04q8YgVvDX
          w7MAPSTMZzeUsI6P+/4doZU14zAQTl/6dnbwYg65p9mv7CVJb4QgAJH9xFD+33Ab
          aQX7za/bWPgyxsPtccnn+si8QQDx9mMZbDzF0gjdARvpKWwVv4lln8iZ8wUahyC7
          bxnzc5/oWo4Z3DTruHMnvadHRZWzZTn8YeID06R2g8Yu5c50wXbAvNj3TE4x0Qyv
          fUbABXvv2EdYC5tb3g++L6A6tuWYgl+dr4KJ1G5gLvliECAsWsMwtQXq5nH65JdV
          XvRUVIlajC9OavGkd+ziT3yRibJBu2NJrLQp7ehgmQIDAQABo2IwYDAeBgNVHREE
          FzAVghNob21lcHNjLmZyaXR6LmxvY2FsMB0GA1UdDgQWBBSaRwv8djR7+qg7Wk3A
          zib3C3ArljAfBgNVHSMEGDAWgBRkYn4wsyRye8o14OoE3AOTMus6rzANBgkqhkiG
          9w0BAQsFAAOCAQEAU3X/ZEDXO8yDRJkjrQH0acxoc76QRDv+3s6yCpPFU8HmqU1E
          LmoDq67rHoKZw5ziBR/lGHn5oVHYYuJRFdO/b8NO1t2MnedhAaenqmAr4v0FzH6K
          UCgiLq8+ZMPFBz3qFu2i0I8mG6Yy0ud9T4wWUabgZ1C3sDNkQ+NLHXKVxNrPwgQd
          3KyrNpXgBQ0+ZWY3xvvdW5yOwnWkeAeqnGRYvzifG9M6DK/YMP1S/akAJvXSgEkJ
          PEJ3vlvSRy7l2lvU19upt4O/BAk3ZJ+X5uFtv/4GMdbEVZBCmNDS7Y85NorISiQf
          AVy/R2wjP4rNWDfN9DMCcwfPvw/0nFwrpr+0Cg==
          -----END CERTIFICATE-----

           
        10. Save old_machine.txt as old_machine.crt.
        11. Move or upload (via WinSCP or another SCP client) the certificate to the Platform Services Controller to the location created in Step 1:

          Note: SCP is disabled by default, for more information see Error when uploading files to vCenter Server Appliance using WinSCP (2107727).
           
          Platform Services Controller Appliance/certificates/old_machine.crt
          Platform Services Controller on WindowsC:\certificates\old_machine.crt
        You can now extract the thumbprint from this certificate. Proceed to Task 2.
         

        Task 2: Extracting the Thumbprint from the Old Certificate

        You can extract the thumbprint from the command line or by using a certificate viewer tool. After you extract the certificate, you can upload it to the Platform Services Controller.
         
        Extracting the Thumbprint from the Command Line on the Appliance
        1. Log in to the External Platform Services Controller Appliance via SSH.
        2. Run this command to enable access the Bash shell:

          shell.set --enabled true
           
        3. Enter shell and press Enter.
        4. Run this command to get the thumbprint:

          openssl x509 -in /certificates/old_machine.crt -noout -sha1 -fingerprint
           
        5. You see an output similar to:

          SHA1 Fingerprint=13:1E:60:93:E4:E6:59:31:55:EB:74:51:67:2A:99:F8:3F:04:83:88

          The thumbprint, is the sequence of numbers and letters that follow the equal sign.
         
        Extracting the Thumbprint from the Command Line on a Windows Installation
        1. Make a remote desktop connection to the External Platform Services Controller.
        2. Open an administrative command prompt.
        3. Run this command to get the thumbprint:

          "%VMWARE_OPENSSL_BIN%" x509 -in c:\certificates\old_machine.crt -noout -sha1 -fingerprint
           
        4. You see an output similar to:

          SHA1 Fingerprint=13:1E:60:93:E4:E6:59:31:55:EB:74:51:67:2A:99:F8:3F:04:83:88

          The thumbprint is the sequence of numbers and letters that follow the equal sign.

        Extracting the Thumbprint Using a Certificate Viewer Tool

        You can extract the thumbprint by performing these steps:
        1. Open the file with a certificate viewer tool. In Windows, double-click the file to open it in Windows Certificate Viewer.
        2. Get the SHA1 Thumbprint string. In Windows Certificate Viewer, select the SHA1 Thumbprint field.
        3. Copy the thumbprint string into a plain text editor and replace the spaces with colons or remove the spaces from the string.

          Note: With some text editors, invisible characters are added at the beginning. Delete the first character of the thumbprint and any associated spaces, then type, not paste, the character.

        Proceed to Task 3 to retrieve the new certificate.

        Task 3: Retrieving the New Certificate

        Depending on the replacement you are performing, you need the new vCenter Server certificate, the new Platform Services Controller certificate, or both. See Solution Overview above.

        If you did not archive the new certificate, you can retrieve it using vecs-cli:
         
        Retrieving the NewCertificate from the Appliance
        1. Log in to the vCenter Server or External Platform Services Controller Appliance through console or SSH session.
        2. Run this command to enable access the Bash shell:

          shell.set --enabled true
           
        3. Enter shell and press Enter.
        4. Run this command to view the new certificate:

          /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store MACHINE_SSL_CERT –-text
           
        5. Run this command to export the new certificate to a file:

          /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output /certificates/new_machine.crt
           
        6. If you retrieved a vCenter Server certificate, move or upload it (via WinSCP or another SCP client) to the Platform Services Controller before you run the script.
         
        Retrieving the NewCertificate on a Windows Installation
        1. Connect with remote desktop to the vCenter Server or External Platform Services Controller using administrative credentials.
        2. Open an administrative command prompt.
        3. Run this command to view the new certificate:

          "%VMWARE_CIS_HOME%"\vmafdd\vecs-cli entry list --store MACHINE_SSL_CERT --text |more
           
        4. Run this command to export the new certificate to a file:

          "%VMWARE_CIS_HOME%"\vmafdd\vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output c:\certificates\new_machine.crt
           
        5. If you just retrieved a vCenter Server certificate, move or upload it (via WinSCP or another SCP client) to the Platform Services Controller before you run the script.
        Proceed to Task 4 to execute the ls_update_certs script with the information gathers from Tasks 1 through 3.

         

        Task 4: Running the ls_update_certs.py Script

        Run the ls_update_certs.py script on the Platform Services Controller. To successfully run the script, you must have both the thumbprint of the old vCenter Server Server or Platform Services Controller certificate and the new vCenter Server or Platform Services Controller certificate.
         
        Note: If the password that you supply includes special characters or spaces, surround it with single quotes (Eg. 'Passw0rd!'). Command will fail with below error message, if it is a problem with the password:

        YYYY-MM-DD HH:MM:SS INFO com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl$RequestResponseProcessor - Provided credentials are not valid.
        Caused by: com.vmware.vim.sso.client.exception.AuthenticationFailedException: Provided credentials are not valid.
         
        Warning: You cannot undo the actions of this script. Perform a backup or a snapshot of the virtual machine so you can recover if problems result.
         
        Running ls_update cert on the Appliance

        The ls_update_certs script is located at /usr/lib/vmidentity/tools/scripts/ls_update_certs.py.

        1. Log in to the External Platform Services Controller Appliance through console or an SSH session.
        2. Run this command to enable access the Bash shell:

          shell.set --enabled true
           
        3. Type shell and press Enter.
        4. Change directories to /usr/lib/vmidentity/tools/scripts/ with the following command:

          cd /usr/lib/vmidentity/tools/scripts/
           
        5. Run this command:

          python ls_update_certs.py --url Lookup_Service_FQDN_of_Platform_Services_Controller --fingerprint Old_Certificate_Fingerprint_from_Task_2 --certfile New_Certificate_Path_from_Task_3 --user [email protected] --password "Password"

          For example (do not copy the fingerprint used in this example):

          python ls_update_certs.py --url https://psc.vmware.com/lookupservice/sdk --fingerprint 11:11:AF:D8:CF:27:6B:EF:F7:49:20:3E:D7:90:8C:F6:A0:A2:E2:30 --certfile /certificates/new_machine.crt --user [email protected] --password "Password"
         
        Running ls_update_cert on a Platform Services Controller Windows Installation
        1. Make a remote desktop connection to the External Platform Services Controller.
        2. Open an administrative command prompt

        Additional Information

        VMware Skyline Health Diagnostics for vSphere - FAQ
        "Error in creating a new entry for __MACHINE_CERT in VECS Store MACHINE_SSL_CERT", Certificate Replacement with Custom Certificate fails on 6.x
        Process to view the List of Services Registered with Single Sign-On 

        Attachments

        2121701_lstoolutil get_app