This article describes how to create a new data-encipherment certificate and upload it to VECS from the command line.
The vCenter UI shows the alarm "Certificate Status".
The alarm description shows that the data-encipherment certificate has expired.
The validity period of the data-encipherment certificate is 10 years; it can be renewed automatically during a vCenter Server upgrade. Customers can also extend the validity period by following this KB.
The validity of the data-encipherment certificate can be checked with the following command:
/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store data-encipherment --alias data-encipherment --text
This solution applies only to vSphere 8.0 and later.
1. SSH to the vCenter Server and create a folder named certs in the root directory.
mkdir /certs
2. Retrieve the data-encipherment key from VECS.
/usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store data-encipherment --alias data-encipherment --output /certs/data-encipherment.key
3. Create a new data-encipherment certificate.
/usr/lib/vmware-vmca/bin/certool --server=[vCenterServerFQDN] --genCIScert --dataencipherment --privkey=/certs/data-encipherment.key --cert=/certs/data-encipherment.crt --Name=data-encipherment --FQDN=[vCenterServerFQDN]
4. Delete the old data-encipherment entry in VECS.
/usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store data-encipherment --alias data-encipherment
5. Add the new data-encipherment certificate to VECS.
/usr/lib/vmware-vmafd/bin/vecs-cli entry create --store data-encipherment --alias data-encipherment --cert /certs/data-encipherment.crt --key /certs/data-encipherment.key
6. Check the data-encipherment certificate in VECS; the validity period should now be extended.
/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store data-encipherment --alias data-encipherment --text
7. Restart the vpxd service to load the new certificate.
If there are any Windows Customization Specifications in the VCDB, run "/usr/sbin/vpxd -g" to refresh them. Otherwise, when those specifications are used to customize a Windows VM, the new certificate causes the error "The public key in the specification does not match the vCenter public key. You have to reenter the password in order to proceed."
In that case, restart vpxd as follows:
service-control --stop vpxd
/usr/sbin/vpxd -g
service-control --start vpxd
If there is no existing Windows Customization Specification, simply restart the vpxd service:
service-control --restart vpxd
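As an added example that is not part of this KB, the following shell script wraps steps 1 to 7 above into one run on the vCenter Server Appliance. It keeps a copy of the current certificate, checks the new certificate's "Not After" date against the old one before the VECS entry is deleted (so a failed certool run does not leave VECS empty), and then restarts vpxd in whichever of the two ways the KB describes. The placeholder vCenter FQDN argument, the /certs working directory, GNU date (as shipped on the appliance), the use of openssl to read the freshly generated .crt file, and the -y flag on "vecs-cli entry delete" (assumed to suppress the confirmation prompt) are assumptions, not taken from the KB.

```shell
#!/bin/sh
# Added example, not part of the KB: renew the VECS data-encipherment
# certificate with a backup of the old entry and a before/after expiry check.
# Assumptions: appliance tool paths as in the KB, GNU date, openssl on PATH,
# and the -y flag on "vecs-cli entry delete" to skip the confirmation prompt.
set -eu

VECS_CLI=/usr/lib/vmware-vmafd/bin/vecs-cli
CERTOOL=/usr/lib/vmware-vmca/bin/certool
STORE=data-encipherment
ALIAS=data-encipherment
WORKDIR=/certs          # working directory used by the KB

# Constructed sample of "vecs-cli entry getcert --text" output (openssl-style
# certificate dump); used only by self_check below.
SAMPLE_TEXT='Certificate:
    Data:
        Version: 3 (0x2)
        Validity
            Not Before: Mar 15 10:00:00 2024 GMT
            Not After : Mar 15 10:00:00 2034 GMT
        Subject: CN=data-encipherment'

# Print the "Not After" value from certificate text read on stdin.
not_after_from_text() {
    sed -n 's/^[[:space:]]*Not After[[:space:]]*:[[:space:]]*//p' | head -n 1
}

# Whole days from now until the given "Not After" value; negative if expired.
days_until_expiry() {
    exp=$(date -u -d "$1" +%s)
    now=$(date -u +%s)
    echo $(( (exp - now) / 86400 ))
}

# Sanity check of the helpers against the constructed sample; returns 0 on success.
self_check() {
    na=$(printf '%s\n' "$SAMPLE_TEXT" | not_after_from_text)
    [ "$na" = "Mar 15 10:00:00 2034 GMT" ] || return 1
    [ "$(days_until_expiry "$na")" -gt 0 ] || return 1
    [ "$(days_until_expiry "Jan  1 00:00:00 2000 GMT")" -lt 0 ] || return 1
}

# "Not After" of the certificate currently stored in VECS.
current_not_after() {
    "$VECS_CLI" entry getcert --store "$STORE" --alias "$ALIAS" --text | not_after_from_text
}

# Steps 1-6 of the KB with a backup and a validity comparison. $1 = vCenter FQDN.
renew_data_encipherment_cert() {
    fqdn=$1
    mkdir -p "$WORKDIR"
    before=$(current_not_after)
    echo "current certificate expires: $before ($(days_until_expiry "$before") days)"
    # Keep the old certificate so the entry can be restored if anything fails.
    "$VECS_CLI" entry getcert --store "$STORE" --alias "$ALIAS" --output "$WORKDIR/$ALIAS.old.crt"
    "$VECS_CLI" entry getkey --store "$STORE" --alias "$ALIAS" --output "$WORKDIR/$ALIAS.key"
    "$CERTOOL" --server="$fqdn" --genCIScert --dataencipherment \
        --privkey="$WORKDIR/$ALIAS.key" --cert="$WORKDIR/$ALIAS.crt" \
        --Name="$ALIAS" --FQDN="$fqdn"
    # Inspect the new file before touching VECS; abort if it does not extend validity.
    after=$(openssl x509 -in "$WORKDIR/$ALIAS.crt" -noout -text | not_after_from_text)
    if [ "$(date -u -d "$after" +%s)" -le "$(date -u -d "$before" +%s)" ]; then
        echo "new certificate ($after) does not extend validity past $before; VECS left untouched" >&2
        return 1
    fi
    "$VECS_CLI" entry delete --store "$STORE" --alias "$ALIAS" -y
    "$VECS_CLI" entry create --store "$STORE" --alias "$ALIAS" \
        --cert "$WORKDIR/$ALIAS.crt" --key "$WORKDIR/$ALIAS.key"
    echo "VECS now holds a certificate expiring: $(current_not_after)"
}

# Step 7: restart vpxd. Pass "with-specs" when Windows Customization
# Specifications exist in the VCDB so that "vpxd -g" refreshes them.
restart_vpxd() {
    if [ "${1:-}" = "with-specs" ]; then
        service-control --stop vpxd
        /usr/sbin/vpxd -g
        service-control --start vpxd
    else
        service-control --restart vpxd
    fi
}

# Usage: sh renew-data-encipherment.sh <vcenter-fqdn> [with-specs]
if [ -n "${1:-}" ]; then
    self_check
    renew_data_encipherment_cert "$1"
    restart_vpxd "${2:-}"
fi
```

The script refuses to delete the VECS entry unless the freshly generated certificate actually expires later than the stored one, which is the condition step 6 asks you to confirm by eye; the old certificate is kept in /certs so the entry can be recreated from it if the run is interrupted.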
This operation restarts the vpxd service, so the following steps to back up data are necessary.