How to Replace Expired Certificates on vCenter Server using Fixcerts Python Script

Article ID: 322249

Products

VMware vCenter Server

Issue/Introduction

This article explains how to use the Python-based script 'fixcerts_1715175916536.py' (attached at the bottom of this article) to replace certificates on the vCenter Server Appliance. The commands in this article assume the script was saved on the appliance as fixcerts.py.

The script replaces the following certificates with certificates signed by the default VMCA, and performs the related clean-up tasks listed at the end:

  • VMCA Root
  • MACHINE SSL
  • Secure Token Signing (STS)
  • Solution Users
  • LookupService or STS_INTERNAL_SSL_CERT (if exists)
  • data-encipherment
  • SMS
  • Remove Expired Certificates from TRUSTED_ROOTS store
  • Remove Non-CA Certificates from TRUSTED_ROOTS store
  • Update Thumbprint for VPXD Extensions (eam, rbd & imagebuilder)

Notes:

  1. This script cannot be used to replace custom (external CA-signed) certificates on vCenter Server; it only issues certificates signed by the default VMCA.
  2. This script is not a replacement for the Certificate Management UI or the certificate-manager CLI on vCenter Server.
  3. Windows-based vCenter Server is not supported; the script runs only on the vCenter Server Appliance.



Environment

VMware vCenter Server Appliance 6.5.x
VMware vCenter Server Appliance 6.7.x
VMware vCenter Server 7.0.x
VMware vCenter Server 8.0.x

Resolution

Steps to execute the script on the vCenter Server Appliance:

  1. Download the fixcerts_1715175916536.py script from the Attachments section below.
  2. Copy the script to the vCenter Server Appliance using WinSCP, or paste it through the clipboard as follows:
  • Open the script in a text editor (preferably Notepad++)
  • Copy the contents (Ctrl + C)
  • Connect to the VCSA with an SSH client (e.g. PuTTY)
  • If the session lands in the Appliance Shell, switch to Bash by typing 'shell'
  • Create a new file with 'vi', for example 'vi fixcerts.py' (the commands below assume this file name); if the editor is vim, run ':set paste' before pasting so auto-indent does not corrupt the Python indentation
  • Right-click to paste the copied contents (or use Shift + Insert)
  • Save and exit vi (press Esc, then type ':wq!' and Enter)
  3. Execute one of the following commands:
  • To replace only the expired certificates: python fixcerts.py replace --certType expired_only
  • To replace all the certificates: python fixcerts.py replace --certType all
  4. Follow the prompts and provide the inputs the script asks for:
  • Enter the SSO administrator credentials
  • The validity of the existing certificates is displayed; read the instructions and enter 'Yes' or 'Y' to continue
  • The script reads the fields of the existing MACHINE SSL certificate (Country, Organization, etc.); enter 'Yes' or 'Y' to keep the same fields, or 'No' to customize them
  • The script then replaces the expired certificates; enter 'Yes' or 'Y' to restart the services after replacement, or 'No' or 'N' to restart them manually later with the 'service-control' command
  • The execution status and the validity of the certificates after the replacement are displayed

Additional Information

The fixcerts script accepts additional arguments for the default VMCA certificate replacement. The following are some examples. Note that --silent True requires the SSO administrator password on the command line (--password), where it is visible in the process list while the script runs and is recorded in the shell history of the appliance; use the interactive mode where possible, or clear the history after an unattended run.

Replace ONLY EXPIRED Certificates

  • python fixcerts.py replace --certType expired_only
  • python fixcerts.py replace --certType expired_only --serviceRestart True [To restart all the services automatically post certificate replacement]
  • python fixcerts.py replace --certType expired_only --additionalSAN fqdn1,fqdn2 [if multiple hostnames are required in SAN, provide comma separated values for multiple FQDNs]
  • python fixcerts.py replace --certType expired_only --silent True --password "<sso admin password>" --serviceRestart True|False [for silent replacement without any user inputs]
  • python fixcerts.py replace --certType expired_only --validityDays <number between 1 to 3650> [To Customize the certificate validity, by default VMCA signs certificate with 2 year validity]
  • python fixcerts.py replace --certType expired_only --keySize <2048/3072/4096> [To Customize the Key Length, by default VMCA signs certificate with 2048 as key size]


Replace all the Certificates on vCenter Server

  • python fixcerts.py replace --certType all
  • python fixcerts.py replace --certType all --serviceRestart True [To restart all the services automatically post certificate replacement]
  • python fixcerts.py replace --certType all --additionalSAN fqdn1,fqdn2 [if multiple hostnames are required in SAN, provide comma separated values for multiple FQDNs]
  • python fixcerts.py replace --certType all --silent True --password "<sso admin password>" --serviceRestart True|False [for silent replacement without any user inputs]
  • python fixcerts.py replace --certType all --validityDays <number between 1 to 3650> [To customize the certificate validity; by default VMCA signs certificates with 2-year validity. Note that the VMCA Root certificate always keeps the default 10-year validity and the default key size; these cannot be customized]
  • python fixcerts.py replace --certType all --keySize <2048/3072/4096> [To Customize the Key Length, by default VMCA signs certificate with 2048 as key size]


Replace VMCA Root Certificate and all other Certificates

  • python fixcerts.py replace --certType root
  • python fixcerts.py replace --certType root --serviceRestart True [To restart all the services automatically post certificate replacement]
  • python fixcerts.py replace --certType root --silent True --password "<sso admin password>" --serviceRestart True|False [for silent replacement without any user inputs]


Replace MACHINE_SSL_CERT Certificate

  • python fixcerts.py replace --certType machinessl
  • python fixcerts.py replace --certType machinessl --serviceRestart True [To restart all the services automatically post certificate replacement]
  • python fixcerts.py replace --certType machinessl --additionalSAN fqdn1,fqdn2 [if multiple hostnames are required in SAN, provide comma separated values for multiple FQDNs]
  • python fixcerts.py replace --certType machinessl --silent True --password "<sso admin password>" --serviceRestart True|False [for silent replacement without any user inputs]
  • python fixcerts.py replace --certType machinessl --validityDays <number between 1 to 3650> [To Customize the certificate validity, by default VMCA signs certificate with 2 year validity]
  • python fixcerts.py replace --certType machinessl --keySize <2048/3072/4096> [To Customize the Key Length, by default VMCA signs certificate with 2048 as key size]


Replace STS (Signing Certificate) Certificate

  • python fixcerts.py replace --certType sts
  • python fixcerts.py replace --certType sts --serviceRestart True [To restart all the services automatically post certificate replacement]
  • python fixcerts.py replace --certType sts --silent True --password "<sso admin password>" --serviceRestart True|False [for silent replacement without any user inputs]
  • python fixcerts.py replace --certType sts --validityDays <number between 1 to 3650> [To Customize the certificate validity, by default VMCA signs certificate with 2 year validity]
  • python fixcerts.py replace --certType sts --keySize <2048/3072/4096> [To Customize the Key Length, by default VMCA signs certificate with 2048 as key size]


Replace Solution User Certificates

  • python fixcerts.py replace --certType solutionusers
  • python fixcerts.py replace --certType solutionusers --serviceRestart True [To restart all the services automatically post certificate replacement]
  • python fixcerts.py replace --certType solutionusers --silent True --password "<sso admin password>" --serviceRestart True|False [for silent replacement without any user inputs]
  • python fixcerts.py replace --certType solutionusers --validityDays <number between 1 to 3650> [To Customize the certificate validity, by default VMCA signs certificate with 2 year validity]
  • python fixcerts.py replace --certType solutionusers --keySize <2048/3072/4096> [To Customize the Key Length, by default VMCA signs certificate with 2048 as key size]


Replace data-encipherment Certificate

  • python fixcerts.py replace --certType data-encipherment
  • python fixcerts.py replace --certType data-encipherment --serviceRestart True [To restart all the services automatically post certificate replacement]
  • python fixcerts.py replace --certType data-encipherment --silent True --password "<sso admin password>" --serviceRestart True|False [for silent replacement without any user inputs]
  • python fixcerts.py replace --certType data-encipherment --force_encipherment_replace True|False [by default the script replaces the data-encipherment certificate only if it is expired; use this switch to override that]


Replace LookupService Certificate if a STS_INTERNAL_SSL_CERT store is available

  • python fixcerts.py replace --certType lookupservice
  • python fixcerts.py replace --certType lookupservice --serviceRestart True [To restart all the services automatically post certificate replacement]
  • python fixcerts.py replace --certType lookupservice --additionalSAN fqdn1,fqdn2 [if multiple hostnames are required in SAN, provide comma separated values for multiple FQDNs]
  • python fixcerts.py replace --certType lookupservice --silent True --password "<sso admin password>" --serviceRestart True|False [for silent replacement without any user inputs]
  • python fixcerts.py replace --certType lookupservice --validityDays <number between 1 to 3650> [To Customize the certificate validity, by default VMCA signs certificate with 2 year validity]
  • python fixcerts.py replace --certType lookupservice --keySize <2048/3072/4096> [To Customize the Key Length, by default VMCA signs certificate with 2048 as key size]


Replace expired Certificates from SMS store

  • python fixcerts.py replace --certType sms
  • python fixcerts.py replace --certType sms --serviceRestart True [To restart all the services automatically post certificate replacement]


Remove Non-CA Certificates from TRUSTED_ROOTS store, if any

  • python fixcerts.py remove --storeType trusted_roots --certType non-ca
  • python fixcerts.py remove --storeType trusted_roots --certType non-ca --serviceRestart True [To restart all the services automatically post certificate removal]


Remove expired Certificates from TRUSTED_ROOTS store, if any

  • python fixcerts.py remove --storeType trusted_roots --certType expired
  • python fixcerts.py remove --storeType trusted_roots --certType expired --serviceRestart True [To restart all the services automatically post certificate removal]


Update Thumbprint for VPXD Extensions (eam, rbd & imagebuilder)

  • python fixcerts.py update --ExtensionType all (to update thumbprint of all three extensions - eam, rbd & imagebuilder)
  • python fixcerts.py update --ExtensionType eam (to update thumbprint of only eam extension)
  • python fixcerts.py update --ExtensionType rbd (to update thumbprint of only rbd extension)
  • python fixcerts.py update --ExtensionType imagebuilder (to update thumbprint of only imagebuilder extension)



Attachments

fixcerts_1715175916536.py