vCenter Server or Platform Services Controller certificate validation error messages for external solutions in environments with an External Platform Services Controller (2121701)

Details

Some solutions, such as VMware vCenter Site Recovery Manager, VMware vSphere Replication, or VMware vCenter Support Assistant are always installed on a different machine than the associated vCenter Server system or Platform Services Controller that manages the certificates for the solution.

If you replace the Machine SSL certificate of a vCenter Server system or a Platform Services Controller in an environment with an External Platform Services Controller, a connection error results when the solution attempts to connect to the vCenter Server. The reason is that the vCenter Server and the Platform Services Controller present the new certificate, but the corresponding service registrations with the VMware Lookup Service are not updated. When solutions connect to vCenter Server or Platform Services Controller, they read the service registration, which includes the service URL and the sslTrust string, and validate the certificate the endpoint presents against that sslTrust value. By default, the sslTrust string is still the Base64-encoded old certificate even if you have replaced the certificate successfully, so the validation fails.

This KB article explains how to resolve the issue in environments with an External Platform Services Controller. 
Warning (vSphere 6.0 only):

If you are running a Platform Services Controller version 6.0 Windows installation, you must replace the lstoolutil.py file with the file included in this article before you run the ls_update_certs.py script. You do not have to replace the file if you are running vSphere 6.0 Update 1.

To replace the lstoolutil.py file:
  1. Back up the existing "%VMWARE_CIS_HOME%"\VMware Identity Services\lstool\scripts\lstoolutil.py file. By default, this location is C:\Program Files\VMware\vCenter Server\VMware Identity Services\lstool\scripts\.
  2. Download the attached 2121701_lstoolutil.py.zip file.
  3. Extract the lstoolutil.py file from the 2121701_lstoolutil.py.zip file into "%VMWARE_CIS_HOME%"\VMware Identity Services\lstool\scripts\, overwriting the existing file.

Solution

This issue is resolved in vCenter Server 6.0 Update 1b, available at VMware Downloads.  For more information, see VMware vCenter Server 6.0 Update 1b Release Notes.

Notes:
  • Installing vCenter Server 6.0 Update 1b on a system that is already affected does not resolve the issue until you replace the certificates again.
  • The update resolves the issue for certificate replacement with the Certificate Manager utility. It does not resolve the issue for certificate replacement from the Platform Services Controller UI.
To work around this issue for environments with an external Platform Services Controller, you must update the lookup service registration for both the vCenter Server system and the Platform Services Controller each time you replace a certificate. You update the service registration with the ls_update_certs.py script.

Notes:
  • Always run this script on the Platform Services Controller.
  • To run the script, you need the SHA-1 thumbprint of the old certificate and the file containing the new certificate, for whichever node (vCenter Server or Platform Services Controller) had its certificate replaced. Copy both certificates to the Platform Services Controller before you run the script.
  • Be sure to back up your existing certificates before you run the script.
  • Run this script each time you replace a certificate.

Solution Overview

How you run the script depends on where you replaced the Machine SSL certificate:

  • Certificate replaced on the Platform Services Controller only: run the script on the Platform Services Controller, passing in the thumbprint of the old Platform Services Controller certificate and the new Platform Services Controller certificate.
  • Certificate replaced on the vCenter Server system only: run the script on the Platform Services Controller, passing in the thumbprint of the old vCenter Server certificate and the new vCenter Server certificate.
  • Certificates replaced on both the vCenter Server system and the Platform Services Controller: run the script on the Platform Services Controller twice, once with the Platform Services Controller certificate pair and once with the vCenter Server certificate pair. Ideally, run it once right after you replace the Platform Services Controller certificate, and again after you replace the vCenter Server certificate.
 


Task 0: Validating the sslTrust Anchors for the PSC and vCenter 

Validating the sslTrust Anchors from Command Line on the PSC Appliance
  1. Log in to the External Platform Services Controller Appliance via SSH.
  2. Run this command to enable access to the Bash shell:

    shell.set --enabled true

  3. Type shell and press Enter.

    If you have replaced the SSL certificates on your Platform Services Controller(s):

    1. Run this command to get the current sslTrust anchor stored for the Platform Services Controller:

      /usr/lib/vmidentity/tools/scripts/lstool.py list --url https://localhost/lookupservice/sdk --no-check-cert --ep-type com.vmware.cis.cs.identity.sso 2>/dev/null

      For example:

      Note: The SSL trust was truncated for readability.

      Service Product: com.vmware.cis
      Service Type: cs.identity
      Service ID: 04608398-1493-4482-881b-b35961bf5141
      Site ID: vmware
      Owner ID: psc.vmware.local@vsphere.local
      Version: 2.0
      Endpoints:
      Type: com.vmware.cis.cs.identity.sso
      Protocol: wsTrust
      URL: https://homepsc.vmware.local/sts/STSService/vsphere.local
      SSL trust: MIIDWDCCAkCgAwIBAgIJANr+++MJ5+WxMA0GCSqGSIb3DQEBCwUAMGgxCzAJBgNV ... LqSKWg/apP1XlBV1VyC5LPZrH/rrq8+Naoj7i/P6HAzTwAAL+O10ggClaP8=

    2. Run this command to get the current SSL certificate used on port 443 on the Platform Services Controller:

      echo | openssl s_client -connect localhost:443

      For example:

      Note: The actual string was shortened significantly to improve readability.

      CONNECTED(00000003)
      depth=3 /DC=local/DC=VMWARE/CN=VMWARE-WCA-CA-1
      verify return:1
      depth=2 /DC=local/DC=VMWARE/CN=VMWARE-WCAI-CA-1
      verify return:1
      depth=1 /C=US/DC=vsphere/DC=local/O=psc.vmware.local/CN=CA
      verify return:1
      depth=0 /CN=psc.vmware.local/C=US
      verify return:1
      ---
      Certificate chain
      0 s:/CN=psc.vmware.local/C=US
      i:/C=US/DC=vsphere/DC=local/O=psc.vmware.local/CN=CA
      ---
      Server certificate
      -----BEGIN CERTIFICATE-----
      MIIDWDCCAkCgAwIBAgIJANr+++MJ5+WxMA0GCSqGSIb3DQEBCwUAMGgxCzAJBgNV
      ...
      LqSKWg/apP1XlBV1VyC5LPZrH/rrq8+Naoj7i/P6HAzTwAAL+O10ggClaP8=

      -----END CERTIFICATE-----

    3. If you have more than one Platform Services Controller in the vSphere domain, repeat the command using the FQDN of each remaining Platform Services Controller node, for example:

      echo | openssl s_client -connect psc2.vmware.local:443

    4. Compare the server certificate returned by openssl s_client with the SSL trust value returned by lstool.py list for each Platform Services Controller. If they match, you do not need to continue. If they do not match, proceed to Task 1: Retrieving the Old Certificate from the Managed Object Browser (MOB) to start updating the sslTrust anchors.

    If you have replaced the SSL certificates on your vCenter Server(s):
  1. Run this command to get the current sslTrust anchor stored for the vCenter Servers:

    /usr/lib/vmidentity/tools/scripts/lstool.py list --url https://localhost/lookupservice/sdk --no-check-cert --ep-type com.vmware.vim 2>/dev/null

    For example:

    Note: The SSL trust was truncated for readability.

    Name: AboutInfo.vpx.name
    Description: AboutInfo.vpx.name
    Service Product: com.vmware.cis
    Service Type: vcenterserver
    Service ID: e29107d1-565d-436e-a0ed-6ecf1eb613a7
    Site ID: site
    Node ID: ffd86dd8-3f01-11e5-a40a-0050569c12c2
    Owner ID: vpxd-e4cd5699-d2e4-497b-9f48-aee8e31abb6b@vsphere.local
    Version: 6.0
    Endpoints:
    Type: com.vmware.vim
    Protocol: vmomi
    URL: https://vcenter.vmware.local:443/sdk
    SSL trust: MIIDfjCCAmagAwIBAgIJAMLCByASkdjPMA0GCSqGSIb3DQEBCwUAMGgxCzAJBgNV...v2zUN54IrTl1lfAA8eb6Xy9miKsYZoYan5mgzb+GGD2yLw==

  2. Run this command to get the current SSL certificate used on port 443 on the vCenter Server:

    echo | openssl s_client -connect vcenter_server_FQDN:443

    Use this example as a model:

    Note: The actual string was shortened significantly to improve readability.

    CONNECTED(00000003)
    depth=3 /DC=local/DC=VMWARE/CN=VMWARE-WCA-CA-1
    verify return:1
    depth=2 /DC=local/DC=VMWARE/CN=VMWARE-WCAI-CA-1
    verify return:1
    depth=1 /C=US/DC=vsphere/DC=local/O=psc.vmware.local/CN=CA
    verify return:1
    depth=0 /CN=vcenter.vmware.local/C=US
    verify return:1
    ---
    Certificate chain
    0 s:/CN=vcenter.vmware.local/C=US
    i:/C=US/DC=vsphere/DC=local/O=psc.vmware.local/CN=CA
    1 s:/C=US/DC=vsphere/DC=local/O=psc.vmware.local/CN=CA
    i:/DC=local/DC=VMWARE/CN=VMWARE-WCAI-CA-1
    2 s:/DC=local/DC=VMWARE/CN=VMWARE-WCAI-CA-1
    i:/DC=local/DC=VMWARE/CN=VMWARE-WCA-CA-1
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIDfjCCAmagAwIBAgIJAMLCByASkdjPMA0GCSqGSIb3DQEBCwUAMGgxCzAJBgNV
    ...
    v2zUN54IrTl1lfAA8eb6Xy9miKsYZoYan5mgzb+GGD2yLw==

    -----END CERTIFICATE-----


  3. If you have more than one vCenter Server in the vSphere domain, repeat the command using the FQDN of each remaining vCenter Server node, for example:

    echo | openssl s_client -connect vcenter2.vmware.local:443

  4. Compare the server certificate returned by openssl s_client with the SSL trust value returned by lstool.py list for each vCenter Server. If they match, you do not need to continue. If they do not match, proceed to Task 1: Retrieving the Old Certificate from the Managed Object Browser (MOB) to start updating the sslTrust anchors.

Validating the sslTrust Anchors from the Command Line on a Windows PSC Installation
  1. Connect to the External Platform Services Controller using a remote desktop connection and administrator credentials.
  2. Click Start > Run, type cmd and click OK.
    If you have replaced the SSL certificates on your Platform Services Controller(s):
  1. Run this command to get the current sslTrust anchor stored for the Platform Services Controller:

    "%VMWARE_PYTHON_BIN%" "%VMWARE_CIS_HOME%\VMware Identity Services\lstool\scripts\lstool.py" list --url https://localhost/lookupservice/sdk --no-check-cert --ep-type com.vmware.cis.cs.identity.sso 2> NUL


    For example:

    Note: The SSL trust was truncated for readability.

    Service Product: com.vmware.cis
    Service Type: cs.identity
    Service ID: 04608398-1493-4482-881b-b35961bf5141
    Site ID: vmware
    Owner ID: psc.vmware.local@vsphere.local
    Version: 2.0
    Endpoints:
    Type: com.vmware.cis.cs.identity.sso
    Protocol: wsTrust
    URL: https://psc.vmware.local/sts/STSService/vsphere.local
    SSL trust: MIIDWDCCAkCgAwIBAgIJANr+++MJ5+WxMA0GCSqGSIb3DQEBCwUAMGgxCzAJBgNV ... LqSKWg/apP1XlBV1VyC5LPZrH/rrq8+Naoj7i/P6HAzTwAAL+O10ggClaP8=

  2. Run this command to get the current SSL certificate used on port 443 on the Platform Services Controller:

    "%VMWARE_OPENSSL_BIN%" s_client -connect localhost:443

    For example:

    CONNECTED(00000003)
    depth=3 /DC=local/DC=VMWARE/CN=VMWARE-WCA-CA-1
    verify return:1
    depth=2 /DC=local/DC=VMWARE/CN=VMWARE-WCAI-CA-1
    verify return:1
    depth=1 /C=US/DC=vsphere/DC=local/O=psc.vmware.local/CN=CA
    verify return:1
    depth=0 /CN=psc.vmware.local/C=US
    verify return:1
    ---
    Certificate chain
    0 s:/CN=psc.vmware.local/C=US
    i:/C=US/DC=vsphere/DC=local/O=psc.vmware.local/CN=CA
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIDWDCCAkCgAwIBAgIJANr+++MJ5+WxMA0GCSqGSIb3DQEBCwUAMGgxCzAJBgNV
    ...
    LqSKWg/apP1XlBV1VyC5LPZrH/rrq8+Naoj7i/P6HAzTwAAL+O10ggClaP8=

    -----END CERTIFICATE-----


  3. If you have more than one Platform Services Controller in the vSphere domain, repeat the command using the FQDN of each remaining Platform Services Controller node, for example:

    "%VMWARE_OPENSSL_BIN%" s_client -connect psc2.vmware.local:443

  4. Compare the server certificate returned by openssl s_client with the SSL trust value returned by lstool.py list for each Platform Services Controller. If they match, you do not need to continue. If they do not match, proceed to Task 1: Retrieving the Old Certificate from the Managed Object Browser (MOB) to start updating the sslTrust anchors.

    If you have replaced the SSL certificates on your vCenter Server(s):
  1. Run this command to get the current sslTrust anchor stored for the vCenter Servers:

    "%VMWARE_PYTHON_BIN%" "%VMWARE_CIS_HOME%\VMware Identity Services\lstool\scripts\lstool.py" list --url https://localhost/lookupservice/sdk --no-check-cert --ep-type com.vmware.vim 2> NUL

    For example:

    Note: The SSL trust was truncated for readability.


    Name: AboutInfo.vpx.name
    Description: AboutInfo.vpx.name
    Service Product: com.vmware.cis
    Service Type: vcenterserver
    Service ID: e29107d1-565d-436e-a0ed-6ecf1eb613a7
    Site ID: vmware
    Node ID: ffd86dd8-3f01-11e5-a40a-0050569c12c2
    Owner ID: vpxd-e4cd5699-d2e4-497b-9f48-aee8e31abb6b@vsphere.local
    Version: 6.0
    Endpoints:
    Type: com.vmware.vim
    Protocol: vmomi
    URL: https://vcenter.vmware.local:443/sdk
    SSL trust: MIIDfjCCAmagAwIBAgIJAMLCByASkdjPMA0GCSqGSIb3DQEBCwUAMGgxCzAJBgNV...v2zUN54IrTl1lfAA8eb6Xy9miKsYZoYan5mgzb+GGD2yLw==

  2. Execute the command to get the current SSL certificate used on port 443 on vCenter Server:

    "%VMWARE_OPENSSL_BIN%" s_client -connect vcenter_server_FQDN:443

    Use this example as a model:

    Note: The actual string was shortened significantly to improve readability.

    CONNECTED(00000003)
    depth=3 /DC=local/DC=VMWARE/CN=VMWARE-WCA-CA-1
    verify return:1
    depth=2 /DC=local/DC=VMWARE/CN=VMWARE-WCAI-CA-1
    verify return:1
    depth=1 /C=US/DC=vsphere/DC=local/O=psc.vmware.local/CN=CA
    verify return:1
    depth=0 /CN=vcenter.vmware.local/C=US
    verify return:1
    ---
    Certificate chain
    0 s:/CN=vcenter.vmware.local/C=US
    i:/C=US/DC=vsphere/DC=local/O=psc.vmware.local/CN=CA
    1 s:/C=US/DC=vsphere/DC=local/O=psc.vmware.local/CN=CA
    i:/DC=local/DC=VMWARE/CN=VMWARE-WCAI-CA-1
    2 s:/DC=local/DC=VMWARE/CN=VMWARE-WCAI-CA-1
    i:/DC=local/DC=VMWARE/CN=VMWARE-WCA-CA-1
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIDfjCCAmagAwIBAgIJAMLCByASkdjPMA0GCSqGSIb3DQEBCwUAMGgxCzAJBgNV
    ...
    v2zUN54IrTl1lfAA8eb6Xy9miKsYZoYan5mgzb+GGD2yLw==

    -----END CERTIFICATE-----


  3. If you have more than one vCenter Server in the vSphere domain, repeat the command using the FQDN of each remaining vCenter Server node, for example:

    "%VMWARE_OPENSSL_BIN%" s_client -connect vcenter2.vmware.local:443

  4. Compare the server certificate returned by openssl s_client with the SSL trust value returned by lstool.py list for each vCenter Server. If they match, you do not need to continue. If they do not match, proceed to Task 1: Retrieving the Old Certificate from the Managed Object Browser (MOB) to start updating the sslTrust anchors.
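The comparison in step 4 of each branch above is easy to get wrong by eye, because both the sslTrust value and the openssl output are long Base64 strings. The following Python script is an added illustration and is not part of this KB article or of any VMware tool. It parses the text printed by lstool.py list, strips the PEM armour from the certificate printed by openssl s_client (or read from a saved .crt file), and reports for each registered endpoint whether the registered anchor and the served certificate are the same DER, together with both SHA-1 thumbprints. It also looks up which registrations still carry a given thumbprint, a useful pre-check before you pass that thumbprint to ls_update_certs.py in Task 4. The embedded sample data is constructed: placeholder bytes stand in for real DER certificates, and the host names follow the examples in this article.

```python
"""Compare Lookup Service sslTrust anchors with the certificate each node serves.

Added example, not VMware code. Inputs are plain text: the output of
`lstool.py list ...` and, per host, the output of
`echo | openssl s_client -connect host:443` (or the contents of a .crt file).
"""
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der_b64(pem_text):
    """Base64 DER body of the first certificate in the text: openssl s_client
    prints the leaf before the chain, and the leaf is what sslTrust holds."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM certificate found")
    return "".join(m.group(1).split())  # drop newlines and indentation


def sha1_thumbprint(der_b64):
    """Colon-separated SHA-1 thumbprint, as `openssl x509 -fingerprint` prints it."""
    digest = hashlib.sha1(base64.b64decode(der_b64)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_lstool_list(text):
    """Collect type, url and ssl_trust for every endpoint in `lstool.py list` output.
    Each endpoint under "Endpoints:" is a run of "Type:", "Protocol:", "URL:" and
    "SSL trust:" lines; "Service Type:" is a different key and is not matched."""
    endpoints, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Type:"):
            if "ssl_trust" in current:
                endpoints.append(current)
            current = {"type": line.split(":", 1)[1].strip()}
        elif line.startswith("URL:"):
            current["url"] = line.split(":", 1)[1].strip()
        elif line.startswith("SSL trust:"):
            current["ssl_trust"] = "".join(line.split(":", 1)[1].split())
    if "ssl_trust" in current:
        endpoints.append(current)
    return endpoints


def check_anchors(lstool_text, served_pem):
    """One result per registered endpoint whose host is a key of served_pem
    (host name as in the endpoint URL -> text captured from openssl s_client)."""
    results = []
    for ep in parse_lstool_list(lstool_text):
        host = re.match(r"https?://([^/:]+)", ep["url"]).group(1)
        if host not in served_pem:
            continue
        live = pem_to_der_b64(served_pem[host])
        results.append({"url": ep["url"], "type": ep["type"],
                        "registered_thumbprint": sha1_thumbprint(ep["ssl_trust"]),
                        "served_thumbprint": sha1_thumbprint(live),
                        "match": ep["ssl_trust"] == live})
    return results


def registrations_with_thumbprint(lstool_text, thumbprint):
    """URLs whose registered sslTrust has this SHA-1 thumbprint. Use before Task 4:
    the --fingerprint given to ls_update_certs.py must still be registered."""
    wanted = thumbprint.replace(":", "").upper()
    return [ep["url"] for ep in parse_lstool_list(lstool_text)
            if sha1_thumbprint(ep["ssl_trust"]).replace(":", "") == wanted]


def as_pem(der_b64):
    """Wrap base64 DER at 64 columns between PEM markers (what openssl prints)."""
    body = "\n".join(der_b64[i:i + 64] for i in range(0, len(der_b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


# --- constructed sample data: placeholder bytes, NOT real certificates ---
OLD_PSC_B64 = base64.b64encode(b"old psc machine ssl certificate").decode()
NEW_PSC_B64 = base64.b64encode(b"new psc machine ssl certificate").decode()
VC_B64 = base64.b64encode(b"vcenter machine ssl certificate").decode()

SAMPLE_LSTOOL_OUTPUT = """\
Service Type: cs.identity
Endpoints:
Type: com.vmware.cis.cs.identity.sso
URL: https://psc.vmware.local/sts/STSService/vsphere.local
SSL trust: %s

Service Type: vcenterserver
Endpoints:
Type: com.vmware.vim
URL: https://vcenter.vmware.local:443/sdk
SSL trust: %s
""" % (OLD_PSC_B64, VC_B64)

# PSC re-certified (serves NEW) but still registered with OLD; vCenter untouched.
SAMPLE_SERVED = {
    "psc.vmware.local": "CONNECTED(00000003)\n---\nServer certificate\n" + as_pem(NEW_PSC_B64),
    "vcenter.vmware.local": as_pem(VC_B64),
}

if __name__ == "__main__":
    for r in check_anchors(SAMPLE_LSTOOL_OUTPUT, SAMPLE_SERVED):
        print("%s %s\n  registered %s\n  served     %s" % (
            "OK      " if r["match"] else "MISMATCH", r["url"],
            r["registered_thumbprint"], r["served_thumbprint"]))
```

To use it against a live system, save the lstool.py list output to one file and the openssl s_client output for each host to another, and pass their contents to check_anchors. On the appliance itself the same comparison can be done with openssl alone: pipe the s_client output through openssl x509 -noout -sha1 -fingerprint, and decode the SSL trust value with base64 -d | openssl x509 -inform der -noout -sha1 -fingerprint; the two fingerprints must be identical.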

Task 1: Retrieving the Old Certificate from the Managed Object Browser (MOB)

You can retrieve the old certificate for the vCenter Server system or the Platform Services Controller by connecting to the Platform Services Controller using the Managed Object Browser. You must find the sslTrust field of the matching entry in the ArrayOfLookupServiceRegistrationInfo managed object by performing this procedure:

  1. Create a directory to store the old certificates on the Platform Services Controller. For the guidance in this article, we will be using the following locations:

    Platform Services Controller Appliance /certificates/
    Platform Services Controller on Windows C:\certificates\

  2. To open the MOB, go to https://psc.example.com/lookupservice/mob?moid=ServiceRegistration&method=List in a browser.
  3. Log in with the administrator@vsphere.local username and password when prompted for credentials.
    If you are using a custom name for your vCenter Single Sign-On domain, use that user name and password.
  4. In the filterCriteria text field, modify the value field to show only the tags <filterCriteria></filterCriteria> and click Invoke Method.
    This displays the ArrayOfLookupServiceRegistrationInfo objects.
  5. Search for the following depending on which certificates are replaced:

    • vCenter Server: search (Ctrl+F) for vc_hostname_or_IP.example.com on the page.
    • Platform Services Controller: search (Ctrl+F) for psc_hostname_or_IP.example.com on the page.

  6. Find the value of the corresponding sslTrust field. The content of that field is the Base64 encoded string of the old certificate.

    Use the following examples as models when updating your Platform Services Controller or vCenter Server trust anchors.

    Note: The actual string was shortened significantly to improve legibility

    For vCenter Server:

    sslTrust   ArrayOfString   MIIDfjCCAmag...
    url        anyURI          https://vcenter.vmware.local:443/sdk

    For Platform Services Controller:

    sslTrust   ArrayOfString   MIIDfjCCAbad...
    url        anyURI          https://psc.vmware.local/sts/STSService/vsphere.local

  7. Copy the content of the sslTrust field into a text document. Save this document as old_machine.txt.
  8. Open the old_machine.txt in a text editor.
  9. Insert -----BEGIN CERTIFICATE----- on its own line before the string and -----END CERTIFICATE----- on its own line after it. Insert a line break after every 64 characters of the contents copied from the sslTrust field, so that the file is in standard PEM format; a single unbroken Base64 line may fail to parse.

    For Example:

    -----BEGIN CERTIFICATE-----
    LIIDeDCCAmCgAwIBAgIJAP7kGwWSSd0yMA0GCSqGSIb3DQEBCwUAMGgxCzAJBgNV
    PAMMAkNBMRcwFQYKCZImiZPyLGQBGRYHdnNwaGVyZTEVMBMGCgmSJomT8ixkARkW
    QWxvY2FsMQswCQYDVQQGEwJVUzEcMBoGA1UECgwTaG9tZXBzYy5mcml0ei5sb2Nh
    NDAeFw0xNTA4MTAwMDMwMjZaFw0yNTA4MDQwMDMwMjVaMCsxHDAaBgNVBAMME2hv
    HWVwc2MuZnJpdHoubG9jYWwxCzAJBgNVBAYTAlVTMIIBIjANBgkqhkiG9w0BAQEF
    LAOCAQ8AMIIBCgKCAQEAzuf/uVMLwlkUKsMXsUPigqZdrXKzEOEzOQ04q8YgVvDX
    w7MAPSTMZzeUsI6P+/4doZU14zAQTl/6dnbwYg65p9mv7CVJb4QgAJH9xFD+33Ab
    aQX7za/bWPgyxsPtccnn+si8QQDx9mMZbDzF0gjdARvpKWwVv4lln8iZ8wUahyC7
    bxnzc5/oWo4Z3DTruHMnvadHRZWzZTn8YeID06R2g8Yu5c50wXbAvNj3TE4x0Qyv
    fUbABXvv2EdYC5tb3g++L6A6tuWYgl+dr4KJ1G5gLvliECAsWsMwtQXq5nH65JdV
    XvRUVIlajC9OavGkd+ziT3yRibJBu2NJrLQp7ehgmQIDAQABo2IwYDAeBgNVHREE
    FzAVghNob21lcHNjLmZyaXR6LmxvY2FsMB0GA1UdDgQWBBSaRwv8djR7+qg7Wk3A
    zib3C3ArljAfBgNVHSMEGDAWgBRkYn4wsyRye8o14OoE3AOTMus6rzANBgkqhkiG
    9w0BAQsFAAOCAQEAU3X/ZEDXO8yDRJkjrQH0acxoc76QRDv+3s6yCpPFU8HmqU1E
    LmoDq67rHoKZw5ziBR/lGHn5oVHYYuJRFdO/b8NO1t2MnedhAaenqmAr4v0FzH6K
    UCgiLq8+ZMPFBz3qFu2i0I8mG6Yy0ud9T4wWUabgZ1C3sDNkQ+NLHXKVxNrPwgQd
    3KyrNpXgBQ0+ZWY3xvvdW5yOwnWkeAeqnGRYvzifG9M6DK/YMP1S/akAJvXSgEkJ
    PEJ3vlvSRy7l2lvU19upt4O/BAk3ZJ+X5uFtv/4GMdbEVZBCmNDS7Y85NorISiQf
    AVy/R2wjP4rNWDfN9DMCcwfPvw/0nFwrpr+0Cg==
    -----END CERTIFICATE-----


  10. Save old_machine.txt as old_machine.crt.
  11. Move or upload (via WinSCP or another SCP client) the certificate to the Platform Services Controller to the location created in Step 1:

    Note: SCP is disabled by default, for more information see Error when uploading files to vCenter Server Appliance using WinSCP (2107727)

    Platform Services Controller Appliance /certificates/old_machine.crt
    Platform Services Controller on Windows C:\certificates\old_machine.crt
You can now extract the thumbprint from this certificate. Proceed to Task 2.
 

Task 2: Extracting the Thumbprint from the Old Certificate

You can extract the thumbprint from the command line or by using a certificate viewer tool. After you extract the certificate, you can upload it to the Platform Services Controller.

Extracting the Thumbprint from the Command Line on the Appliance
  1. Log in to the External Platform Services Controller Appliance via SSH.
  2. Run this command to enable access to the Bash shell:

    shell.set --enabled true

  3. Enter shell and press Enter.
  4. Run this command to get the thumbprint:

    openssl x509 -in /certificates/old_machine.crt -noout -sha1 -fingerprint

  5. You see an output similar to:

    SHA1 Fingerprint=13:1E:60:93:E4:E6:59:31:55:EB:74:51:67:2A:99:F8:3F:04:83:88

    The thumbprint is the sequence of hexadecimal digits that follows the equal sign.

Extracting the Thumbprint from the Command Line on a Windows Installation
  1. Make a remote desktop connection to the External Platform Services Controller.
  2. Open an administrative command prompt.
  3. Run this command to get the thumbprint:

    "%VMWARE_OPENSSL_BIN%" x509 -in c:\certificates\old_machine.crt -noout -sha1 -fingerprint

  4. You see an output similar to:

    SHA1 Fingerprint=13:1E:60:93:E4:E6:59:31:55:EB:74:51:67:2A:99:F8:3F:04:83:88

    The thumbprint is the sequence of numbers and letters that follow the equal sign.

Extracting the Thumbprint Using a Certificate Viewer Tool

You can extract the thumbprint by performing these steps:
  1. Open the file with a certificate viewer tool. In Windows, double-click the file to open it in Windows Certificate Viewer.
  2. Get the SHA1 Thumbprint string. In Windows Certificate Viewer, select the SHA1 Thumbprint field.
  3. Copy the thumbprint string into a plain text editor and replace the spaces with colons or remove the spaces from the string.

    Note: With some text editors and with the Windows Certificate Viewer, an invisible character (typically a left-to-right mark, U+200E) is copied before the first character of the thumbprint. Delete the first character of the thumbprint and any associated spaces, then type, not paste, the character.
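Step 9 of Task 1 (building a PEM file from the sslTrust value) and the thumbprint extraction in this task can be done together, with less room for copy-and-paste error. The following Python script is an added illustration and is not part of this KB article or its attachment. It keeps only the Base64 characters of whatever was copied from the MOB (discarding line breaks, a UTF-8 byte order mark and the invisible characters mentioned in the note above), rejects input that is not valid Base64, wraps the result at 64 columns between the PEM markers, writes old_machine.crt, and computes the SHA-1 thumbprint in the colon-separated form that ls_update_certs.py takes as --fingerprint. It also normalises a thumbprint pasted from the Windows Certificate Viewer. The file name ssltrust_to_crt.py and the sample values are assumptions; the sample sslTrust is Base64 of placeholder bytes, not a real certificate.

```python
"""Build old_machine.crt from a MOB sslTrust value and print its SHA-1 thumbprint.

Added example, not part of the KB article or its attachment. Assumed usage:
    python ssltrust_to_crt.py old_machine.txt /certificates/old_machine.crt
where old_machine.txt holds the text copied from the sslTrust field.
"""
import base64
import hashlib
import re
import sys

NOT_B64 = re.compile(r"[^A-Za-z0-9+/=]")
NOT_HEX = re.compile(r"[^0-9A-Fa-f]")
BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"


def clean_ssltrust(raw):
    """Keep only Base64 characters: drops line breaks, indentation, a BOM or other
    invisible characters an editor may add, and PEM markers if already present.
    Raises ValueError (binascii.Error) if what is left is not valid Base64."""
    body = NOT_B64.sub("", raw.replace(BEGIN, "").replace(END, ""))
    base64.b64decode(body, validate=True)
    return body


def to_pem(der_b64):
    """PEM armour with the 64-column line breaks of standard PEM."""
    lines = [der_b64[i:i + 64] for i in range(0, len(der_b64), 64)]
    return BEGIN + "\n" + "\n".join(lines) + "\n" + END + "\n"


def sha1_thumbprint_from_pem(pem):
    """Same value as `openssl x509 -noout -sha1 -fingerprint`, without the label."""
    digest = hashlib.sha1(base64.b64decode(clean_ssltrust(pem))).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_thumbprint(pasted):
    """Thumbprint copied from a certificate viewer -> colon-separated upper case.
    Accepts "13 1e 60 ..." (Windows Certificate Viewer, possibly with an invisible
    leading character), "13:1E:60:..." or a full "SHA1 Fingerprint=..." line."""
    hexstr = NOT_HEX.sub("", pasted.split("=", 1)[-1]).upper()
    if len(hexstr) != 40:
        raise ValueError("expected 40 hex digits for a SHA-1 thumbprint, got %d" % len(hexstr))
    return ":".join(hexstr[i:i + 2] for i in range(0, 40, 2))


def write_crt(ssltrust_text, out_path):
    """Write the PEM file and return its SHA-1 thumbprint."""
    pem = to_pem(clean_ssltrust(ssltrust_text))
    with open(out_path, "w") as fh:
        fh.write(pem)
    return sha1_thumbprint_from_pem(pem)


# Constructed sample input: Base64 of placeholder bytes (NOT a real certificate)
# as it might look after an editor added a BOM and a trailing line break, and a
# thumbprint as pasted from the Windows Certificate Viewer with a leading U+200E.
SAMPLE_SSLTRUST = "\ufeff" + base64.b64encode(b"old-vcenter-machine-ssl-cert").decode() + "\n"
SAMPLE_PASTED_THUMBPRINT = "\u200e13 1e 60 93 e4 e6 59 31 55 eb 74 51 67 2a 99 f8 3f 04 83 88"

if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8") as fh:
            print("SHA1 Fingerprint=" + write_crt(fh.read(), sys.argv[2]))
    else:
        pem = to_pem(clean_ssltrust(SAMPLE_SSLTRUST))
        print(pem + "SHA1 Fingerprint=" + sha1_thumbprint_from_pem(pem))
        print(normalize_thumbprint(SAMPLE_PASTED_THUMBPRINT))
```

Run it on the Platform Services Controller with the text file from step 7 of Task 1 as the first argument and the output path from step 1 of Task 1 as the second (on Windows, start it with "%VMWARE_PYTHON_BIN%" and use C:\certificates\old_machine.crt). The thumbprint it prints is the same value openssl x509 -noout -sha1 -fingerprint prints for the written file, so the openssl command above remains a valid cross-check.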

Proceed to Task 3 to retrieve the new certificate.

Task 3: Retrieving the New Certificate

Depending on the replacement you are performing, you need the new vCenter Server certificate, the new Platform Services Controller certificate, or both. See Solution Overview above.

If you did not archive the new certificate, you can retrieve it using vecs-cli:
 
Retrieving the New Certificate from the Appliance
  1. Log in to the vCenter Server or External Platform Services Controller Appliance through the console or an SSH session.
  2. Run this command to enable access to the Bash shell:

    shell.set --enabled true

  3. Enter shell and press Enter.
  4. Run this command to view the new certificate:

    /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store MACHINE_SSL_CERT --text

  5. Run this command to export the new certificate to a file:

    /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output /certificates/new_machine.crt

  6. If you retrieved a vCenter Server certificate, move or upload it (via WinSCP or another SCP client) to the Platform Services Controller before you run the script.
 
Retrieving the New Certificate on a Windows Installation
  1. Connect with remote desktop to the vCenter Server or External Platform Services Controller using administrative credentials.
  2. Open an administrative command prompt.
  3. Run this command to view the new certificate:

    "%VMWARE_CIS_HOME%"\vmafdd\vecs-cli entry list --store MACHINE_SSL_CERT --text |more

  4. Run this command to export the new certificate to a file:

    "%VMWARE_CIS_HOME%"\vmafdd\vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output c:\certificates\new_machine.crt

  5. If you just retrieved a vCenter Server certificate, move or upload it (via WinSCP or another SCP client) to the Platform Services Controller before you run the script.
Proceed to Task 4 to run the ls_update_certs.py script with the information gathered in Tasks 1 through 3.


Task 4: Running the ls_update_certs.py Script

Run the ls_update_certs.py script on the Platform Services Controller. To run it successfully, you must have both the thumbprint of the old vCenter Server or Platform Services Controller certificate and the file containing the new vCenter Server or Platform Services Controller certificate.
 
Note: If the password that you supply includes special characters or spaces, surround it with quotes ("pass word").
 
Warning: You cannot undo the actions of this script. Perform a backup or a snapshot of the virtual machine so you can recover if problems result.
 
Running ls_update_certs.py on the Appliance

The ls_update_certs script is located at /usr/lib/vmidentity/tools/scripts/ls_update_certs.py.

  1. Log in to the External Platform Services Controller Appliance through the console or an SSH session.
  2. Run this command to enable access to the Bash shell:

    shell.set --enabled true

  3. Type shell and press Enter.
  4. Change directories to /usr/lib/vmidentity/tools/scripts/ with the following command:

    cd /usr/lib/vmidentity/tools/scripts/

  5. Run this command:

    python ls_update_certs.py --url Lookup_Service_URL_of_Platform_Services_Controller --fingerprint Old_Certificate_Fingerprint_from_Task_2 --certfile New_Certificate_Path_from_Task_3 --user Administrator@vsphere.local --password "Password"

    For example (do not copy the fingerprint used in this example):

    python ls_update_certs.py --url https://psc.vmware.com/lookupservice/sdk --fingerprint 11:11:AF:D8:CF:27:6B:EF:F7:49:20:3E:D7:90:8C:F6:A0:A2:E2:30 --certfile /certificates/new_machine.crt --user Administrator@vsphere.local --password "Password"
 
Running ls_update_certs.py on a Platform Services Controller Windows Installation
  1. Make a remote desktop connection to the External Platform Services Controller.
  2. Open an administrative command prompt.
  3. Change directories to C:\Program Files\VMware\vCenter Server\VMware Identity Services\lstool\scripts\ with this command:

    cd C:\Program Files\VMware\vCenter Server\VMware Identity Services\lstool\scripts\

  4. Run this command:

    "%VMWARE_PYTHON_BIN%" ls_update_certs.py --url Lookup_Service_URL_of_Platform_Services_Controller --fingerprint Old_Certificate_Fingerprint_from_Task_2 --certfile New_Certificate_Path_from_Task_3 --user Username --password Password

    For example (do not copy the fingerprint used in this example):

    "%VMWARE_PYTHON_BIN%" ls_update_certs.py --url https://psc.vmware.com/lookupservice/sdk --fingerprint 13:1E:60:93:E4:E6:59:31:55:EB:74:51:67:2A:99:F8:3F:04:83:88 --certfile c:\certificates\new_machine.crt --user Administrator@vsphere.local --password Password

Once completed, repeat Task 0 to ensure that your PSC and vCenter endpoints are updated.


Additional Information

Syntax for ls_update_certs.py
Run the script using this syntax:

python ls_update_certs.py --url LS_URL --fingerprint OLD_CERT_SHA1_HASH --certfile NEW_CERT_PEM_FILEPATH --user USER --password PASSWORD

LS_URL
  Lookup service URL. On the External Platform Services Controller, use the following URL as a model:
  https://external_platform_services_controller_FQDN.example.com/lookupservice/sdk

OLD_CERT_SHA1_HASH
  SHA-1 thumbprint of the certificate that vCenter Server or Platform Services Controller used before certificate replacement, acquired in Task 2.
  First, retrieve the old certificate:
  • If possible, download the current certificate from the vCenter Server system before you perform certificate replacement. For more information, see How to download and install vCenter Server root certificates to avoid Web Browser certificate warnings (2108294).
  • Otherwise, follow the process in Task 1: Retrieving the Old Certificate from the Managed Object Browser (MOB).
  • If you performed only one certificate replacement operation, you can instead use the process in Retrieving the Old Certificate from the BACKUP_STORE, listed under Additional Information.
  Then extract the thumbprint from the old certificate as described in Task 2.

  Note: Attempting to find the old vCenter Server certificate in the filesystem is not recommended.

NEW_CERT_PEM_FILEPATH
  PEM-encoded file of the new vCenter Server or Platform Services Controller machine SSL certificate, acquired in Task 3.
  Use the file that you just passed in as part of certificate replacement.
  If you no longer have that file, use the process in Task 3: Retrieving the New Certificate.

  Note: Attempting to find the new vCenter Server certificate in the filesystem is not recommended.

USER and PASSWORD
  User with administrator privileges for vCenter Single Sign-On, for example administrator@vsphere.local.


Retrieving the Old Certificate from the BACKUP_STORE
 
If you are using the vSphere Certificate Manager utility, you can retrieve the old machine SSL certificate from the BACKUP_STORE inside VECS.

Note: The BACKUP_STORE keeps only the last certificate. If you performed multiple replacement actions, retrieve the certificate from the MOB instead, as described in Task 1 above.

On the vCenter Server Appliance, you retrieve the old certificate thumbprint:
  1. Run this command and confirm that the entry with the alias bkp___MACHINE_CERT is the previous Machine SSL certificate (check its subject and validity dates):

    /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store BACKUP_STORE --text

  2. Run this command to export the bkp___MACHINE_CERT entry from the BACKUP_STORE:

    /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store BACKUP_STORE --alias bkp___MACHINE_CERT --output /certificates/old_machine.crt

  3. Run this command to output the thumbprint:

    openssl x509 -in /certificates/old_machine.crt -noout -sha1 -fingerprint

    You see output similar to:

    SHA1 Fingerprint=11:41:9F:D8:CF:27:6B:EA:F7:49:20:3E:D7:90:8C:F6:A0:62:E1:31

On a vCenter Server Windows system, you retrieve the old certificate as follows:

  1. Run this command and confirm that the entry with the alias bkp___MACHINE_CERT is the previous Machine SSL certificate (check its subject and validity dates):

    "%VMWARE_CIS_HOME%"\vmafdd\vecs-cli entry list --store BACKUP_STORE --text | more

  2. Run this command to export the bkp___MACHINE_CERT entry from the BACKUP_STORE:

    "%VMWARE_CIS_HOME%"\vmafdd\vecs-cli entry getcert --store BACKUP_STORE --alias bkp___MACHINE_CERT --output c:\certificates\old_machine.crt

  3. Run this command to output the thumbprint:

    "%VMWARE_OPENSSL_BIN%" x509 -in c:\certificates\old_machine.crt -noout -sha1 -fingerprint

    You see output similar to:

    SHA1 Fingerprint=11:41:9F:D8:CF:27:6B:EA:F7:49:20:3E:D7:90:8C:F6:A0:62:E1:31
