vCenter 7.0 Certificate Renewal

1. Overview

In vCenter 7.0 the certificates issued by VMCA are valid for two years by default. They have to be renewed manually on the vCenter before they expire; once they have lapsed, the vSphere Client (web UI) can no longer log in. The corresponding certificate error is visible in the vCenter events.

Note: take a snapshot of the VCSA virtual machine before renewing any certificate, so the operation can be rolled back if a service fails to come up afterwards.

2. Renewing __MACHINE_CERT from the vSphere Client

Open the menu on the left, go to Administration, then Certificates, then Certificate Management. The certificate to renew is __MACHINE_CERT (the Machine SSL certificate); click Renew. After the renewal completes, restart all vCenter services from the appliance shell (service-control --stop --all, then service-control --start --all).

This only renews the Machine SSL certificate; the solution user and other certificates are still close to expiry, as the check below shows.

3. Renewing the remaining certificates from the command line

Traditional method

Check the current state of the server certificates. The loop below lists every VECS store except the CRL store and prints each entry's alias together with its expiry date:

```
for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do
    echo "[*] Store : $store"
    /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store "$store" --text | grep -ie "Alias" -ie "Not After"
done
```

Apart from __MACHINE_CERT, the remaining certificates are still about to expire.

vCenter ships the certificate-manager tool for renewing certificates. Note that the built-in certificate-manager only handles the Machine SSL, solution user and VMCA root certificates; it cannot renew the STS signing certificate.

Run /usr/lib/vmware-vmca/bin/certificate-manager and choose option 3 (Replace Machine SSL certificate with VMCA Certificate). The session below is reproduced with the environment-specific values masked:

```
root@***** [ ~ ]# /usr/lib/vmware-vmca/bin/certificate-manager
                 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
                |                                                                     |
                |      *** Welcome to the vSphere 7.0 Certificate Manager  ***        |
                |                                                                     |
                |                   -- Select Operation --                            |
                |                                                                     |
                |      1. Replace Machine SSL certificate with Custom Certificate     |
                |                                                                     |
                |      2. Replace VMCA Root certificate with Custom Signing           |
                |         Certificate and replace all Certificates                    |
                |                                                                     |
                |      3. Replace Machine SSL certificate with VMCA Certificate       |
                |                                                                     |
                |      4. Regenerate a new VMCA Root Certificate and                  |
                |         replace all certificates                                    |
                |                                                                     |
                |      5. Replace Solution user certificates with                     |
                |         Custom Certificate                                          |
                |         NOTE: Solution user certs will be deprecated in a future    |
                |         release of vCenter. Refer to release notes for more details.|
                |                                                                     |
                |      6. Replace Solution user certificates with VMCA certificates   |
                |                                                                     |
                |      7. Revert last performed operation by re-publishing old        |
                |         certificates                                                |
                |                                                                     |
                |      8. Reset all Certificates                                      |
                |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|

Note : Use Ctrl-D to exit.
Option[1 to 8]: 3
Please provide valid SSO and VC privileged user credential to perform certificate operations.
Enter username [Administrator@vsphere.local]:
Enter password:
Incorrect Password! Try Again! (2 attempt/s left)
Password:
Please configure certool.cfg with proper values before proceeding to next step.
```
```
Press Enter key to skip optional parameters or use Default value.
Enter proper value for 'Country' [Default value : US] :
Enter proper value for 'Name' [Default value : CA] :
Enter proper value for 'Organization' [Default value : VMware] : *****.*****.com
Enter proper value for 'OrgUnit' [optional] : VMware Engineering
Enter proper value for 'State' [Default value : California] :
Enter proper value for 'Locality' [Default value : Palo Alto] :
Enter proper value for 'IPAddress' (Provide comma separated values for multiple IP addresses) [optional] : ***.**.**.**
Enter proper value for 'Email' [Default value : email@acme.com] :
Enter proper value for 'Hostname' (Provide comma separated values for multiple Hostname entries) [Enter valid Fully Qualified Domain Name(FQDN), For Example : example.domain.com] : *****.****.com
Enter proper value for VMCA 'Name' :
VMCA Name should not be empty, please enter valid VMCA Name.
Enter proper value for VMCA 'Name' : VMCA
You are going to regenerate Machine SSL cert using VMCA
Continue operation : Option[Y/N] ? : y
Status : 100% Completed [All tasks completed successfully]
```

Running the expiry check again shows that several certificates are still close to expiry and need the dedicated script described below. Entries in BACKUP_STORE, and any alias prefixed with bkp_, are backup copies and can be ignored:

```
[*] Store : MACHINE_SSL_CERT
Alias : __MACHINE_CERT
Not After : Mar 11 08:21:40 2028 GMT
[*] Store : TRUSTED_ROOTS
Alias : 5f6bc5e2bb2c526b199643ed3403d42b961700d9
Not After : Mar 22 08:17:39 2034 GMT
Alias : f113363bc67cd81e62d0a5034139d635d5a4f8de
Not After : Mar 28 04:13:49 2034 GMT
[*] Store : machine
Alias : machine
Not After : Apr  2 04:03:51 2026 GMT
[*] Store : vsphere-webclient
Alias : vsphere-webclient
Not After : Apr  2 04:03:51 2026 GMT
[*] Store : vpxd
Alias : vpxd
Not After : Apr  2 04:03:52 2026 GMT
[*] Store : vpxd-extension
Alias : vpxd-extension
Not After : Apr  2 04:03:53 2026 GMT
[*] Store : hvc
Alias : hvc
Not After : Apr  2 04:03:53 2026 GMT
[*] Store : data-encipherment
Alias : data-encipherment
Not After : Apr  2 04:03:54 2026 GMT
[*] Store : APPLMGMT_PASSWORD
[*] Store : SMS
Alias : sms_self_signed
Not After : Mar 27 08:22:00 2034 GMT
[*] Store : wcp
Alias : wcp
Not After : Apr  2 04:03:54 2026 GMT
[*] Store : BACKUP_STORE
Alias : __MACHINE_CERT
Not After : Apr  2 04:03:50 2026 GMT
Alias : bkp___MACHINE_CERT
Not After : Mar  3 01:23:40 2028 GMT
Alias : bkp_machine
Not After : Apr  2 04:03:51 2026 GMT
Alias : bkp_vsphere-webclient
Not After : Apr  2 04:03:51 2026 GMT
Alias : bkp_vpxd
Not After : Apr  2 04:03:52 2026 GMT
Alias : bkp_vpxd-extension
Not After : Apr  2 04:03:53 2026 GMT
Alias : bkp_hvc
Not After : Apr  2 04:03:53 2026 GMT
Alias : bkp_wcp
Not After : Apr  2 04:03:54 2026 GMT
```

Renewing certificates with vCert

Because both the traditional certificate-manager tool and renewing directly in the web UI run into various problems, VMware provides the vCert tool for renewing the related certificates. Usage is described at https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/ReleaseAnnouncements/Announcing-availability-of-vCert—Automated-Replacement-of-Expired-Certificates-on-vCenter-Server/25435

vCert is a script for automated certificate management and replacement on vCenter Server. It checks certificate status, validates the trust chain between certificates and services, cleans up invalid certificates, and replaces certificates automatically when they are expiring or already expired. It currently supports vCenter 7.x and 8.x and covers essentially every certificate-related task:

- Check current certificate status
- View certificate information
- Manage certificates
- Manage SSL trust anchors
- Check certificate-related configuration
- Use VMCA-signed certificates
- Reset all certificates
- Certificate operations on ESXi hosts
- Restart services
- Generate a certificate report

Downloading and installing vCert

Open the official KB article https://knowledge.broadcom.com/external/article?articleNumber=385107, scroll to the bottom, and download the script attached to the article.

Uploading vCert

The VCSA's SFTP endpoint is not a standard SFTP subsystem, so in the SFTP client's connection settings the SFTP server must be set to shell /usr/libexec/sftp-server. After uploading the archive:

```
# unzip -q vCert-6.0.1-20250516.zip
# cd vCert-6.0.1-20250516
# chmod +x vCert.py
# ./vCert.py
```

Checking the current certificate status

Choose 1 (Check current certificate status):

```
Please enter a Single Sign-On administrator account [administrator@vsphere.local]:
Please provide the password for administrator@vsphere.local:

Checking Certificate Status
-----------------------------------------------------------------
Checking Machine SSL certificate                              VALID
Checking Machine SSL CSR                                      EXPIRED
Checking Solution User certificates:
   machine                                                    VALID
   vsphere-webclient                                          VALID
   vpxd                                                       VALID
   vpxd-extension                                             VALID
   hvc                                                        VALID
   wcp                                                        VALID
Checking SMS self-signed certificate                          VALID
Checking data-encipherment certificate                        20 DAYS
Checking Authentication Proxy certificate                     VALID
Checking Auto Deploy CA certificate                           NO SKID
Checking BACKUP_STORE entries:
   __MACHINE_CERT                                             20 DAYS
   bkp___MACHINE_CERT                                         VALID
   bkp_machine                                                VALID
   bkp_vsphere-webclient                                      VALID
   bkp_vpxd                                                   VALID
   bkp_vpxd-extension                                         VALID
   bkp_hvc                                                    VALID
   bkp_wcp                                                    VALID
Checking VMCA certificate                                     VALID

Checking STS Signing Certs/Signing Chains
-----------------------------------------------------------------
Checking TenantCredential-1:
   TenantCredential-1 signing certificate                     VALID
   TenantCredential-1 CA certificate                          VALID
Checking TrustedCertChain-1:
   TrustedCertChain-1 signing certificate                     VALID
   TrustedCertChain-1 CA certificate                          VALID

Checking CA certificates in VMDir [by CN(id)]
-----------------------------------------------------------------
   535DBF560300215B3E650902AC69270C571C37CF                   VALID
   63800FD081852C0C239E849C0EEB36711E6C8099                   VALID
   254B09F937A7DAA2C4D98E28C1C110292F50313D                   VALID
   5CC0AE722A14C4A475AB6A97AA167A841B86EB4F                   VALID

Checking CA certificates in VECS [by Alias]
-----------------------------------------------------------------
   5f6bc5e2bb2c526b199643ed3403d42b961700d9                   VALID
   f113363bc67cd81e62d0a5034139d635d5a4f8de                   VALID
   190195ab99288668eef6846dbe0bb1df0ad6edf0                   VALID
   e57a3f01f06bb6c0ded89f1709469af2bb1deaa0                   VALID

Checking VECS Stores
-----------------------------------------------------------------
Checking status and permissions for VECS stores:
   MACHINE_SSL_CERT                                           OK
   TRUSTED_ROOTS                                              OK
   TRUSTED_ROOT_CRLS                                          OK
   machine                                                    OK
   vsphere-webclient                                          OK
   vpxd                                                       OK
   vpxd-extension                                             OK
   SMS                                                        OK
   APPLMGMT_PASSWORD                                          OK
   (the remaining store lines are garbled in the captured output)

Checking AD over LDAPS certificates
-----------------------------------------------------------------
Domain: mtrhz.com

Checking SSL Trust Anchors
-----------------------------------------------------------------
l5dtvc.mtrhz.com                                              VALID

Checking vCenter Extension Thumbprints
-----------------------------------------------------------------
com.vmware.rbd (vpxd-extension)                               MATCHES
com.vmware.vcIntegrity (vpxd-extension)                       MATCHES
com.vmware.vim.eam (vpxd-extension)                           MATCHES
com.vmware.vmcam (Authentication Proxy)                       MATCHES
com.vmware.vsan.health (Machine SSL)                          MATCHES

Checking VMCA Configurations in VCDB
-----------------------------------------------------------------
vpxd.certmgmt.certs.cn.country                                US
vpxd.certmgmt.certs.cn.email                                  vmca@vmware.com
vpxd.certmgmt.certs.cn.localityName                           Palo Alto
vpxd.certmgmt.certs.cn.organizationalUnitName                 VMware Engineering
vpxd.certmgmt.certs.cn.organizationName                       VMware
vpxd.certmgmt.certs.cn.state                                  California
vpxd.certmgmt.mode                                            vmca

Checking STS Server Configuration
-----------------------------------------------------------------
Checking VECS store configuration                             OK
Checking STS ConnectionStrings                                OK

------------------------!!! Attention !!!------------------------
 - One or more certificates are expired
 - One or more certificates are expiring within 30 days
 - One or more CA certificates is missing the Subject Key ID extension
```

After all of the steps above, three entries are still flagged (one expired, two expiring within 30 days):

- Machine SSL CSR: this entry is created automatically when a certificate signing request is generated from the vCenter certificate management UI. It is not removed when it expires and has to be deleted manually.
- data-encipherment: this certificate must be renewed with the fix script described below.
- __MACHINE_CERT in BACKUP_STORE: the backup copy of the previous Machine SSL certificate written during renewal; it can be ignored.

vCert covers the renewals performed earlier through the vSphere Client and the traditional command line. Note that all the certificates renewed through those two paths can also be renewed in one pass from vCert: choose **6. Reset all certificates with VMCA-signed certificates** and follow the prompts.

Deleting the Machine SSL CSR

Reference: https://knowledge.broadcom.com/external/article/375304/delete-an-expired-csr-from-machine_ssl_c.html. The expired CSR is removed with a single command:

```
/usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store MACHINE_SSL_CERT --alias __MACHINE_CSR -y
```

Renewing the data-encipherment certificate separately

Reference: https://knowledge.broadcom.com/external/article?articleNumber=322249. Download the fix script attached at the bottom of the article, upload it to the VCSA, and run:

```
python fixcerts_3_2.py replace --certType data-encipherment
```

4. Verification

This completes the certificate renewal. Run vCert option 1 (Check current certificate status) once more to confirm that no certificate is reported as expired or expiring.
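The vecs-cli loop in section 3 and the final vCert check both answer the same question: which VECS entries are expired or about to expire. As an added example (not code from the original post, from VMware or from the vCert project), the script below turns that loop into a small report that classifies every certificate the way vCert does, as EXPIRED, "<n> DAYS" or VALID, and generalizes to any store vecs-cli lists. It assumes GNU date (present on the Photon OS that VCSA runs) and vecs-cli at its standard path; the vecs-cli output embedded in demo_report is constructed from the expiry listing shown in this post and evaluated as of 2026-03-13, the date implied by vCert's "20 DAYS" result.

```bash
#!/bin/bash
# Added example, not part of the original post: report VECS entries that are
# expired or expiring soon, so a renewal can be scheduled before the vSphere
# Client stops accepting logins. Parses the text form of
#   vecs-cli entry list --store <store> --text
# Assumes GNU date (Photon OS / most Linux) and the standard vecs-cli path.

VECS_CLI=/usr/lib/vmware-vmafd/bin/vecs-cli
WARN_DAYS=${WARN_DAYS:-30}   # flag anything expiring within this many days

# classify_expiry "<Not After value>" "<reference date>"
# Prints EXPIRED, "<n> DAYS" (n <= WARN_DAYS), or VALID. Expiry is compared in
# seconds so a cert that lapsed earlier the same day is EXPIRED, not "0 DAYS".
classify_expiry() {
    exp_s=$(date -u -d "$1" +%s) || return 1
    ref_s=$(date -u -d "$2" +%s) || return 1
    if [ "$exp_s" -lt "$ref_s" ]; then
        echo EXPIRED
    else
        days=$(( (exp_s - ref_s) / 86400 ))
        if [ "$days" -le "$WARN_DAYS" ]; then echo "$days DAYS"; else echo VALID; fi
    fi
}

# scan_entries <store> <reference date>   (vecs-cli --text output on stdin)
# Pairs each "Alias :" line with the "Not After :" line of its certificate and
# prints "<store> <alias> <status>". Stores without certificates (for example
# APPLMGMT_PASSWORD) simply produce no lines.
scan_entries() {
    store=$1; ref=$2; entry_alias=""
    while IFS= read -r line; do
        case $line in
            *Alias*:*)
                entry_alias=$(printf '%s' "${line#*:}" | tr -d '[:space:]') ;;
            *"Not After"*:*)
                status=$(classify_expiry "${line#*:}" "$ref")
                printf '%-18s %-24s %s\n' "$store" "$entry_alias" "$status" ;;
        esac
    done
}

# scan_live: run against this VCSA as of today, skipping the CRL store just as
# the one-liner in the post does. Must run as root on the appliance.
scan_live() {
    ref=$(date -u +%Y-%m-%d)
    for store in $("$VECS_CLI" store list | grep -v TRUSTED_ROOT_CRLS); do
        "$VECS_CLI" entry list --store "$store" --text | scan_entries "$store" "$ref"
    done
}

# demo_report: constructed vecs-cli output (expiry values taken from the listing
# in this post), evaluated as of 2026-03-13 so the result matches vCert's "20 DAYS".
demo_report() {
    printf 'Alias :\t__MACHINE_CERT\n        Not After : Mar 11 08:21:40 2028 GMT\n' \
        | scan_entries MACHINE_SSL_CERT 2026-03-13
    printf 'Alias :\tvpxd\n        Not After : Apr  2 04:03:52 2026 GMT\n' \
        | scan_entries vpxd 2026-03-13
    printf 'Alias :\t__MACHINE_CERT\n        Not After : Apr  2 04:03:50 2026 GMT\nAlias :\tbkp___MACHINE_CERT\n        Not After : Mar  3 01:23:40 2028 GMT\n' \
        | scan_entries BACKUP_STORE 2026-03-13
}

if [ "${1:-}" = "--live" ]; then
    scan_live
elif [ "${1:-}" = "--demo" ]; then
    demo_report
fi
```

Run it with --demo to see the constructed sample (MACHINE_SSL_CERT VALID, vpxd 20 DAYS, the BACKUP_STORE copy of the old __MACHINE_CERT 20 DAYS and its bkp_ sibling VALID), or with --live on the VCSA. Because the comparison is done in seconds rather than whole days, a certificate that expired earlier the same day is reported as EXPIRED rather than as "0 DAYS"; WARN_DAYS can be raised in the environment to match a longer change window.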