武汉诺浰科技有限公司

Technical Knowledge

vCenter: replacing an expiring or expired SSL certificate

How to handle an expired VMware vCenter SSL certificate

Version

VMware vCenter Server 7.0.0.10100

Updating the SSL certificates


Check the certificate expiration dates

  1. Check the Single Sign-On token-signing (STS) certificate; see "Checking for an expired STS certificate on vCenter Server". Certificate Manager does not renew the STS signing certificate, so it has to be checked and handled separately.
  2. Run the following command to see the status of every certificate in the environment:
  • On the vCenter Server Appliance:

for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do echo "[*] Store :" $store; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $store --text | grep -ie "Alias" -ie "Not After";done;

  • On Windows vCenter Server:

$VCInstallHome = [System.Environment]::ExpandEnvironmentVariables("%VMWARE_CIS_HOME%");foreach ($STORE in &"$VCInstallHome\vmafdd\vecs-cli" store list){Write-host STORE: $STORE;&"$VCInstallHome\vmafdd\vecs-cli" entry list --store $STORE --text | findstr /C:"Alias" /C:"Not After"}
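The two one-liners above only print the Alias and Not After lines and leave the date arithmetic to whoever reads them. The following script is an added example, not code from the original page: it parses that same vecs-cli --text output and classifies every certificate as OK, WARN (expires within a threshold) or EXPIRED, so the check can run from cron or a monitoring agent and fail loudly. The sample output embedded in it is constructed, not captured from a vCenter; audit_vecs assumes the appliance path /usr/lib/vmware-vmafd/bin/vecs-cli that the page uses, and days_left relies on GNU date -d, which the Photon-based appliance has.

```shell
#!/bin/sh
# Added example (not from the original page): parse the text output of
# `vecs-cli entry list --store <store> --text`, the same output the page's
# one-liner greps, and classify every certificate as OK, WARN or EXPIRED.
# Needs GNU `date -d`, which the Photon-based vCenter Server Appliance has.

# days_left <"Not After" value as printed by openssl> [now_epoch]
# Prints whole days until that date; negative means already expired.
days_left() {
    local not_after="$1" now="${2:-$(date -u +%s)}" exp
    exp=$(date -u -d "$not_after" +%s 2>/dev/null) || return 1
    echo $(( (exp - now) / 86400 ))
}

# check_vecs_text <store> <threshold_days> [now_epoch]
# Reads vecs-cli --text output on stdin and prints one tab-separated line per
# certificate: STATUS, store, alias, days_left. STATUS is OK, WARN (expires
# within threshold_days) or EXPIRED. Returns 1 if anything is not OK.
check_vecs_text() {
    local store="$1" threshold="$2" now="${3:-$(date -u +%s)}"
    local alias_name="" line value days status rc=0
    while IFS= read -r line; do
        case "$line" in
            Alias*)
                alias_name=$(printf '%s\n' "$line" | sed 's/^Alias[[:space:]]*:[[:space:]]*//') ;;
            *"Not After"*)
                value=$(printf '%s\n' "$line" | sed 's/^.*Not After[[:space:]]*:[[:space:]]*//')
                if ! days=$(days_left "$value" "$now"); then
                    printf 'ERROR\t%s\t%s\tunparseable date: %s\n' "$store" "$alias_name" "$value"
                    rc=1
                    continue
                fi
                if [ "$days" -lt 0 ]; then
                    status=EXPIRED; rc=1
                elif [ "$days" -le "$threshold" ]; then
                    status=WARN; rc=1
                else
                    status=OK
                fi
                printf '%s\t%s\t%s\t%s\n' "$status" "$store" "$alias_name" "$days" ;;
        esac
    done
    return $rc
}

# audit_vecs [threshold_days]: run the check over every VECS store on the
# appliance, skipping TRUSTED_ROOT_CRLS exactly as the page's one-liner does.
audit_vecs() {
    local threshold="${1:-30}" cli=/usr/lib/vmware-vmafd/bin/vecs-cli store rc=0
    for store in $("$cli" store list | grep -v TRUSTED_ROOT_CRLS); do
        "$cli" entry list --store "$store" --text | check_vecs_text "$store" "$threshold" || rc=1
    done
    return $rc
}

# Constructed sample (not captured from a real vCenter) in the shape of
# `vecs-cli entry list --store MACHINE_SSL_CERT --text`, trimmed to context.
SAMPLE_VECS_TEXT='Number of entries in store :    3
Alias : __MACHINE_CERT
Entry type :    Private Key
Certificate:
        Validity
            Not Before: Jun  1 00:00:00 2025 GMT
            Not After : Jun  1 00:00:00 2026 GMT
Alias : old-cert
Entry type :    Trusted Cert
        Validity
            Not Before: Jan  1 00:00:00 2024 GMT
            Not After : Jan  1 00:00:00 2025 GMT
Alias : soon-cert
Entry type :    Trusted Cert
        Validity
            Not Before: Jun 15 00:00:00 2024 GMT
            Not After : Jun 15 00:00:00 2025 GMT
'

# `sh this.sh --demo` evaluates the sample as of 2025-06-01 with a 30-day threshold.
if [ "${1:-}" = "--demo" ]; then
    printf '%s' "$SAMPLE_VECS_TEXT" \
        | check_vecs_text MACHINE_SSL_CERT 30 "$(date -u -d '2025-06-01 00:00:00 UTC' +%s)"
fi
```

Run with --demo and the three sample entries come out as OK (365 days), EXPIRED (-151 days) and WARN (14 days), with exit status 1 because two of them need attention; on the appliance, call audit_vecs 30 instead to walk the real stores. A non-zero exit is the signal to schedule the certificate-manager run described below before the Not After date, rather than after the vSphere Client has already stopped logging in.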

certificate-manager

  • For a vCenter with an embedded or external PSC, do the following once per linked (Enhanced Linked Mode) deployment: run certificate-manager as described in "How to use vSphere Certificate Manager to Replace SSL Certificates" and choose option 4 to generate a new VMCA root certificate and replace all certificates.
  • On every remaining vCenter Server and PSC in the linked deployment:
  1. Run certificate-manager option 3 to replace the Machine SSL certificate
  2. Run certificate-manager option 6 to replace the Solution User certificates


Log in to the Platform Services Controller (on an embedded deployment, the vCenter Server itself) and start vSphere Certificate Manager.

Operating system    Command
Linux               /usr/lib/vmware-vmca/bin/certificate-manager
Windows             C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager.bat
  • Choose option 4, Regenerate a new VMCA Root Certificate and replace all certificates.
  • Answer the prompts. For 'Hostname', enter the fully qualified domain name that clients use to reach the vCenter Server: it becomes the Subject Alternative Name of the new Machine SSL certificate, and a certificate issued only to an IP address will not match clients that connect by name.

Certificate Manager generates a new VMCA root certificate from the values you entered and replaces all certificates on the system where it runs. On an embedded deployment the replacement is complete once Certificate Manager has restarted the services.

  • If your environment uses an external Platform Services Controller, you must then replace the certificates on each vCenter Server system.
  • Log in to the vCenter Server system.
  • Stop all services, then start only the services that handle certificate creation, propagation and storage.

The service names differ between Windows and the vCenter Server Appliance.

Windows 

service-control --stop --all

service-control --start VMWareAfdService

service-control --start VMWareDirectoryService

service-control --start VMWareCertificateService


vCenter Server Appliance 

service-control --stop --all

service-control --start vmafdd

service-control --start vmdird

service-control --start vmcad


  • Restart all services: service-control --start --all
  • To replace the Machine SSL certificate, run vSphere Certificate Manager with option 3, Replace Machine SSL certificate with VMCA Certificate.
  • To replace the Solution User certificates, run Certificate Manager with option 6, Replace Solution user certificates with VMCA certificates.


Tip: take a snapshot of the vCenter before you start. Delete it once everything has been verified, or revert to it if something goes wrong. In a linked deployment, snapshot all nodes together and revert them together, because a single reverted node would no longer trust the certificates the others now hold.
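Once certificate-manager reports 100% and the services are back, what a practitioner wants is evidence that the new certificates are actually in use, not merely stored in VECS. The script below is an added example and not part of the original page: it checks that the Machine SSL certificate chains to the new VMCA root, that its Subject Alternative Name contains the vCenter FQDN entered at the 'Hostname' prompt, that it is not about to expire, and that the certificate presented on port 443 is the same one stored in VECS. The vecs-cli and certool paths are the appliance paths; live_check assumes it is run on the appliance itself with the vCenter FQDN as its argument, and the throwaway certificates used to exercise the checks are generated locally with openssl rather than taken from a real vCenter.

```shell
#!/bin/sh
# Added example (not from the original page): verify the outcome of the
# certificate-manager run. The vecs-cli/certool paths are those of the
# vCenter Server Appliance; the checks themselves only need openssl and PEM files.

VECS_CLI=/usr/lib/vmware-vmafd/bin/vecs-cli
CERTOOL=/usr/lib/vmware-vmca/bin/certool

# sha256_fingerprint <cert.pem>: SHA-256 fingerprint, colon-separated hex only.
sha256_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# chains_to_root <root.pem> <leaf.pem>: succeeds if the leaf verifies against that root alone.
chains_to_root() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# san_has_dns <leaf.pem> <fqdn>: succeeds if the SAN extension lists DNS:<fqdn>.
san_has_dns() {
    local esc
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')   # dots are literal in the name
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null | grep -qE "DNS:$esc(,|$)"
}

# valid_for_days <cert.pem> <days>: succeeds if the certificate does not expire within <days>.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# check_machine_ssl <root.pem> <leaf.pem> <fqdn> <served.pem>
# Prints one line per failed check and returns 1 if any check failed.
check_machine_ssl() {
    local root="$1" leaf="$2" fqdn="$3" served="$4" rc=0
    chains_to_root "$root" "$leaf" \
        || { echo "FAIL: Machine SSL certificate does not chain to the VMCA root"; rc=1; }
    san_has_dns "$leaf" "$fqdn" \
        || { echo "FAIL: Subject Alternative Name does not contain DNS:$fqdn"; rc=1; }
    valid_for_days "$leaf" 30 \
        || { echo "FAIL: Machine SSL certificate expires within 30 days"; rc=1; }
    [ "$(sha256_fingerprint "$leaf")" = "$(sha256_fingerprint "$served")" ] \
        || { echo "FAIL: certificate served on port 443 is not the VECS MACHINE_SSL_CERT entry"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: Machine SSL certificate for $fqdn verified"
    return $rc
}

# live_check <vcenter-fqdn>: export the current VMCA root and Machine SSL
# certificate from the appliance, fetch the certificate served on 443 and
# run the checks. Only meaningful on the vCenter Server Appliance itself.
live_check() {
    local fqdn="$1" dir
    dir=$(mktemp -d)
    "$CERTOOL" --getrootca > "$dir/root.pem"
    "$VECS_CLI" entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT > "$dir/leaf.pem"
    openssl s_client -connect "$fqdn:443" -servername "$fqdn" </dev/null 2>/dev/null \
        | openssl x509 > "$dir/served.pem"
    check_machine_ssl "$dir/root.pem" "$dir/leaf.pem" "$fqdn" "$dir/served.pem"
}

# `sh this.sh --live vcenter.example.com` runs the checks on the appliance.
if [ "${1:-}" = "--live" ]; then
    live_check "$2"
fi
```

A FAIL on the fingerprint line after a successful option 4 run usually means a service is still holding the old certificate in memory; restarting the services (service-control --stop --all followed by service-control --start --all) and re-running the check separates that case from a VECS entry that was never replaced. The chain check is deliberately run against the single VMCA root rather than the system trust store, so an old root left in TRUSTED_ROOTS cannot mask a certificate that was not re-issued.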


Last login: Thu Dec  5 05:43:48 2024 from 10.100.100.195
root@localhost [ ~ ]# /usr/lib/vmware-vmca/bin/certificate-manager 
                _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _  
               |                                                                     | 
               |      *** Welcome to the vSphere 6.8 Certificate Manager  ***        | 
               |                                                                     | 
               |                   -- Select Operation --                            | 
               |                                                                     | 
               |      1. Replace Machine SSL certificate with Custom Certificate     | 
               |                                                                     | 
               |      2. Replace VMCA Root certificate with Custom Signing           | 
               |         Certificate and replace all Certificates                    | 
               |                                                                     | 
               |      3. Replace Machine SSL certificate with VMCA Certificate       | 
               |                                                                     | 
               |      4. Regenerate a new VMCA Root Certificate and                  | 
               |         replace all certificates                                    | 
               |                                                                     | 
               |      5. Replace Solution user certificates with                     | 
               |         Custom Certificate                                          | 
               |         NOTE: Solution user certs will be deprecated in a future    | 
               |         release of vCenter. Refer to release notes for more details.| 
               |                                                                     | 
               |      6. Replace Solution user certificates with VMCA certificates   | 
               |                                                                     | 
               |      7. Revert last performed operation by re-publishing old        | 
               |         certificates                                                | 
               |                                                                     | 
               |      8. Reset all Certificates                                      | 
               |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _| 
Note : Use Ctrl-D to exit. 
Option[1 to 8]: 4 
Do you wish to generate all certificates using configuration file : Option[Y/N] ? : y 

Please provide valid SSO and VC privileged user credential to perform certificate operations. 
Enter username [Administrator@vsphere.local]: 
Enter password: 
certool.cfg file exists, Do you wish to reconfigure : Option[Y/N] ? : y 

Press Enter key to skip optional parameters or use Previous value. 

Enter proper value for 'Country' [Previous value : US] :  

Enter proper value for 'Name' [Previous value : CA] :  

Enter proper value for 'Organization' [Previous value : VMware] :  

Enter proper value for 'OrgUnit' [Previous value : VMware Engineering] :  

Enter proper value for 'State' [Previous value : California] :  

Enter proper value for 'Locality' [Previous value : Palo Alto] :  

Enter proper value for 'IPAddress' (Provide comma separated values for multiple IP addresses) [optional] : 10.100.100.125

Enter proper value for 'Email' [Previous value : email@acme.com] :  

Enter proper value for 'Hostname' (Provide comma separated values for multiple Hostname entries) [Enter valid Fully Qualified Domain Name(FQDN), For Example : example.domain.com] : 10.100.100.125

Enter proper value for VMCA 'Name' : 

VMCA Name should not be empty, please enter valid VMCA Name. 

Enter proper value for VMCA 'Name' :localhost 

You are going to regenerate Root Certificate and all other certificates using VMCA 
Continue operation : Option[Y/N] ? : y 
Get site nameCompleted [Replacing Machine SSL Cert...]                   
default-site 
Lookup all services 
Get service default-site:eef0f0dd-92a7-491a-adc4-8754899d8f03 
Don't update service default-site:eef0f0dd-92a7-491a-adc4-8754899d8f03 
Get service default-site:9dcbe329-7f7f-435f-9da5-82c2ffa33497 
Don't update service default-site:9dcbe329-7f7f-435f-9da5-82c2ffa33497 
Get service default-site:4a9f07a4-65c1-4454-ae91-23c2e3eec55e 
Don't update service default-site:4a9f07a4-65c1-4454-ae91-23c2e3eec55e 
Get service ebe27b6d-9c03-47d1-bdd0-f00176de2ec8_authz 
Don't update service ebe27b6d-9c03-47d1-bdd0-f00176de2ec8_authz 
Get service 0542f829-3ba1-49b0-aa2f-8bb923133ebb 
Don't update service 0542f829-3ba1-49b0-aa2f-8bb923133ebb 
Get service 27c4679e-182c-4950-8275-97c8e801b557 
Don't update service 27c4679e-182c-4950-8275-97c8e801b557 
Get service 5cbf7ae9-addb-4972-b9f5-f46839ac5888 
Don't update service 5cbf7ae9-addb-4972-b9f5-f46839ac5888 
Get service d03cd0ce-0a8d-4a42-9ad5-82eb2f8a3f30 
Don't update service d03cd0ce-0a8d-4a42-9ad5-82eb2f8a3f30 
Get service ab2f22f9-6cd1-4fcb-9836-4567eb70f1d2 
Don't update service ab2f22f9-6cd1-4fcb-9836-4567eb70f1d2 
Get service 6c079282-bcf4-4248-929a-cfff03be2fb7 
Don't update service 6c079282-bcf4-4248-929a-cfff03be2fb7 
Get service d805c741-e70b-48a2-8fb3-c23f615b2eb2 
Don't update service d805c741-e70b-48a2-8fb3-c23f615b2eb2 
Get service d65fb0b4-e5b3-46d3-8992-b4d1f77380c2 
Don't update service d65fb0b4-e5b3-46d3-8992-b4d1f77380c2 
Get service fe68b963-10d2-4e72-aaea-f6d99454dbb0 
Don't update service fe68b963-10d2-4e72-aaea-f6d99454dbb0 
Get service cf1770f7-1e8a-4eb8-b101-741f6b4a243b 
Don't update service cf1770f7-1e8a-4eb8-b101-741f6b4a243b 
Get service 3c404858-e711-4cad-97ab-a47287c86668 
Don't update service 3c404858-e711-4cad-97ab-a47287c86668 
Get service 6c079282-bcf4-4248-929a-cfff03be2fb7_com.vmware.vsphere.client 
Don't update service 6c079282-bcf4-4248-929a-cfff03be2fb7_com.vmware.vsphere.client 
Get service 65ee53a8-2314-432e-8f73-d62ba603baa9 
Don't update service 65ee53a8-2314-432e-8f73-d62ba603baa9 
Get service 9bb320b3-e846-43a2-b532-bb15bc5aef85 
Don't update service 9bb320b3-e846-43a2-b532-bb15bc5aef85 
Get service 00407dce-2108-4e76-a7cc-89240c158d10 
Don't update service 00407dce-2108-4e76-a7cc-89240c158d10 
Get service 6624c401-3f67-44d2-9db4-2ee45829c3cb 
Don't update service 6624c401-3f67-44d2-9db4-2ee45829c3cb 
Get service 5d1446f4-0d83-4d11-8299-9e4c32cbd079 
Don't update service 5d1446f4-0d83-4d11-8299-9e4c32cbd079 
Get service 4b04ed59-4fec-4579-9ef2-cb84664f265a 
Don't update service 4b04ed59-4fec-4579-9ef2-cb84664f265a 
Get service 59b58ae1-bfdd-42a9-b9b6-92064457092a 
Don't update service 59b58ae1-bfdd-42a9-b9b6-92064457092a 
Get service 49ca1b65-c57d-4266-a5fd-d54cc9db4452 
Don't update service 49ca1b65-c57d-4266-a5fd-d54cc9db4452 
Get service ddda2e92-826e-4826-ae6e-7685272dd560 
Don't update service ddda2e92-826e-4826-ae6e-7685272dd560 
Get service 6cd9f9fe-c760-4ea7-a8ed-d223e2d3158b 
Don't update service 6cd9f9fe-c760-4ea7-a8ed-d223e2d3158b 
Get service f615506b-8fe1-4859-a79c-9463ecd33ea7 
Don't update service f615506b-8fe1-4859-a79c-9463ecd33ea7 
Get service ebe27b6d-9c03-47d1-bdd0-f00176de2ec8 
Don't update service ebe27b6d-9c03-47d1-bdd0-f00176de2ec8 
Get service 676b7458-80cf-4f2f-9284-018f429e262e 
Don't update service 676b7458-80cf-4f2f-9284-018f429e262e 
Get service 36c65e74-8889-4bd8-98d3-f6d399826244 
Don't update service 36c65e74-8889-4bd8-98d3-f6d399826244 
Get service 69258592-77f7-463e-b671-9b26251385db 
Don't update service 69258592-77f7-463e-b671-9b26251385db 
Get service fa718594-beb8-4833-8378-509e44ec5b3c 
Don't update service fa718594-beb8-4833-8378-509e44ec5b3c 
Get service ebe27b6d-9c03-47d1-bdd0-f00176de2ec8_kv 
Don't update service ebe27b6d-9c03-47d1-bdd0-f00176de2ec8_kv 
Get service ff0f494e-cea5-48c4-a672-9fd17fe56cc9 
Don't update service ff0f494e-cea5-48c4-a672-9fd17fe56cc9 
Get service 405bd201-8398-4692-8dc0-4cad2c724708 
Don't update service 405bd201-8398-4692-8dc0-4cad2c724708 
Get service 32c0466f-3183-488e-8c00-a0c76be968ad 
Don't update service 32c0466f-3183-488e-8c00-a0c76be968ad 
Get service 48e106ef-4081-40b0-8fda-014e92919ac0 
Don't update service 48e106ef-4081-40b0-8fda-014e92919ac0 
Get service 834a4c2c-9496-486a-aef0-cee54fa04668 
Don't update service 834a4c2c-9496-486a-aef0-cee54fa04668 
Get service f7c118f1-5010-4f78-b945-2e3bdf383817 
Don't update service f7c118f1-5010-4f78-b945-2e3bdf383817 
Get service bb4ef474-27ab-4c75-9fb8-6d5c016aaa7e 
Don't update service bb4ef474-27ab-4c75-9fb8-6d5c016aaa7e 
Get service 1c94572c-f0e7-4b12-9724-20c533d4320d 
Don't update service 1c94572c-f0e7-4b12-9724-20c533d4320d 
Get service 63e44f72-c0f2-4bc1-b2a0-9c66ce0ea5b0 
Don't update service 63e44f72-c0f2-4bc1-b2a0-9c66ce0ea5b0 
Get service 2aa5abdc-7e49-4eb8-9729-071921231949 
Don't update service 2aa5abdc-7e49-4eb8-9729-071921231949 
Get service a4c7c156-e62d-4adb-97c1-17ef77ac1b56 
Don't update service a4c7c156-e62d-4adb-97c1-17ef77ac1b56 
Get service 6c079282-bcf4-4248-929a-cfff03be2fb7_com.vmware.vcenter.wcp 
Don't update service 6c079282-bcf4-4248-929a-cfff03be2fb7_com.vmware.vcenter.wcp 
Get service 6c079282-bcf4-4248-929a-cfff03be2fb7_com.vmware.lcm.client 
Don't update service 6c079282-bcf4-4248-929a-cfff03be2fb7_com.vmware.lcm.client 
Updated 0 service(s) 
Status : 60% Completed [Replace vpxd-extension Cert...]                      
2024-12-05T05:57:03.017Z  Updating certificate for "com.vmware.vim.eam" extension 


2024-12-05T05:57:03.382Z  Updating certificate for "com.vmware.rbd" extension 


2024-12-05T05:57:03.724Z  Updating certificate for "com.vmware.imagebuilder" extension 

Status : 100% Completed [stopping services...] 


root@localhost [ ~ ]#