vCenter Certificate Expiration “Fun”

So, I went to log in to my #HomeLab vCenter this morning and I was presented with this *LOVELY* error message:

There was no way around this one. No option to pass go, accept the risk and just continue. After going through Browser Bingo and getting the same error (vCenter implements HSTS, which prevents bypassing things like this), I took a closer look at the original error. When I clicked on the “NET::ERR_CERT_DATE_INVALID” I saw more information:

Well crap…that explains it. My certificate expired yesterday. I clicked on the address bar in the browser to see the full certificate information and saw this:

So, off I go to try and remember how to re-issue the vCenter certificate without having to do a full reinstall. If I had caught this even yesterday, the process would have been much simpler. You just log into the vCenter server, navigate to “Administration” and then “Certificate Management”. From here, all you have to do is select the expiring certificate and click “Actions” then “Renew” as shown here:

The UI will walk through the process and get your certificate renewed right away. Unfortunately, if you’re not watching the expiration dates and the certificate expires, the process is a little harder. I’ll walk you through it in the next couple of steps.
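The painful path in this post only happens because nobody was watching the expiration date, so here is a small expiry checker as an added example (my code, not part of the original post or anything VMware ships). It reads the certificate presented by a vCenter (or ESXi) host, computes how many days remain, and classifies it as ok, renew-soon or expired. The host name "vcenter.homelab.example" and the 30-day warning window are assumptions; the live check needs the third-party "cryptography" package because the standard library cannot parse a certificate it refused to verify, and an expired certificate is exactly the one we still need to read.

```python
import math
import ssl
from datetime import timezone
from typing import Optional, Tuple

# Assumption: warn this many days before the Machine SSL certificate expires.
WARN_DAYS = 30


def cert_time_to_epoch(cert_time: str) -> float:
    """Parse the 'notAfter' format that ssl.getpeercert() returns,
    e.g. 'Oct 10 12:00:00 2024 GMT', into UTC epoch seconds."""
    return ssl.cert_time_to_seconds(cert_time)


def days_until_expiry(expiry_epoch: float, now_epoch: Optional[float] = None) -> int:
    """Whole days left before expiry; negative once the certificate has lapsed.
    now_epoch is injectable so the check is deterministic in tests."""
    if now_epoch is None:
        import time
        now_epoch = time.time()
    return math.floor((expiry_epoch - now_epoch) / 86400)


def classify(days_left: int) -> str:
    """Map days remaining onto the three states an operator cares about."""
    if days_left < 0:
        return "expired"        # the situation described in the post: UI renewal no longer possible
    if days_left <= WARN_DAYS:
        return "renew-soon"     # still fixable via Administration > Certificate Management > Renew
    return "ok"


def expiry_report(name: str, expiry_epoch: float, now_epoch: Optional[float] = None) -> Tuple[str, str]:
    """Return (status, one-line report) for a named certificate."""
    days = days_until_expiry(expiry_epoch, now_epoch)
    status = classify(days)
    return status, f"{name}: {status} ({days} days left)"


def check_host(host: str, port: int = 443) -> Tuple[str, str]:
    """Live check against a vCenter/ESXi endpoint.

    ssl.get_server_certificate() does not validate the chain, so it still hands
    back the PEM for an expired or VMCA-signed certificate. Parsing that PEM
    needs the 'cryptography' package (assumption: installed), imported lazily so
    the offline helpers above work without it."""
    pem = ssl.get_server_certificate((host, port))
    from cryptography import x509  # third-party; only needed for the live path

    cert = x509.load_pem_x509_certificate(pem.encode())
    # Newer cryptography releases expose a tz-aware 'not_valid_after_utc';
    # fall back to the naive attribute on older versions and treat it as UTC.
    not_after = getattr(cert, "not_valid_after_utc", None)
    if not_after is None:
        not_after = cert.not_valid_after.replace(tzinfo=timezone.utc)
    return expiry_report(host, not_after.timestamp())


if __name__ == "__main__":
    # Constructed sample: a certificate that expires 30 days from the chosen 'now'.
    sample_not_after = "Oct 10 12:00:00 2024 GMT"
    sample_now = cert_time_to_epoch("Sep 10 12:00:00 2024 GMT")
    print(expiry_report("vcenter.homelab.example (constructed)",
                        cert_time_to_epoch(sample_not_after), sample_now)[1])
    # Live check (assumed host name); uncomment on a lab network:
    # print(check_host("vcenter.homelab.example")[1])
```

Run it from cron or a monitoring job against every vCenter and ESXi endpoint; anything that comes back renew-soon is still a two-click fix in the web UI, which is the whole point of checking before the date passes.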

Here is a quick diagram to show how I have designed my #HomeLab PKI environment:

Although most of my servers use my online Microsoft Certificate Authority, Darkhonor CA-1, vCenter and my ESXi hosts all use the embedded VMware Certificate Authority, which is set up as an Intermediate Certificate Authority in my environment. It’s important to have a clear understanding of where your certificates come from and how the chain of trust is managed. It’s worth taking the time to create a simple diagram like the one shown above if you don’t have a clear idea or plan now.

So, as you can see in my PKI Architecture, the vCenter certificate comes from the Darkhonor VMCA CA. Since I’m unable to use the vCenter web interface to renew the certificate, I have to use the Certificate Manager command line tool. First off, I need to SSH into the vCenter server. You will need to use the [email protected] (or whatever your local administrator account is for your PSC). In my case, I’m using the root account. You will need to get a shell to execute the certificate-manager command. Type the following to start the tool:

[email protected] [ ~ ]# /usr/lib/vmware-vmca/bin/certificate-manager

It will bring up the tool as shown here:

From the options shown, I chose option “3”: I’m replacing the Machine SSL certificate using the Intermediate CA, Darkhonor VMCA (from the diagram above). If you are signing all of your certificates with an external authority and not using the VMCA tool, you would choose option “1”. Once you make your selection, you will be prompted for an account with the ability to perform certificate operations in your environment. Since this is my #HomeLab, I just use the [email protected] account. Once complete, the tool will generate the new certificate, sign it with the VMCA certificate, apply it to the correct services, and restart the services. This will take a while to do, so be patient. You will see something along these lines as it progresses:

If everything goes well, all of the vCenter services should be restarted with the new certificate and you will see a message similar to the following:

Just to make sure everything works well, I opened my trusty browser and sure enough, I’m able to get to the login screen again for vCenter. I check the certificate in the browser and see that it’s been re-issued by the “Darkhonor VMCA” certificate authority and is valid for another 2 years…just long enough for me to forget about it again.

That’s about it. The process isn’t too difficult, but it can be daunting if you’re not overly familiar with the Command Line Interface tools. Share if you find this helpful. Bookmark it if you ever need it in the future!
