{"id":2772,"date":"2024-07-10T20:47:57","date_gmt":"2024-07-10T18:47:57","guid":{"rendered":"https:\/\/itsimple.info\/?p=2772"},"modified":"2025-10-22T10:49:34","modified_gmt":"2025-10-22T08:49:34","slug":"how-to-renew-vcenter-certificate-from-cli-through-ssh","status":"publish","type":"post","link":"https:\/\/itsimple.info\/?p=2772","title":{"rendered":"How to renew vCenter Certificate from CLI Through SSH"},"content":{"rendered":"\n<p>vCenter has a certificate authority that usually issues certificates for 2 years. After that time you might get errors connecting to vCenter, both to the production and to the settings environments:<\/p>\n\n\n\n<p>https:\/\/your vCenter FQDN<\/p>\n\n\n\n<p>https:\/\/your vCenter FQDN:5480<\/p>\n\n\n\n<p>To renew the certificates on the vCenter server you first need to enable SSH through the console:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"796\" height=\"616\" src=\"https:\/\/itsimple.info\/wp-content\/uploads\/2024\/07\/Vmware-ReplaceCertificate-StartSSH-0.png\" alt=\"\" class=\"wp-image-2773\" srcset=\"https:\/\/itsimple.info\/wp-content\/uploads\/2024\/07\/Vmware-ReplaceCertificate-StartSSH-0.png 796w, https:\/\/itsimple.info\/wp-content\/uploads\/2024\/07\/Vmware-ReplaceCertificate-StartSSH-0-300x232.png 300w, https:\/\/itsimple.info\/wp-content\/uploads\/2024\/07\/Vmware-ReplaceCertificate-StartSSH-0-768x594.png 768w\" sizes=\"auto, (max-width: 796px) 100vw, 796px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-gallery has-nested-images columns-default is-cropped wp-block-gallery-1 is-layout-flex wp-block-gallery-is-layout-flex\">\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"795\" height=\"618\" data-id=\"2774\" src=\"https:\/\/itsimple.info\/wp-content\/uploads\/2024\/07\/Vmware-ReplaceCertificate-StartSSH.png\" alt=\"\" class=\"wp-image-2774\" 
srcset=\"https:\/\/itsimple.info\/wp-content\/uploads\/2024\/07\/Vmware-ReplaceCertificate-StartSSH.png 795w, https:\/\/itsimple.info\/wp-content\/uploads\/2024\/07\/Vmware-ReplaceCertificate-StartSSH-300x233.png 300w, https:\/\/itsimple.info\/wp-content\/uploads\/2024\/07\/Vmware-ReplaceCertificate-StartSSH-768x597.png 768w\" sizes=\"auto, (max-width: 795px) 100vw, 795px\" \/><\/figure>\n<\/figure>\n\n\n\n<p>You can check the certificates' validity with these commands from PuTTY:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Verify certificate expiration date<\/strong><\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Check the Single Sign-on Token Signing (STS) certificate, see&nbsp;<a href=\"https:\/\/knowledge.broadcom.com\/external\/article?articleNumber=318968\" target=\"_blank\" rel=\"noreferrer noopener\">Checking Expiration of STS Certificate on vCenter Server<\/a>.<\/li>\n\n\n\n<li>Run the commands below to see the status of the environment's certificates:<\/li>\n<\/ol>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Run this command on the vCenter Appliance:<\/li>\n<\/ul>\n\n\n\n<p><strong>for store in $(\/usr\/lib\/vmware-vmafd\/bin\/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do echo &quot;[*] Store :&quot; $store; \/usr\/lib\/vmware-vmafd\/bin\/vecs-cli entry list --store $store --text | grep -ie &quot;Alias&quot; -ie &quot;Not After&quot;;done;<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Run this command on the Windows vCenter Server:<\/li>\n<\/ul>\n\n\n\n<p><strong>$VCInstallHome = [System.Environment]::ExpandEnvironmentVariables(&quot;%VMWARE_CIS_HOME%&quot;);foreach ($STORE in &amp; &quot;$VCInstallHome\\vmafdd\\vecs-cli&quot; store list){Write-host STORE: $STORE;&amp; &quot;$VCInstallHome\\vmafdd\\vecs-cli&quot; entry list --store $STORE --text | findstr \/C:&quot;Alias&quot; \/C:&quot;Not After&quot;}<\/strong><\/p>\n\n\n\n<p>Then you can connect to it from PuTTY, start a bash session, and then start the 
Certificate Authority server with this command:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">\/usr\/lib\/vmware-vmca\/bin\/certificate-manager<\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"799\" height=\"945\" src=\"https:\/\/itsimple.info\/wp-content\/uploads\/2024\/07\/Vmware-ReplaceCertificate.png\" alt=\"\" class=\"wp-image-2775\" srcset=\"https:\/\/itsimple.info\/wp-content\/uploads\/2024\/07\/Vmware-ReplaceCertificate.png 799w, https:\/\/itsimple.info\/wp-content\/uploads\/2024\/07\/Vmware-ReplaceCertificate-254x300.png 254w, https:\/\/itsimple.info\/wp-content\/uploads\/2024\/07\/Vmware-ReplaceCertificate-768x908.png 768w\" sizes=\"auto, (max-width: 799px) 100vw, 799px\" \/><\/figure>\n\n\n\n<p>Option 3 should create a new, updated certificate.<\/p>\n\n\n\n<p>Option 4 will create a new CA certificate, and you will have to enter some details about the organization and FQDN. In the end it will replace all the certificates on the server and restart the services as well.<\/p>\n\n\n\n<p>To download the certificate chain from vCenter in order to install it on Windows or some other place, you can download it from:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">https:\/\/your vcenter FQDN\/certs\/download.zip<br><\/pre>\n\n\n\n<p>Follow these procedures to renew all certificates. 
vCenter should come back to life, allowing logons again.<\/p>\n\n\n\n<p>You can also try working with the ready-made script by Broadcom:<\/p>\n\n\n\n<p><a href=\"https:\/\/knowledge.broadcom.com\/external\/article\/322249\/replace-certificates-on-vcenter-server-u.html\"><strong>Replace certificates on vCenter server using the Fixcerts script<\/strong><\/a><\/p>\n\n\n\n<figure class=\"wp-block-pullquote has-vivid-green-cyan-color has-text-color has-link-color has-large-font-size wp-elements-913a8d28a4fab8f1d7b7023910a23e04\"><blockquote><p>Good Luck<\/p><\/blockquote><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>vCenter has a certificate authority that usually issues certificates for 2 years. After that time you might get errors connecting to vCenter, both to the production and to the settings environments: https:\/\/your vCenter FQDN https:\/\/your vCenter FQDN:5480 To renew the certificates on the vCenter server you first need to enable SSH through the console: You [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,12,18,19],"tags":[],"class_list":["post-2772","post","type-post","status-publish","format-standard","hentry","category-tech","category-tutorials","category-virtualization","category-vmware"],"_links":{"self":[{"href":"https:\/\/itsimple.info\/index.php?rest_route=\/wp\/v2\/posts\/2772","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/itsimple.info\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/itsimple.info\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/itsimple.info\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/itsimple.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2772"}],"version-history":[{"count":2,"href":"https:\/\/itsimple.info\/index.php?rest_route=\/wp\/v2\/posts\/27
72\/revisions"}],"predecessor-version":[{"id":3012,"href":"https:\/\/itsimple.info\/index.php?rest_route=\/wp\/v2\/posts\/2772\/revisions\/3012"}],"wp:attachment":[{"href":"https:\/\/itsimple.info\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2772"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/itsimple.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2772"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/itsimple.info\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2772"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}