After you replace the machine SSL certificates, you can replace all solution user certificates. Solution user certificates must be valid, that is, not expired, but none of the other information in the certificate is used by the certificate infrastructure.

You replace the machine solution user certificate on each management node and on each Platform Services Controller node. You replace the other solution user certificates only on each management node. Use the --server parameter to point to the Platform Services Controller when you run commands on a management node with an external Platform Services Controller.

Note

When you list solution user certificates in large deployments, the output of dir-cli list includes all solution users from all nodes. Run vmafd-cli get-machine-id --server-name localhost to find the local machine ID for each host. Each solution user name includes the machine ID.

Be prepared to stop all services and start the services that handle certificate propagation and storage.

1

Make one copy of certool.cfg, remove the Name, IP address, DNS name, and email fields, and rename the file, for example, to sol_usr.cfg.

You can name the certificates from the command line as part of generation. The other information is not needed for solution users. If you leave the default information, the certificates that are generated are potentially confusing.

2

Generate a public/private key file pair and a certificate for each solution user, passing in the configuration file that you just customized.

For example:

certool --genkey --privkey=vpxd.priv --pubkey=vpxd.pub 
certool --gencert --privkey=vpxd.priv --cert vpxd.crt --Name=VPXD_1 --config sol_usr.cfg
3

Find the name for each solution user.

dir-cli service list 

You can use the unique ID that is returned when you replace the certificates. The input and output might look as follows.

C:\Program Files\VMware\vCenter Server\vmafdd>dir-cli service list
Enter password for administrator@vsphere.local:
1. machine-1d364500-4b45-11e4-96c2-020011c98db3
2. vpxd-1d364500-4b45-11e4-96c2-020011c98db3
3. vpxd-extension-1d364500-4b45-11e4-96c2-020011c98db3
4. vsphere-webclient-1d364500-4b45-11e4-96c2-020011c98db3

When you list solution user certificates in multi-node deployments, the output of dir-cli list includes all solution users from all nodes. Run vmafd-cli get-machine-id --server-name localhost to find the local machine ID for each host. Each solution user name includes the machine ID.

4

Stop all services and start the services that handle certificate creation, propagation, and storage.

The service names differ on Windows and the vCenter Server Appliance.

Windows

service-control --stop --all
service-control --start VMWareAfdService
service-control --start VMWareDirectoryService
service-control --start VMWareCertificateService

vCenter Server Appliance

service-control --stop --all
service-control --start vmafdd
service-control --start vmdird
service-control --start vmcad
5

For each solution user, replace the existing certificate in vmdir and then in VECS.

The following example shows how to replace the certificates for the vpxd service.

dir-cli service update --name <vpxd-xxxx-xxx-7c7b769cd9f4> --cert ./vpxd.crt
vecs-cli entry delete --store vpxd --alias vpxd
vecs-cli entry create --store vpxd --alias vpxd --cert vpxd.crt --key vpxd.priv

Note

Solution users cannot authenticate to vCenter Single Sign-On if you do not replace the certificate in vmdir.

6

Restart all services.


service-control --start --all
1

Generate a public/private key pair for each solution user. That includes a pair for the machine solution user on each Platform Services Controller and each management node and a pair for each additional solution user (vpxd, vpxd-extension, vsphere-webclient) on each management node.

a

Generate a key pair for the machine solution user of an embedded deployment or for the machine solution user of the Platform Services Controller.

C:\>"C:\Program Files\VMware\vCenter Server\vmcad\"certool --genkey --privkey=machine-key.priv --pubkey=machine-key.pub
b

(Optional) For deployments with an external Platform Services Controller, generate a key pair for the machine solution user on each management node.

C:\>"C:\Program Files\VMware\vCenter Server\vmcad\"certool --genkey --privkey=machine-key.priv --pubkey=machine-key.pub
c

Generate a key pair for the vpxd solution user on each management node.

C:\>"C:\Program Files\VMware\vCenter Server\vmcad\"certool --genkey --privkey=vpxd-key.priv --pubkey=vpxd-key.pub
d

Generate a key pair for the vpxd-extension solution user on each management node.

C:\>"C:\Program Files\VMware\vCenter Server\vmcad\"certool --genkey --privkey=vpxd-extension-key.priv --pubkey=vpxd-extension-key.pub
e

Generate a key pair for the vsphere-webclient solution user on each management node.

C:\>"C:\Program Files\VMware\vCenter Server\vmcad\"certool --genkey --privkey=vsphere-webclient-key.priv --pubkey=vsphere-webclient-key.pub
2

Generate solution user certificates that are signed by the new VMCA root certificate for the machine solution user on each Platform Services Controller and each management node and for each additional solution user (vpxd, vpxd-extension, vsphere-webclient) on each management node.

Note

The --Name parameter has to be unique. Including the name of the solution user store, for example vpxd or vpxd-extension makes it easy to see which certificate maps to which solution user.

a

Run the following command on the Platform Services Controller node to generate a solution user certificate for the machine solution user on that node.

C:\>"C:\Program Files\VMware\vCenter Server\vmcad\"certool --gencert --cert=new-machine.crt --privkey=machine-key.priv --Name=machine 
b

Generate a certificate for the machine solution user on each management node.

C:\>"C:\Program Files\VMware\vCenter Server\vmcad\"certool --gencert --cert=new-machine.crt --privkey=machine-key.priv --Name=machine --server=<psc-ip-or-fqdn>
c

Generate a certificate for the vpxd solution user on each management node.

C:\>"C:\Program Files\VMware\vCenter Server\vmcad\"certool --gencert --cert=new-vpxd.crt --privkey=vpxd-key.priv --Name=vpxd --server=<psc-ip-or-fqdn>
d

Generate a certificate for the vpxd-extensions solution user on each management node.

C:\>"C:\Program Files\VMware\vCenter Server\vmcad\"certool --gencert --cert=new-vpxd-extension.crt --privkey=vpxd-extension-key.priv --Name=vpxd-extension --server=<psc-ip-or-fqdn>
e

Generate a certificate for the vsphere-webclient solution user on each management node by running the following command.

C:\>"C:\Program Files\VMware\vCenter Server\vmcad\"certool --gencert --cert=new-vsphere-webclient.crt --privkey=vsphere-webclient-key.priv --Name=vsphere-webclient --server=<psc-ip-or-fqdn>
3

Replace the solution user certificates in VECS with the new solution user certificates.

Note

The --store and --alias parameters have to exactly match the default names for services.

a

On the Platform Services Controller node, run the following command to replace the machine solution user certificate:

C:\>"C:\Program Files\VMware\vCenter Server\vmafdd\"vecs-cli entry delete --store machine --alias machine
C:\>"C:\Program Files\VMware\vCenter Server\vmafdd\"vecs-cli entry create --store machine --alias machine --cert new-machine.crt --key machine-key.priv
b

Replace the machine solution user certificate on each management node:

C:\>"C:\Program Files\VMware\vCenter Server\vmafdd\"vecs-cli entry delete --store machine --alias machine
C:\>"C:\Program Files\VMware\vCenter Server\vmafdd\"vecs-cli entry create --store machine --alias machine --cert new-machine-vc.crt --key machine-vc-key.priv
c

Replace the vpxd solution user certificate on each management node.

C:\>"C:\Program Files\VMware\vCenter Server\vmafdd\"vecs-cli entry delete --store vpxd --alias vpxd
C:\>"C:\Program Files\VMware\vCenter Server\vmafdd\"vecs-cli entry create --store vpxd --alias vpxd --cert new-vpxd.crt --key vpxd-key.priv
d

Replace the vpxd-extension solution user certificate on each management node.

C:\>"C:\Program Files\VMware\vCenter Server\vmafdd\"vecs-cli entry delete --store vpxd-extension --alias vpxd-extension
C:\>"C:\Program Files\VMware\vCenter Server\vmafdd\"vecs-cli entry create --store vpxd-extension --alias vpxd-extension --cert new-vpxd-extension.crt --key vpxd-extension-key.priv
e

Replace the vsphere-webclient solution user certificate on each management node.

C:\>"C:\Program Files\VMware\vCenter Server\vmafdd\"vecs-cli entry delete --store vsphere-webclient --alias vsphere-webclient
C:\>"C:\Program Files\VMware\vCenter Server\vmafdd\"vecs-cli entry create --store vsphere-webclient --alias vsphere-webclient --cert new-vsphere-webclient.crt --key vsphere-webclient-key.priv
4

Update VMware Directory Service (vmdir) with the new solution user certificates. You are prompted for a vCenter Single Sign-On administrator password.

a

Run dir-cli service list to get the unique service ID suffix for each solution user. You can run this command on a Platform Services Controller or a vCenter Server system.

C:\>"C:\Program Files\VMware\vCenter Server\vmafdd\"dir-cli>dir-cli service list
output:
1. machine-29a45d00-60a7-11e4-96ff-00505689639a
2. machine-6fd7f140-60a9-11e4-9e28-005056895a69
3. vpxd-6fd7f140-60a9-11e4-9e28-005056895a69
4. vpxd-extension-6fd7f140-60a9-11e4-9e28-005056895a69
5. vsphere-webclient-6fd7f140-60a9-11e4-9e28-005056895a69

Note

When you list solution user certificates in large deployments, the output of dir-cli list includes all solution users from all nodes. Run vmafd-cli get-machine-id --server-name localhost to find the local machine ID for each host. Each solution user name includes the machine ID.

b

Replace the machine certificate in vmdir on the Platform Services Controller. For example, if machine-29a45d00-60a7-11e4-96ff-00505689639a is the machine solution user on the Platform Services Controller, run this command:

C:\>"C:\Program Files\VMware\vCenter Server\vmafdd\"dir-cli service update --name machine-29a45d00-60a7-11e4-96ff-00505689639a --cert new-machine-1.crt
c

Replace the machine certificate in vmdir on each management node. For example, if machine-6fd7f140-60a9-11e4-9e28-005056895a69 is the machine solution user on the vCenter Server, run this command:

C:\>"C:\Program Files\VMware\vCenter Server\vmafdd\"dir-cli service update --name machine-6fd7f140-60a9-11e4-9e28-005056895a69 --cert new-machine-2.crt
d

Replace the vpxd solution user certificate in vmdir on each management node. For example, if vpxd-6fd7f140-60a9-11e4-9e28-005056895a69 is the vpxd solution user ID, run this command:

C:\>"C:\Program Files\VMware\vCenter Server\vmafdd\"dir-cli service update --name vpxd-6fd7f140-60a9-11e4-9e28-005056895a69 --cert new-vpxd.crt
e

Replace the vpxd-extension solution user certificate in vmdir on each management node. For example, if vpxd-extension-6fd7f140-60a9-11e4-9e28-005056895a69 is the vpxd-extension solution user ID, run this command:

C:\>"C:\Program Files\VMware\vCenter Server\vmafdd\"dir-cli service update --name vpxd-extension-6fd7f140-60a9-11e4-9e28-005056895a69 --cert new-vpxd-extension.crt
f

Replace the vsphere-webclient solution user certificate on each management node. For example, if vsphere-webclient-6fd7f140-60a9-11e4-9e28-005056895a69 is the vsphere-webclient solution user ID, run this command:

C:\>"C:\Program Files\VMware\vCenter Server\vmafdd\"dir-cli service update --name vsphere-webclient-6fd7f140-60a9-11e4-9e28-005056895a69 --cert new-vsphere-webclient.crt

Restart all services on each Platform Services Controller node and each management node.