Renewing the default STS (SSO) Certificate of vCenter/PSC in a vCF Environment

At a customer we received a notification in vCenter that a certificate was about to expire.

However, this vCenter (version 6.7) was part of a vCF deployment.
Almost all certificates in such an environment are managed by vCF, and when we checked the certificate status there, nothing seemed to be expiring soon.


However, the SSO STS certificate is issued by VMware by default and is managed by the vCenter/PSC itself, not by the SDDC Manager of vCF. The only place to check this certificate in the UI is the vCenter itself, using the Flash client…

There is another way to check the certificate: running a python script on the vCenter/PSC. You can read more about that in a separate blog post I wrote here.

Looking further into it, VMware released two KB articles that explain the reason for the expiration and how to fix it. In summary: the SSO STS certificate in vCenter 6.5/6.7 has a standard expiration of 2 years after deployment, which comes around quickly for most people. In this procedure we renew the certificate right before it is about to expire.

Once the certificate has expired, you will most likely be kicked out of the web GUI if you are logged in through SSO, and you need to fix the issue before you can get back in. Luckily most other services will not be affected, but it is not a fun situation to be in.

In our case we had 2 external PSCs, with psc1 being the main component that manages the certificate. PSC2 uses the same STS certificate and should replicate it once we have renewed it, but do verify afterwards that this actually happened. We downloaded the script from the KB article and uploaded it with WinSCP. If you have trouble connecting to the PSC with WinSCP, check out this article of mine.

The procedure.

In summary we are going to do this:

  1. Snapshot every PSC & vCenter that is part of the same SSO domain
    1. *TIP: Note down on which hosts the vCenters & PSCs are located. In case something goes wrong, you know which host to connect to.
  2. Upload the script to the PSC/vCenter that is managing the STS certificate
  3. Run the script
  4. Stop & start all services with “service-control” on each PSC & vCenter
    1. In our case we first did the PSCs and then the vCenters.
  5. Check if everything is working and if the certificate expiration date has been updated
  6. Delete the snapshots
  7. *Update: Besides renewing the STS certificates on the PSCs, there is a big chance that you also have to renew the machine certificates on all PSCs and vCenters. Certain builds from 6.5 onwards have a similar issue with the machine certificates: they also expire 2 years after deployment. The scripts above do not check the machine certificates, and renewing them is a completely different procedure. For more info, check this separate blog post of mine about it here, once you are done with this.

1. Snapshot.
First create a snapshot of every PSC and vCenter that is part of the same SSO domain. Also note down the host location of each affected vCenter & PSC.

2. Download & Upload the script

Download the script from the KB article and upload it with WinSCP or any other preferred tool, preferably to the /tmp folder.

3. Run the Script

Navigate to the folder (/tmp) and run the script from the KB article. First change the permissions and make the file executable with the command:
chmod +x fixsts.sh

Before you run the script, make sure you have the password of administrator@vsphere.local at hand. Run the script with the command:

./fixsts.sh

This will automatically create a new certificate.

4. Stop & start the services with “service-control”

Run the command:

service-control --stop --all

Once it has stopped all the necessary services, start them again with:

service-control --start --all

Do this for every PSC and vCenter in the same SSO domain.

5. Check the SSL Expiration Date

If everything has gone well, the expiration date of the STS certificate should now be updated.
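As an added check for this step (and for the certificate check mentioned at the start of the post), here is a small shell script that is not part of the post or of VMware's KB script: it reports how many days a PEM certificate has left and returns a non-zero status when it expires within a threshold. It assumes `openssl` and GNU `date` are available (both are on the appliance) and that the certificate has already been exported to a PEM file; for the STS certificate that means exporting it from vmdir first (which the KB script does), while a machine SSL certificate can be exported with `vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT`.

```shell
#!/bin/sh
# Added example, not from the post or from VMware's fixsts.sh.
# Assumes: openssl on PATH, GNU date for the day count (falls back to "?").

# days_left <pem-file>: whole days until notAfter (negative when expired)
days_left() {
    end=$(openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//')
    end_epoch=$(date -d "$end" +%s 2>/dev/null) || { echo "?"; return 0; }
    echo $(( (end_epoch - $(date +%s)) / 86400 ))
}

# check_cert <pem-file> [threshold-days]: 0 when the certificate is still
# valid beyond the threshold (default 30 days), 1 when it expires sooner.
# The pass/fail decision uses openssl's own -checkend, so it does not
# depend on date parsing.
check_cert() {
    threshold=${2:-30}
    subject=$(openssl x509 -noout -subject -in "$1")
    days=$(days_left "$1")
    if openssl x509 -noout -checkend $((threshold * 86400)) -in "$1" >/dev/null; then
        echo "OK: $subject valid for $days more days"
        return 0
    fi
    echo "WARNING: $subject expires within $threshold days ($days days left)"
    return 1
}

# make_sample_cert <out-file> <days>: constructed self-signed certificate used
# only to demonstrate the check offline (stands in for an exported STS cert).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout /dev/null \
        -out "$1" -days "$2" -subj "/CN=sample-sts" 2>/dev/null
}
```

Run it as `check_cert /tmp/sts.pem 60` from a cron job or a pre-flight check and alert on a non-zero exit; the same function works on any PEM certificate, including the machine certificates mentioned in the update below.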

Also check that your second PSC has replicated the new STS certificate.
After that you are done. Don't forget to delete the snapshots once they are no longer needed.

Hope that this helped.



1 thought on “Renewing the default STS (SSO) Certificate of vCenter/PSC in a vCF Environment”

  1. No attachment of the file fixsts.sh

    Thanks

    Mark
