VMware Cloud Community
atomiX201110141
Contributor

Internal Root CA certificate not updating

I'm running into an odd issue that I'm not exactly sure how to handle.

Background:

We are running a standalone VCSA instance (v6.7.0.46000) with 2 connected ESXi 6.7 hosts. Everything is running normally.

For internal/intranet certificates, we use a Windows-based root CA. vCenter is currently using one of these internal certificates and has been for a couple years now. I had initially replaced the self-signed machine cert using "/usr/lib/vmware-vmca/bin/certificate-manager" (Option 1 - Replace Machine SSL certificate with Custom Certificate).

Current Situation:

Our internal root CA had a certificate that was due to expire at the end of this month (Feb 2021), so, being prudent, I renewed the root CA certificate a couple of months back and all has been working fine (new expiration in 2025), but vCenter was still on the old machine cert and root CA cert (both expiring at the end of this month).

I generated a new CSR on VCSA, got it signed by our internal root CA using the new CA cert (expiring in 2025). I proceeded to update the machine certificate once again using certificate-manager (Option 1 - Replace Machine SSL certificate with Custom Certificate). This process worked correctly and now when logging into the vSphere Client web UI, I see the new updated SSL certificate.

My problem here is that I was still getting an alert notification from vCenter/VCSA that a certificate was due to expire soon, so I looked manually through all stores using "vecs-cli" and found only one that was close to expiring: the old root CA certificate, visible using "/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS --text".

I know I used the correct CA certificate file when updating the machine certificate but for some reason, it updated the machine cert but not the CA cert. I can also confirm this using the vSphere client under Administration > Certificates > Certificate Management where it still shows the old root CA cert with an expiration of Feb 2021 instead of in 2025.

I've tried to manually import the new CA cert using the "Add" button, but nothing happens; the same goes for "/usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --chain --cert /ssl_cert/ca.pem". Success is reported, but the 2021 certificate is still being shown.

Should I manually remove the old cert before adding the new one? I'm afraid this might break something. Is the new certificate stored somewhere that I can't see where it will automatically take over when the old one expires?

Thanks
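A check for the situation in this post, added here as an example and not part of the original thread: a root CA certificate renewed on the same key carries the same Subject as the old one, so the Certificate Management view and a subject-based comparison cannot tell them apart, but the SHA-256 fingerprint can. The script assumes the openssl CLI (present on the VCSA shell); the two demo certificates are constructed inside the script, and the path /ssl_cert/ca.pem in the usage comment is the one from the post.

```shell
#!/bin/sh
# Added example, not code from the original post or from VMware.
# Distinguish same-subject CA certificates by fingerprint and flag expiry.

# Constructed demo data: an "old" root CA and a renewal on the SAME key and
# subject, mimicking a Windows CA renewal with "reuse existing key".
make_demo_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/ca.key" -days 30 \
    -subj "/CN=Example Internal Root CA" -out "$1/old-ca.pem" 2>/dev/null
  openssl req -x509 -new -key "$1/ca.key" -days 1500 \
    -subj "/CN=Example Internal Root CA" -out "$1/new-ca.pem" 2>/dev/null
}

fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# Exit 0 only when both files hold the very same certificate (not just subject).
same_cert() { [ "$(fingerprint "$1")" = "$(fingerprint "$2")" ]; }

# Split a PEM bundle into one file per certificate. The saved output of
#   vecs-cli entry list --store TRUSTED_ROOTS --text
# works as input, since it embeds each trusted root as a PEM block.
split_pem() {
  awk -v dir="$2" '/-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/entry-%02d.pem", dir, n) }
                   f { print > f }
                   /-----END CERTIFICATE-----/ { close(f); f = "" }' "$1"
}

# One line per store entry: fingerprint, whether it is the CA cert you
# published ($2), whether it expires within $3 days, and its notAfter date.
audit_store() {
  want=$(fingerprint "$2"); tmp=$(mktemp -d)
  split_pem "$1" "$tmp"
  for f in "$tmp"/entry-*.pem; do
    fp=$(fingerprint "$f"); status=other
    [ "$fp" = "$want" ] && status=PUBLISHED_CERT
    openssl x509 -in "$f" -noout -checkend $(($3 * 86400)) >/dev/null \
      || status="$status,EXPIRES_WITHIN_${3}d"
    printf '%s %s %s\n' "$fp" "$status" "$(openssl x509 -in "$f" -noout -enddate | cut -d= -f2)"
  done
  rm -rf "$tmp"
}

# On a VCSA (not run here): save the store dump, then
#   audit_store /tmp/trusted_roots.txt /ssl_cert/ca.pem 60
# Offline demo: ./check.sh demo
if [ "$1" = "demo" ]; then
  d=$(mktemp -d); make_demo_certs "$d"
  cat "$d/old-ca.pem" "$d/new-ca.pem" > "$d/store.pem"
  audit_store "$d/store.pem" "$d/new-ca.pem" 60; rm -rf "$d"
fi
```

If the line tagged PUBLISHED_CERT is missing from the audit output, the published CA cert is not in the store at all, regardless of what the subject-based listing suggests.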
