Hello,
Wishing you all a happy and healthy New Year.
I am looking for some assistance to renew vCenter solution user certificates. We have 4 PSC servers in the same SSO domain and 4 vCenters, each connecting to its own PSC. We have an external PSC system.
We have now seen that two of the solution user certificates (Machine and vsphere-webclient) are going to expire, so I would like to renew these certificates and need some guidelines/suggestions.
Is there any order/sequence to follow to renew the certificates?
All PSCs first, then 1 vCenter at a time?
One PSC and its vCenter, and then move to the next pair?
Below are KBs from VMware to renew certificates:
https://kb.vmware.com/s/article/2112283
The above KB is via CLI. However, I found the below blogs to renew certificates via GUI.
So is it fine to renew the certificates via the GUI, and does it work fine? Or is the CLI the recommended and safe method to renew certificates?
Thanks in advance
Better to replace all certs so that they have the same expiry date.
All PSC certs first (one at a time) >> Start with STS certs and then all other certs.
1. STS expiry check on PSC >> https://kb.vmware.com/s/article/79248
2. STS replace on PSC >> https://kb.vmware.com/s/article/76719
3. All other certs replace on PSC >> use option 8 >> https://kb.vmware.com/s/article/2112283
4. Then replace all certs on VC, one at a time >> Option 8 - https://kb.vmware.com/s/article/2112283
Thanks Ajay for the response.
Do we need to renew all certificates, even if a few are not expired?
Can't we renew only the expired certificates, such as the solution user certificates?
Please can you suggest whether we can renew only the expired certificates via the GUI, and whether it is a safe method that works? Or should I use the CLI and renew the certificates using Option 6 rather than 8?
Thanks
In my version of vCenter Server 6.7 U3+ I've had multiple issues with replacing the SSL certs through the UI. This procedure wouldn't update all internal solution certs in the end (which I only found out way later). I would suggest using the CLI procedure to replace the certs.
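For the expiry question raised in this thread (which certificates are actually close to expiring, per PSC or vCenter node), here is an added example that is not part of any post above and is not VMware's code. It assumes you have saved a text listing of the certificate stores containing `Alias :` and `Not After :` lines, the fields assumed to appear in `vecs-cli entry list --store <store> --text` output; the `[*] Store :` header line, the 60-day threshold and all sample values are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample listing, not output captured from a real system.
SAMPLE = """\
[*] Store : MACHINE_SSL_CERT
Alias : __MACHINE_CERT
            Not After : Mar  4 09:15:00 2031 GMT
[*] Store : machine
Alias : machine
            Not After : Feb 10 09:15:00 2030 GMT
[*] Store : vsphere-webclient
Alias : vsphere-webclient
            Not After : Jan 20 09:15:00 2030 GMT
"""

STORE = re.compile(r"^\[\*\] Store\s*:\s*(\S+)")   # hypothetical header echoed per store
ALIAS = re.compile(r"^\s*Alias\s*:\s*(\S+)")
NOT_AFTER = re.compile(r"^\s*Not After\s*:\s*(.+?)\s*$")

def parse_expiry(text):
    """Return (store, alias, expiry) tuples found in the listing text."""
    rows, store, alias = [], None, None
    for line in text.splitlines():
        if m := STORE.match(line):
            store, alias = m.group(1), None
        elif m := ALIAS.match(line):
            alias = m.group(1)
        elif (m := NOT_AFTER.match(line)) and alias:
            # OpenSSL-style date; split() collapses the padded day ("Mar  4").
            stamp = " ".join(m.group(1).replace(" GMT", "").split())
            expiry = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
            rows.append((store, alias, expiry.replace(tzinfo=timezone.utc)))
            alias = None  # one expiry per alias; ignore dates of chained certs
    return rows

def due_for_renewal(rows, now, warn_days=60):
    """Entries already expired or expiring within warn_days, soonest first."""
    due = [(s, a, (e - now).days) for s, a, e in rows if (e - now).days < warn_days]
    return sorted(due, key=lambda r: r[2])

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for store, alias, days in due_for_renewal(parse_expiry(SAMPLE), now):
        state = "EXPIRED" if days < 0 else f"{days} days left"
        print(f"{store}/{alias}: {state}")
```

Running the same check on each PSC and vCenter before and after replacement shows whether every solution user certificate was actually updated on that node.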