VMware Cloud Community
LandStmk
Contributor

Change of certificate mode from Thumbprint to VMCA. Tips, Hints, Issues?

Hi,

Due to a "faulty configuration" in the past, we are sort of stuck in thumbprint certificate mode.
Based on the Certificate Mode Switch Workflows documentation (https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-4D658104-1D80-441...), switching from thumbprint to VMCA mode requires removing all ESXi hosts from the vCenter (in our case 30+ ESXi hosts).

We already asked plenty of people what impact this would have on our environment, especially whether there is any loss of configuration like backup tags and so on, but nobody can give us a clear answer.
Has anyone here already done that change from thumbprint to VMCA and can give us any tips, hints or possible negative impacts of this process?

 

Best regards

 

2 Replies
maksym007
Expert

First of all, a backup with a snapshot before implementing the CA is always needed.

Second, substitute certificates via Certificate Manager via SSH.

Third, from me personally: when I tried to add a new certificate, it failed. In the cluster, all my ESXi hosts were in the status "Not Responding".

So before adding a new certificate, disable HA and DRS.

 

 

LandStmk
Contributor

Thank you for your answer.
What about removing all ESXi hosts from vCenter? Is that step really needed as described in the official documentation? We are most afraid of that step, since removing all ESXi hosts from vCenter also means you can't vMotion the VMs away to other ESXi hosts in the meantime, since you need to remove all hosts at the same time, which means you need to remove the ESXi hosts with the VMs on them. Don't we also lose all configuration on all ESXi hosts even after re-adding them to vCenter afterwards?
