- Pre-requisites before certificate renewal
- Take a backup from the VAMI page (port 5480)
- Have all the credentials ready: ESXi/vCenter/VAMI
- Tools required: PuTTY and WinSCP
Certificate renewal
- Log in to the ESXi host where vCenter is running
- Power off the vCenter
- Take a cold snapshot of the vCenter and power it ON
Problem Statement: certificate is due to expire, e.g. Dec 2025

KBs to follow
Follow the URL:
https://knowledge.broadcom.com/external/article/385107/vcert-scripted-vcenter-expired-certific.html
Step 1: Copy the vCert file via WinSCP to the /tmp folder of vCenter
Step 2: Run the below commands
# unzip -q vCert-6.1.0-20250910.zip
# cd vCert-6.1.0-20250910
# chmod +x vCert.py
# ./vCert.py
Step 3: Select option 3 in the below screenshot

Step 4: Select Option 1

Step 5: When prompted to restart vCenter services, press Y
Step 6: If the certificates are still not renewed, follow the below KB
URL: https://knowledge.broadcom.com/external/article/322249/replace-certificates-on-vcenter-server-u.html
Download the script and copy it to the vCenter /tmp folder using WinSCP

Step 7: Run the below commands
# chmod +x fixcerts_3_2.py
# ./fixcerts_3_2.py
# python fixcerts_3_2.py replace --certType all
Step 8: Verify all the validity dates of the certificates

Step 9: If data-encipherment is still not updated with the new date, proceed as per the KB
URL: https://knowledge.broadcom.com/external/article/312152
Copy the script to the vCenter /tmp folder using WinSCP

Step 10: Run the below commands
# chmod +x fixenchiperment_cert.sh
# ./fixenchiperment_cert.sh
Then run the below commands
service-control --stop vpxd
/usr/sbin/vpxd -g
service-control --start vpxd


Step 11: If the certificate “SMS” field is still not updated with the new date, we can delete “SMS” as it is not required. Proceed with the below steps
URL: https://knowledge.broadcom.com/external/article/312152
URL: https://knowledge.broadcom.com/external/article/371774/certificate-status-alert-for-sms-store-c.html
Run the commands
- Backup:
/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store SMS --alias sms_self_signed
- Delete:
/usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store SMS --alias sms_self_signed -y
Example: /usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store sms --alias sms_self_signed -y
- Run the below command to refresh:
/usr/lib/vmware-vmafd/bin/vecs-cli force-refresh

Step 12: Run fixcert.py again to verify the SMS certificate has been removed
# python fixcert.py replace --certType expired_only
All dates should be renewed now.

Step 13: Log in to the vCenter page with [email protected]
Step 14: Go to Administration -> Certificate Management and verify that all the dates are renewed for Machine SSL and STS


Verify all these certificates are renewed in the GUI
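
The validity dates from Step 8 and the final GUI check can also be cross-checked from the vCenter shell. The script below is an added example, not part of the KBs or of the original post; it assumes that "vecs-cli entry list --store <store> --text" prints an "Alias :" line followed by an OpenSSL-style "Not After :" line for each entry, and the sample text inside it is constructed.

```python
"""Flag VECS certificates that are expired or close to expiry."""
import re
import subprocess
import sys
from datetime import datetime, timedelta, timezone

VECS = "/usr/lib/vmware-vmafd/bin/vecs-cli"
ALIAS_RE = re.compile(r"\s*Alias\s*:\s*(\S+)")
AFTER_RE = re.compile(r"\s*Not After\s*:\s*(.+?)\s*$")

def parse_entries(text):
    """Pair each 'Alias' line with the next 'Not After' line."""
    entries, alias = [], None
    for line in text.splitlines():
        if ALIAS_RE.match(line):
            alias = ALIAS_RE.match(line).group(1)
        elif alias and AFTER_RE.match(line):
            # OpenSSL pads single-digit days with an extra space; normalise it.
            stamp = " ".join(AFTER_RE.match(line).group(1).split())
            when = datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT")
            entries.append((alias, when.replace(tzinfo=timezone.utc)))
            alias = None
    return entries

def expiring(entries, now, days=30):
    """Aliases whose certificate expires within `days` of `now`, or already has."""
    return [a for a, not_after in entries if not_after <= now + timedelta(days=days)]

# Constructed sample in the assumed output layout; not from a real vCenter.
SAMPLE = """\
Alias :\t__MACHINE_CERT
            Not After : Nov  3 09:00:00 2027 GMT
Alias :\tdata-encipherment
            Not After : Dec  9 08:15:00 2025 GMT
"""

def main():
    stores = subprocess.check_output([VECS, "store", "list"], text=True).split()
    bad = []
    for store in (s for s in stores if s != "TRUSTED_ROOT_CRLS"):  # holds CRLs, not certificates
        found = parse_entries(subprocess.check_output(
            [VECS, "entry", "list", "--store", store, "--text"], text=True))
        for alias, not_after in found:
            print(f"{store:24} {alias:28} {not_after:%Y-%m-%d}")
        bad += [f"{store}/{a}" for a in expiring(found, datetime.now(timezone.utc))]
    sys.exit("Expired or expiring: " + ", ".join(bad) if bad else 0)

if __name__ == "__main__":
    main()
```

Run as root on the vCenter appliance, it prints one line per store entry and exits non-zero if any certificate expires within 30 days.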
Thanks for reading 🙂