VDRUMZ

Certificate renewal

Problem statement: a vCenter certificate is due to expire, e.g. Dec 2025

KBs to follow

Follow the URL

https://knowledge.broadcom.com/external/article/385107/vcert-scripted-vcenter-expired-certific.html

Step 1: Copy the vCert file via WinSCP to the /tmp folder of vCenter

Step 2: Run the below commands

# unzip -q vCert-6.1.0-20250910.zip
# cd vCert-6.1.0-20250910
# chmod +x vCert.py

# ./vCert.py

Step 3: Select option 3 in the below screenshot

Step 4: Select option 1

Step 5: When prompted to restart vCenter services, press Y

Step 6: If the certificates are still not renewed, follow the below KB

URL: https://knowledge.broadcom.com/external/article/322249/replace-certificates-on-vcenter-server-u.html

Download the script and copy it to the vCenter /tmp folder using WinSCP

Step 7: Run the below commands

# chmod +x fixcerts_3_2.py
# ./fixcerts_3_2.py

# python fixcerts_3_2.py replace --certType all

Step 8: Verify the validity dates of all the certificates

Step 9: If data-encipherment is still not updated with the new date, proceed as per the KB

URL: https://knowledge.broadcom.com/external/article/312152

Copy the script to the vCenter /tmp folder using WinSCP

Step 10: Run the below commands

# chmod +x fixenchiperment_cert.sh
# ./fixenchiperment_cert.sh

Then run the below commands

# service-control --stop vpxd

# /usr/sbin/vpxd -g

# service-control --start vpxd

Step 11: If the “SMS” certificate is still not updated with the new date, we can delete the “SMS” entry as it's not required. Proceed with the below steps

URL: https://knowledge.broadcom.com/external/article/312152

URL: https://knowledge.broadcom.com/external/article/371774/certificate-status-alert-for-sms-store-c.html

Run the commands

  1. Backup:
    /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store SMS --alias sms_self_signed
  2. Delete:
    /usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store SMS --alias sms_self_signed -y
    Example: /usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store sms --alias sms_self_signed -y
  3. Run the below command to refresh:
    /usr/lib/vmware-vmafd/bin/vecs-cli force-refresh

Step 12: Run fixcerts_3_2.py again to verify the SMS certificate has been removed

# python fixcerts_3_2.py replace --certType expired_only

All dates should be renewed now.

Step 13: Log in to the vCenter page with [email protected]

Step 14: Go to Administration -> Certificate Management and verify all the dates are renewed for Machine SSL and STS

Verify all these certificates are renewed in the GUI
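
For the date checks in Steps 8 and 12, the script below is an added example (not part of the Broadcom KBs or of vCert/fixcerts) that lists every VECS entry with its expiry date and flags anything expiring within 30 days. It assumes `vecs-cli entry list --text` prints an `Alias :` line per entry followed by an OpenSSL-style `Not After :` line; the function names and the embedded sample output are constructed for illustration.

```python
import os, re, subprocess
from datetime import datetime, timedelta, timezone

VECS = "/usr/lib/vmware-vmafd/bin/vecs-cli"  # path used in the steps above
ALIAS_RE = re.compile(r"^Alias\s*:\s*(\S+)", re.M)
# Assumed OpenSSL-style text dump: "Not After : Dec  4 10:00:00 2025 GMT"
AFTER_RE = re.compile(r"Not After\s*:\s*(\w{3}\s+\d+ \d\d:\d\d:\d\d \d{4}) GMT")

# Constructed sample of `vecs-cli entry list --store <name> --text` output
SAMPLE = """Number of entries in store :\t2
Alias :\t__MACHINE_CERT
Entry type :\tPrivate Key
            Not Before: Dec  5 10:00:00 2023 GMT
            Not After : Dec  4 10:00:00 2025 GMT
Alias :\tsample_renewed
Entry type :\tPrivate Key
            Not Before: Nov 18 09:30:00 2025 GMT
            Not After : Nov 18 09:30:00 2027 GMT
"""

def parse_entries(store, text):
    """Return [(store, alias, not_after_utc)] for entries that carry a certificate."""
    found = []
    for chunk in re.split(r"(?m)^(?=Alias\s*:)", text):  # one chunk per entry
        alias, after = ALIAS_RE.search(chunk), AFTER_RE.search(chunk)
        if alias and after:  # entries without a validity block (e.g. CRLs) are skipped
            stamp = " ".join(after.group(1).split())  # "Dec  4" -> "Dec 4"
            when = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
            found.append((store, alias.group(1), when.replace(tzinfo=timezone.utc)))
    return found

def expiring(entries, now, days=30):
    """Entries already expired or expiring within `days` of `now`."""
    return [e for e in entries if e[2] <= now + timedelta(days=days)]

def collect():
    """Walk every VECS store on the appliance and parse its entries."""
    run = lambda *a: subprocess.run([VECS, *a], capture_output=True, text=True).stdout
    stores = run("store", "list").split()
    return [e for s in stores for e in parse_entries(s, run("entry", "list", "--store", s, "--text"))]

if __name__ == "__main__":
    # On the appliance read the real stores; elsewhere fall back to the constructed sample
    entries = collect() if os.path.exists(VECS) else parse_entries("SAMPLE", SAMPLE)
    now = datetime.now(timezone.utc)
    flagged = expiring(entries, now)
    for store, alias, when in entries:
        mark = "RENEW" if (store, alias, when) in flagged else "ok"
        print(f"{mark:5} {store:24} {alias:28} {when:%Y-%m-%d} ({(when - now).days} days)")
```

Run it from the vCenter shell before and after the renewal; any line still marked RENEW points at the store and alias that needs the follow-up steps.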

Thanks for reading 🙂
