Automating SSL Certificate Regeneration in VCSA 5.1 & 5.5 (vCenter Server Appliance)

04.08.2013 by William Lam // 4 Comments

The VCSA (vCenter Server Appliance) provides a very simple way of regenerating the self-signed SSL certificate by using the VAMI web management interface. This is extremely useful if you change the IP address or hostname of your VCSA and want a proper SSL certificate with the correct common name, which is especially important if you plan on using something like vCenter Orchestrator, which validates it. To regenerate the SSL certificate, you just need to log in to the VAMI web interface by pointing your browser to the following address: https://[VC-IP]:5480 and under the Admin tab there is an option to "Toggle certificate setting".

After enabling this option, you will need to reboot your VCSA for the new SSL certificate to be generated. Once the VCSA is booted up, you will need to go back into the VAMI interface and disable this setting, else another SSL certificate will be generated upon the next reboot.

I was recently asked if it was possible to automate the SSL regeneration via the command line without using the GUI, which would be very useful for automated VCSA deployments. In looking into this, it turns out the process is quite simple: the presence of a file within the VCSA determines whether a certificate regeneration is required at boot.

To enable certificate regeneration, run the following command, which will "touch" (create) the allow_regeneration file under the /etc/vmware-vpx/ssl directory:

touch /etc/vmware-vpx/ssl/allow_regeneration

To disable certificate regeneration, you just need to remove the file after the VCSA has rebooted. Behind the scenes, this is what happens when you toggle the option in the VAMI interface, and now you can automate it from the CLI without using the GUI!

UPDATE (09/04/13)

For the new VCSA 5.5, there is a new option you can specify which will regenerate the SSL certificate and then delete the file without requiring manual intervention after the reboot. You still need to create the /etc/vmware-vpx/ssl/allow_regeneration file, but if the file contains the string "only-once", the appliance deletes the file automatically after regenerating the certificate, which is nice from an automation perspective.

To regenerate the SSL certificate and have it automatically clean itself up, run the following command:

echo only-once > /etc/vmware-vpx/ssl/allow_regeneration
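The two variants above (an empty marker file that you remove yourself after the reboot, or a marker containing "only-once" on VCSA 5.5) can be wrapped in a few small shell functions so a deployment script can arm regeneration, check whether a regeneration is still pending, and disarm it after the reboot. The example below is added here and is not part of the original post or of VMware's appliance code. It assumes the marker path documented above; the SSL_DIR override exists only so the functions can be exercised outside a real appliance, and the certificate check assumes the regenerated certificate lives at rui.crt in that directory and that the openssl CLI is available, both of which are assumptions not stated on this page.

```shell
#!/bin/sh
# Added example (not from the original post): helpers around the
# /etc/vmware-vpx/ssl/allow_regeneration marker described above.

# SSL_DIR is an assumed override so the helpers can be tested in a scratch
# directory; on a real VCSA it is left unset and defaults to the appliance path.
ssl_dir() { printf '%s' "${SSL_DIR:-/etc/vmware-vpx/ssl}"; }
marker()  { printf '%s/allow_regeneration' "$(ssl_dir)"; }

# Arm regeneration for the next reboot.
#   manual : empty marker file (works on 5.1 and 5.5); must be removed after reboot
#   once   : marker contains "only-once" (5.5 only); the appliance removes it itself
arm_regeneration() {
  mode="${1:-manual}"
  mkdir -p "$(ssl_dir)" || return 1
  case "$mode" in
    once)   printf 'only-once\n' > "$(marker)" ;;
    manual) : > "$(marker)" ;;
    *)      echo "arm_regeneration: unknown mode '$mode'" >&2; return 2 ;;
  esac
}

# Report the current state: "disabled", "pending-manual" or "pending-once".
# Useful after a reboot to confirm a manual-mode marker was not left behind,
# since a leftover marker mints a fresh certificate on every boot.
regeneration_state() {
  if [ ! -e "$(marker)" ]; then
    echo disabled
  elif grep -qx 'only-once' "$(marker)" 2>/dev/null; then
    echo pending-once
  else
    echo pending-manual
  fi
}

# Post-reboot step for manual mode: remove the marker so the next reboot
# does not regenerate the certificate again.
disarm_regeneration() { rm -f "$(marker)"; }

# Verify that a certificate's common name matches the expected hostname.
# Assumed path rui.crt and the openssl CLI are not documented on this page.
# Returns 0 on match, 1 on mismatch, 2 if the certificate cannot be read.
cert_cn_matches() {
  expected="$1"
  cert="${2:-$(ssl_dir)/rui.crt}"
  cn=$(openssl x509 -in "$cert" -noout -subject -nameopt sep_multiline 2>/dev/null \
       | sed -n 's/^ *CN=//p' | head -n 1) || return 2
  [ -n "$cn" ] || return 2
  [ "$cn" = "$expected" ]
}

# Typical use on the appliance (commented out so sourcing this file is harmless):
#   arm_regeneration once && reboot          # VCSA 5.5
#   arm_regeneration manual && reboot        # VCSA 5.1, then after reboot:
#   disarm_regeneration
#   cert_cn_matches "$(hostname -f)" && echo "certificate CN is correct"
```

The state check is the piece worth keeping around: in manual mode a forgotten marker silently replaces the certificate on every reboot, which breaks anything that pinned the previous one, so a deployment script should assert `regeneration_state` reports `disabled` once the post-reboot cleanup has run.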

Categories // Uncategorized Tags // ssl certificate, vami, vcenter, vcsa, vcva

Comments

  1. Blake Garner (@trodemaster) says

    09/24/2015 at 4:33 pm

    Anybody know how to cleanly remove the currently installed CA-generated set of certs and get back to the self-signed ones on vCVA 5.5? Simply turning on cert regeneration and rebooting maintains the CA certs. I see the self-signed ones being generated on boot but not installed.

    Reply
    • Joe says

      01/20/2017 at 11:59 am

      You ever get an answer?

      Reply
  2. Kevin says

    10/08/2015 at 5:16 pm

    This worked for us. I will say that you need to remove or .bak the original .crt files; leave the sms certs alone though... Thanks!

    Reply

Trackbacks

  1. vSphere 6: upgrading a vCSA 5.5 to vCSA 6.0 | vBlog.io says:
    03/12/2015 at 8:34 pm

    […] from Virtually Ghetto about automatic certificate regeneration on a vCSA, HERE. Also check that the machine's FQDN is properly declared in your DNS, etc. […]

    Reply

Author

William Lam is a Senior Staff Solution Architect working in the VMware Cloud team within the Cloud Infrastructure Business Group (CIBG) at VMware. He focuses on Cloud Native technologies, Automation, Integration and Operation for VMware Cloud based Software Defined Datacenters (SDDC).
