I recently had a customer inquiry where they were interested in automating the certificate replacement for vCenter Solution Users when using the /usr/lib/vmware-vmca/bin/certificate-manager CLI, which is found within the vCenter Server Appliance (VCSA).
Note: One important thing to understand is that with vSphere 7.0, the vCenter Solution User certificates have been deprecated and the ability to replace the internal certificates will be removed in a future release as mentioned in the referenced vSphere blog post.
VMware does not recommend replacing the internal vCenter Solution User certificates, but for users who may have an organization requirement to do so, the operation is performed interactively using the certificate-manager CLI as mentioned earlier.
By design, the certificate-manager is meant to be consumed interactively, and non-interactive or automated use cases are not possible ...
With that said, there are a couple of options for those looking to automate some of the certificate replacement workflows, which can be quite tedious.
Option 1:
While the certificate-manager CLI does not offer a non-interactive mode, it is actually a simplified wrapper on top of a number of certificate-related utilities. In fact, every command it runs to perform a given certificate workflow is logged in /var/log/vmware/vmcad/certificate-manager.log, and you can view all the commands and their arguments by looking at the "Running command" entries.
After manually completing a specific certificate workflow using the certificate-manager CLI interactively, you can then run the following command to understand how that workflow can be automated:
grep 'Running command' /var/log/vmware/vmcad/certificate-manager.log
While this would allow a user to automate a given certificate-manager workflow, it is certainly not trivial and does require testing and validation before you might consider rolling this out within your environment. This is why I would recommend Option 2, if it is applicable.
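As an added example (not part of the original post), the shell snippet below pulls the "Running command" entries out of certificate-manager.log in order, strips the log prefix, and flags any extracted command that carries a credential inline so it is not copied verbatim into a script or a ticket. The exact prefix format of the log and the sample entries embedded for offline use are constructed assumptions; the log path is the one from the post.

```shell
#!/bin/sh
# Added example, not from the original post: recover the sequence of commands
# certificate-manager ran during an interactive workflow so it can be reviewed
# before any attempt to script it.
# Assumptions: a log line that contains 'Running command' carries the command
# after that marker. The timestamp/level prefix and the sample log below are
# constructed; real entries come from the log path in the post.

CM_LOG="${CM_LOG:-/var/log/vmware/vmcad/certificate-manager.log}"

# Print one extracted command per line, in log order, with the prefix removed.
# Only grep and sed are used, both of which are present on the VCSA.
extract_running_commands() {
    grep 'Running command' "$1" | sed 's/^.*Running command[^:]*:[[:space:]]*//'
}

# Count how many commands a workflow issued (a quick sanity check between runs).
count_running_commands() {
    extract_running_commands "$1" | grep -c .
}

# List extracted commands that carry a password on the command line, so they
# are reviewed before being reused. The flag names are a constructed pattern,
# not a list taken from the VMware tools.
commands_with_secrets() {
    extract_running_commands "$1" | grep -Ei -- '--(password|passwd|pwd)'
}

# Constructed sample log for offline use (assumed format).
write_sample_log() {
    cat > "$1" <<'EOF'
2024-01-01T10:00:00.000Z INFO certificate-manager Starting workflow
2024-01-01T10:00:01.000Z INFO certificate-manager Running command :['/usr/lib/vmware-vmca/bin/certool', '--getrootca']
2024-01-01T10:00:02.000Z INFO certificate-manager Running command :['/usr/lib/vmware-vmafd/bin/dir-cli', 'service', 'list', '--login', 'administrator@vsphere.local', '--password', '<redacted>']
2024-01-01T10:00:03.000Z INFO certificate-manager Workflow complete
EOF
}

# Usage: ./extract-cm-commands.sh          (reads the real log if present)
#        ./extract-cm-commands.sh --demo   (runs against the constructed sample)
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    write_sample_log "$tmp"
    echo "commands in sample workflow: $(count_running_commands "$tmp")"
    extract_running_commands "$tmp"
    rm -f "$tmp"
elif [ -r "$CM_LOG" ]; then
    extract_running_commands "$CM_LOG"
fi
```

Diff the output of two runs of the same workflow (for example, one per solution user) to see which arguments actually vary; everything that stays constant is the part that can be scripted safely.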
Option 2:
Alternatively, you can use the simple Python script provided in VMware KB 90561, which can be used to replace the vCenter Solution User certificates and, best of all, can be automated. Now, if you need to use your own custom signed certificates for the vCenter Solution User certificates, then you will need to go with Option 1, as Option 2 only supports the default VMware Certificate Authority (VMCA) self-signed certificates.
The other nice thing about using the Python script is that it allows you to specify custom certificate validity and key sizes, which the certificate-manager utility does not support.
Here is an example of replacing all the vCenter Solution User certificates using a non-interactive mode and also changing the validity and key sizes:
python fixcerts.py replace --certType solutionusers --serviceRestart True --silent True --password "VMware1!" --validityDays 1460 --keySize 4096
One thing you will notice is that there is no output from the script while it is running. Everything that is going on is logged in fixcerts.log, which is stored in the working directory, so you may want to open up a second SSH session to the VCSA and tail the log file for progress.
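The following wrapper is an added example, not the script from KB 90561 or anything from the original post. It runs fixcerts.py with the flags shown above, follows fixcerts.log in the same session instead of a second SSH session, and then reads the solution user certificates back out of VECS to confirm the requested validity and key size actually took effect. The fixcerts.py flags are taken from the post; the VECS store and alias names, the vecs-cli path, and the VCSA_SSO_PASSWORD variable are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or from KB 90561: run fixcerts.py
# non-interactively, follow its log, then verify the outcome.
# Assumptions: fixcerts.py accepts exactly the flags shown in the post; the
# VECS stores/aliases and the vecs-cli path below are assumed, not from the post.

FIXCERTS="${FIXCERTS:-./fixcerts.py}"
FIXCERTS_LOG="${FIXCERTS_LOG:-./fixcerts.log}"
VALIDITY_DAYS="${VALIDITY_DAYS:-1460}"
KEY_SIZE="${KEY_SIZE:-4096}"

# Report the RSA key size in bits of a PEM certificate (works with the
# "RSA Public-Key:" and "Public-Key:" spellings of OpenSSL 1.1 and 3.x).
cert_key_bits() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Succeed only if the certificate still has at least $2 days of validity left;
# -checkend returns non-zero when the cert expires within the given window.
cert_valid_at_least_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Key size equals the requested size and validity is at least one day short of
# the requested span (the day of issuance has already partly elapsed).
cert_matches_request() {
    pem="$1"; days="$2"; bits="$3"
    [ "$(cert_key_bits "$pem")" = "$bits" ] \
        && cert_valid_at_least_days "$pem" $(( days - 1 ))
}

# Run the replacement. The SSO password is read from VCSA_SSO_PASSWORD rather
# than typed as a literal, so it does not land in the shell history.
run_fixcerts() {
    [ -n "${VCSA_SSO_PASSWORD:-}" ] || { echo "VCSA_SSO_PASSWORD is not set" >&2; return 2; }
    : > "$FIXCERTS_LOG"
    python "$FIXCERTS" replace --certType solutionusers --serviceRestart True \
        --silent True --password "$VCSA_SSO_PASSWORD" \
        --validityDays "$VALIDITY_DAYS" --keySize "$KEY_SIZE" &
    pid=$!
    tail -n 0 -f "$FIXCERTS_LOG" &   # the script itself is silent; show the log
    tailpid=$!
    wait "$pid"; rc=$?
    kill "$tailpid" 2>/dev/null
    return "$rc"
}

# Read each solution user certificate back from VECS and check it. The store
# and alias names are assumed; adjust them to what vecs-cli lists on your VCSA.
verify_solution_users() {
    for store in machine vpxd vpxd-extension vsphere-webclient; do
        tmp=$(mktemp)
        /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store "$store" \
            --alias "$store" > "$tmp" || { rm -f "$tmp"; return 1; }
        if cert_matches_request "$tmp" "$VALIDITY_DAYS" "$KEY_SIZE"; then
            echo "$store: OK ($(cert_key_bits "$tmp") bit, >= $VALIDITY_DAYS days left)"
        else
            echo "$store: does not match the requested validity/key size" >&2
            rm -f "$tmp"; return 1
        fi
        rm -f "$tmp"
    done
}

# Usage: VCSA_SSO_PASSWORD='...' ./replace-solution-users.sh --run
if [ "${1:-}" = "--run" ]; then
    run_fixcerts && verify_solution_users
fi
```

The verification step is the part worth keeping even if you run fixcerts.py by hand: a non-zero exit from the wrapper means either the script failed (check fixcerts.log) or a store still holds a certificate with the old validity or key size, which is the case you want to catch before the next restart window closes.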
At the end of the day, if you need to replace the vCenter Solution User certificates, both options provide the same outcome; the choice just depends on whether you are using the default VMCA-managed certificates or your own custom ones.
RGB says
Could you do an article about using the vCert tool that support provides at times? It combines all certificate management utilities into one! I love it.
luhnyclimbr says
No doubt I prefer to send the vCert tool to customers over using the built-in tool. I wish we could make that public. I really like the report it generates, and it saves so much time in troubleshooting a cert issue.
S r says
Does this break Tanzu supervisors?