The update planner, part of the vCenter Certificate Automation Tool, allows you to determine the correct order for certificate replacement. Follow the steps in the order that the tool recommends for best results.

Procedure

  1. Log in to a machine on which the vCenter Certificate Automation Tool is installed.
  2. From a command line, navigate to the location to which you unzipped the tool and run the following command.

    ssl-updater.bat

  3. When prompted, select 1. Plan your steps to update SSL certificates.
  4. Enter the numbers that correspond to the services that you want to update.
    • To update more than one SSL certificate, separate the numbers with commas. For example, to update the SSL certificates on vCenter Single Sign-On, vCenter Server, and the vSphere Web Client, type 1,3,4.

    • To update the certificate on all services that are supported by the tool, type 8.

    The vSphere Web Client and the vCenter Log Browser always run on the same machine.

    Note:

    Enter all of the services you intend to update. If you leave out some services initially and run the Update Planner again later, the steps might be incorrect and the update might fail.

    The Update Planner displays the tasks to perform and the order to perform them in.

  5. Save the Update Planner output to a text file.

    Sample output for an environment where all certificates will be replaced is shown below.

    1. Go to the machine with Single Sign-On installed and 
    - Update the Single Sign-On SSL certificate.
    
    2. Go to the machine with Inventory Service installed and 
    - Update Inventory Service trust to Single Sign-On.
    
    3. Go to the machine with Inventory Service installed and 
    - Update the Inventory Service SSL certificate.
    
    4. Go to the machine with vCenter Server installed and 
    - Update vCenter Server trust to Single Sign-On.
    
    5. Go to the machine with vCenter Server installed and 
    - Update the vCenter Server SSL certificate.
    
    6. Go to the machine with vCenter Server installed and 
    - Update vCenter Server trust to Inventory Service.
    
    7. Go to the machine with Inventory Service installed and 
    - Update the Inventory Service trust to vCenter Server.
    
    8. Go to the machine with vCenter Orchestrator installed and 
    - Update vCenter Orchestrator trust to Single Sign-On.
    
    9. Go to the machine with vCenter Orchestrator installed and 
    - Update vCenter Orchestrator trust to vCenter Server.
    
    10. Go to the machine with vCenter Orchestrator installed and 
    - Update the vCenter Orchestrator SSL certificate.
    
    11. Go to the machine with vSphere Web Client installed and 
    - Update vSphere Web Client trust to Single Sign-On.
    
    12. Go to the machine with vSphere Web Client installed and 
    - Update vSphere Web Client trust to Inventory Service.
    
    13. Go to the machine with vSphere Web Client installed and 
    - Update vSphere Web Client trust to vCenter Server.
    
    14. Go to the machine with vSphere Web Client installed and 
    - Update the vSphere Web Client SSL certificate.
    
    15. Go to the machine with Log Browser installed and 
    - Update the Log Browser trust to Single Sign-On.
    
    16. Go to the machine with Log Browser installed and 
    - Update the Log Browser SSL certificate.
    
    17. Go to the machine with vSphere Update Manager installed and 
    - Update the vSphere Update Manager SSL certificate.
    
    18. Go to the machine with vSphere Update Manager installed and 
    - Update vSphere Update Manager trust to vCenter Server.
  6. Type 9 to return to the main menu.

What to do next

Update certificates and trusts. See Run the Tool to Update SSL Certificates and Trusts.
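
The Update Planner output saved in step 5 can be checked for completeness and turned into a per-machine checklist before any certificate is replaced. The following Python script is an added example, not part of the vCenter Certificate Automation Tool; it assumes the saved file has the same layout as the sample output above, and the function names and the embedded sample are constructed for illustration.

```python
import re

# Hypothetical helpers; not part of the vCenter Certificate Automation Tool.
# Constructed sample: the first three steps of the sample output on this page.
SAMPLE = """\
1. Go to the machine with Single Sign-On installed and
- Update the Single Sign-On SSL certificate.

2. Go to the machine with Inventory Service installed and
- Update Inventory Service trust to Single Sign-On.

3. Go to the machine with Inventory Service installed and
- Update the Inventory Service SSL certificate.
"""

STEP_RE = re.compile(r"^\s*(\d+)\.\s+Go to the machine with (.+?) installed and\s*$")
ACTION_RE = re.compile(r"^\s*-\s+(.+?)\s*$")

def parse_plan(text):
    """Return [(number, machine, action), ...] in the order the planner printed them."""
    steps, pending = [], None
    for line in text.splitlines():
        m = STEP_RE.match(line)
        if m:
            if pending is not None:
                raise ValueError(f"step {pending[0]} has no action line")
            pending = (int(m.group(1)), m.group(2))
            continue
        a = ACTION_RE.match(line)
        if a and pending is not None:
            steps.append((pending[0], pending[1], a.group(1)))
            pending = None
    if pending is not None:
        raise ValueError(f"step {pending[0]} has no action line")
    # A gap in the numbering means the saved copy is truncated or was edited.
    numbers = [n for n, _, _ in steps]
    if numbers != list(range(1, len(steps) + 1)):
        raise ValueError(f"step numbers not contiguous from 1: {numbers}")
    return steps

def group_by_machine(steps):
    """Collapse consecutive steps on the same machine into one visit, keeping order."""
    visits = []
    for number, machine, action in steps:
        if visits and visits[-1][0] == machine:
            visits[-1][1].append((number, action))
        else:
            visits.append((machine, [(number, action)]))
    return visits
```

Pass the contents of the text file saved in step 5 to `parse_plan`; a `ValueError` means the saved copy is missing a step or an action line and should be regenerated before you proceed.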