After you replace the machine SSL certificates, you can replace the VMCA-signed solution user certificates with third-party or enterprise certificates.

Before you begin

  • Key size: 2048 bits or more (PEM encoded)

  • CRT format

  • x509 version 3

  • SubjectAltName must contain DNS Name=<machine_FQDN>

  • Each solution user certificate must have a different Subject. Consider, for example, including the solution user name (such as vpxd) or other unique identifier.

  • Contains the following Key Usages: Digital Signature, Non Repudiation, Key Encipherment

About this task

Solution users use certificates only to authenticate to vCenter Single Sign-On. If the certificate is valid, vCenter Single Sign-On assigns a SAML token to the solution user, and the solution user uses the SAML token to authenticate to other vCenter components.

Consider whether replacement of solution user certificates is necessary in your environment. Because solution users are located behind a proxy server and the machine SSL certificate is used to secure SSL traffic, the solution user certificates might be less of a security concern.

You replace the machine solution user certificate on each management node and on each Platform Services Controller node. You replace the other solution user certificates only on each management node. Use the --server parameter to point to the Platform Services Controller when you run commands on a management node with an external Platform Services Controller.

Note:

When you list solution user certificates in large deployments, the output of dir-cli list includes all solution users from all nodes. Run vmafd-cli get-machine-id --server-name localhost to find the local machine ID for each host. Each solution user name includes the machine ID.

Procedure

  1. Stop all services and start the services that handle certificate creation, propagation, and storage.
    service-control --stop --all
    service-control --start vmafdd
    service-control --start vmdird
    service-control --start vmca
    
  2. Find the name for each solution user.
    dir-cli service list 
    

    You can use the unique ID that is returned when you replace the certificates. The input and output might look as follows.

    C:\Program Files\VMware\vCenter Server\vmafdd>dir-cli service list
    Enter password for administrator@vsphere.local:
    1. machine-1d364500-4b45-11e4-96c2-020011c98db3
    2. vpxd-1d364500-4b45-11e4-96c2-020011c98db3
    3. vpxd-extension-1d364500-4b45-11e4-96c2-020011c98db3
    4. vsphere-webclient-1d364500-4b45-11e4-96c2-020011c98db3

    When you list solution user certificates in multi-node deployments, the output of dir-cli list includes all solution users from all nodes. Run vmafd-cli get-machine-id --server-name localhost to find the local machine ID for each host. Each solution user name includes the machine ID.

  3. For each solution user, replace the existing certificate in VECS and then in vmdir.

    You must add the certificates in that order.

    vecs-cli entry delete --store vpxd --alias vpxd
    vecs-cli entry create --store vpxd --alias vpxd --cert vpxd.crt --key vpxd.priv
    dir-cli service update --name <vpxd-xxxx-xxx-xxxxxx> --cert vpxd.crt
    
    Note:

    Solution users cannot authenticate to vCenter Single Sign-On if you do not replace the certificate in vmdir.

  4. Restart all services.
    service-control --start --all