Certificate replacement in deployments that include multiple management nodes and one or more Platform Services Controller nodes is similar to replacement in embedded deployments. In both cases, you can use the vSphere Certificate Manager utility or replace certificates manually. A few best practices guide the replacement process.
Certificate Replacement in High Availability Environments That Include a Load Balancer
In environments with fewer than eight vCenter Server systems, VMware typically recommends a single Platform Services Controller instance and its associated vCenter Single Sign-On service. In larger environments, consider using multiple Platform Services Controller instances protected by a network load balancer. The white paper vCenter Server 6.0 Deployment Guide on the VMware website discusses this setup.
Replacement of Machine SSL Certificates in Environments with Multiple Management Nodes
If your environment includes multiple management nodes and a single Platform Services Controller, you can replace certificates with the vSphere Certificate Manager utility, or manually with vSphere CLI commands.
- vSphere Certificate Manager
- You run vSphere Certificate Manager on each machine. On management nodes, you are prompted for the IP address of the Platform Services Controller. Depending on the task you perform, you are also prompted for certificate information.
- Manual Certificate Replacement
- For manual certificate replacement, you run the certificate replacement commands on each machine. On management nodes, you must specify the Platform Services Controller with the --server parameter. See the following topics for details:
Replacement of Solution User Certificates in Environments with Multiple Management Nodes
If your environment includes multiple management nodes and a single Platform Services Controller, follow these steps to replace the solution user certificates.
- vSphere Certificate Manager
- You run vSphere Certificate Manager on each machine. On management nodes, you are prompted for the IP address of the Platform Services Controller. Depending on the task you perform, you are also prompted for certificate information.
- Manual Certificate Replacement
- Generate or request the certificates. You need the following:
  - A certificate for the machine solution user on the Platform Services Controller.
  - A certificate for the machine solution user on each management node.
  - A certificate for each of the following solution users on each management node: vpxd, vpxd-extension, and vsphere-webclient.
- Replace the certificates on each node. The precise process depends on the type of certificate replacement that you are performing. See Managing Certificates with the vSphere Certificate Manager Utility.
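The manual solution-user procedure above, carried out for one node at a time, as an added example that is not part of the original page and not VMware's own tooling. The script wraps the vecs-cli entry delete/create and dir-cli service update steps for every solution user a node has (only machine on the Platform Services Controller; machine, vpxd, vpxd-extension and vsphere-webclient on a management node) and adds --server to the dir-cli call only on management nodes, where vmdir is remote. The tool paths, the certificate file layout under CERT_DIR, the <user>-<machine-id> naming of the vmdir service entries, and the DRY_RUN switch are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not VMware code: replace solution-user certificates on one
# node of a multi-node deployment (one PSC, several management nodes).
#
# Assumptions (hypothetical, adjust for your site):
#   - vecs-cli and dir-cli live in $VMAFD_BIN, as on a vSphere 6.0 appliance.
#   - The new certificate and key for each solution user are stored as
#     $CERT_DIR/<user>.cer and $CERT_DIR/<user>.priv on the node being updated.
#   - The vmdir service name for a solution user is <user>-<machine-id>; the
#     machine id is read beforehand with "vmafd-cli get-machine-id
#     --server-name localhost" and passed in as an argument.
#   - DRY_RUN=1 (the default) prints every command instead of executing it,
#     so the plan can be reviewed before it is run on a real node.

VMAFD_BIN="${VMAFD_BIN:-/usr/lib/vmware-vmafd/bin}"
CERT_DIR="${CERT_DIR:-/tmp/newcerts}"
SSO_ADMIN="${SSO_ADMIN:-administrator@vsphere.local}"
DRY_RUN="${DRY_RUN:-1}"

# Solution users that exist on a management node; a PSC has only "machine".
MGMT_USERS="machine vpxd vpxd-extension vsphere-webclient"
PSC_USERS="machine"

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Replace one solution user's certificate: swap the entry in the local VECS
# store, then register the new certificate with vmdir.
# $1 = solution user (VECS store and alias), $2 = machine id,
# $3 = PSC FQDN on a management node, empty when running on the PSC itself.
replace_solution_user() {
  user="$1"; machine_id="$2"; psc="$3"
  cert="$CERT_DIR/$user.cer"
  key="$CERT_DIR/$user.priv"
  service="$user-$machine_id"

  run "$VMAFD_BIN/vecs-cli" entry delete --store "$user" --alias "$user" -y
  run "$VMAFD_BIN/vecs-cli" entry create --store "$user" --alias "$user" \
      --cert "$cert" --key "$key"
  if [ -n "$psc" ]; then
    # Management node: vmdir runs on the PSC, so dir-cli must be pointed at it.
    run "$VMAFD_BIN/dir-cli" service update --name "$service" --cert "$cert" \
        --server "$psc" --login "$SSO_ADMIN"
  else
    run "$VMAFD_BIN/dir-cli" service update --name "$service" --cert "$cert" \
        --login "$SSO_ADMIN"
  fi
}

# Replace every solution user this node has, then restart services so they
# pick up the new certificates.
# $1 = role ("psc" or "mgmt"), $2 = machine id, $3 = PSC FQDN (mgmt only).
replace_node() {
  role="$1"; node_machine_id="$2"; node_psc="$3"
  if [ "$role" = "psc" ]; then
    users="$PSC_USERS"; node_psc=""
  else
    users="$MGMT_USERS"
  fi
  for u in $users; do
    replace_solution_user "$u" "$node_machine_id" "$node_psc"
  done
  run service-control --stop --all
  run service-control --start --all
}

# Usage: sh replace-solution-users.sh psc  <machine-id>
#        sh replace-solution-users.sh mgmt <machine-id> <psc-fqdn>
if [ -n "${1:-}" ]; then
  replace_node "$@"
fi
```

Run it first with the default DRY_RUN=1 on each node and read the printed plan: the management-node plan must show --server on every dir-cli line and the PSC plan must show none, and the service names must match what dir-cli service list reports for that node. Only then rerun with DRY_RUN=0.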
Certificate Replacement in Environments That Include External Solutions
Some solutions, such as VMware vCenter Site Recovery Manager or VMware vSphere Replication, are always installed on a different machine than the vCenter Server system or Platform Services Controller. If you replace the default machine SSL certificate on the vCenter Server system or the Platform Services Controller, the solution still holds the old certificate, and a connection error results when it attempts to connect to the vCenter Server system.
You can run the ls_update_certs script to resolve the issue. See VMware Knowledge Base article 2109074 for details.