You generate new VMCA-signed certificates with the certool CLI or the vSphere Certificate Manager utility and publish the certificates to vmdir.
In a multi-node deployment, you run root certificate generation commands on the Platform Services Controller.
Procedure
Example: Generate a New VMCA-Signed Root Certificate
The following example shows all the steps for verifying the current root CA information, and for regenerating the root certificate.
- (Optional) List the VMCA root certificate to make sure it is in the certificate store.
- On a Platform Services Controller node or embedded installation:
C:\>"C:\Program Files\VMware\vCenter Server\vmcad\"certool --getrootca
- On a management node (external installation):
C:\>"C:\Program Files\VMware\vCenter Server\vmcad\"certool --getrootca --server=<psc-ip-or-fqdn>
The output looks similar to this:output: Certificate: Data: Version: 3 (0x2) Serial Number: cf:2d:ff:49:88:50:e5:af ...
- On a Platform Services Controller node or embedded installation:
- (Optional) List the VECS TRUSTED_ROOTS store and compare the certificate serial number there with the output from Step 1.
This command works on both Platform Services Controller nodes and management nodes because VECS polls vmdir.
"C:\Program Files\VMware\vCenter Server\vmafdd\"vecs-cli entry list --store TRUSTED_ROOTS --text
In the simplest case with only one root certificate, the output looks like this:Number of entries in store : 1 Alias : 960d43f31eb95211ba3a2487ac840645a02894bd Entry type : Trusted Cert Certificate: Data: Version: 3 (0x2) Serial Number: cf:2d:ff:49:88:50:e5:af
- Generate a new VMCA root certificate. The command adds the certificate to the TRUSTED_ROOTS store in VECS and in vmdir (VMware Directory Service).
C:\>"C:\Program Files\VMware\vCenter Server\vmcad\"certool --selfca --config="C:\Program Files\VMware\vCenter Server\vmcad\certool.cfg"
On Windows, --config is optional because the command uses the default certool.cfg file.