During upgrade, your environment might temporarily include both vCenter Single Sign-On version 5.5 and vCenter Single Sign-On version 6.x. For that case, you have to perform additional steps to replace the VMware Directory Service SSL certificate if you replace the SSL certificate of the node on which the vCenter Single Sign-On service is running.
The VMware Directory Service SSL certificate is used by vmdir to perform handshakes between Platform Services Controller nodes that perform vCenter Single Sign-On replication.
These steps are not required for a mixed mode environment that includes vSphere 6.0 and vSphere 6.5 nodes. These steps are required only if:
Your environment includes both vCenter Single Sign-On 5.5 and vCenter Single Sign-On 6.x services.
The vCenter Single Sign-On services are set up to replicate vmdir data.
You plan to replace the default VMCA-signed certificates with custom certificates for the node on which the vCenter Single Sign-On 6.x service runs.
Upgrading the complete environment before restarting the services is best practice. Replacing the VMware Directory Service certificate is not usually recommended.
- On the node on which the vCenter Single Sign-On 5.5 service runs, set up the environment so the vCenter Single Sign-On 6.x service is known.
- Back up all files C:\ProgramData\VMware\CIS\cfg\vmdird.
- Make a copy of the vmdircert.pem file on the 6.x node, and rename it to <sso_node2.domain.com>.pem, where <sso_node2.domain.com> is the FQDN of the 6.x node.
- Copy the renamed certificate to C:\ProgramData\VMware\CIS\cfg\vmdird to replace the existing replication certificate.
- Restart the VMware Directory Service on all machines where you replaced certificates.
You can restart the service from the vSphere Web Client or use the service-control command.