After you replace the machine SSL certificates, you can replace all solution user certificates. Solution user certificates must be valid, that is, not expired, but none of the other information in the certificate is used by the certificate infrastructure.

Many VMware customers do not replace solution user certificates. They replace only the machine SSL certificates with custom certificates. This hybrid approach satisfies the requirements of their security teams.
  • Certificates either sit behind a proxy, or they are custom certificates.
  • No intermediate CAs are used.

You replace the machine solution user certificate and the solution user certificate on each vCenter Server system.

Note: When you list solution user certificates in large deployments, the output of dir-cli list includes all solution users from all nodes. Run vmafd-cli get-machine-id --server-name localhost to find the local machine ID for each host. Each solution user name includes the machine ID.

Prerequisites

Be prepared to stop all services and to start the services that handle certificate propagation and storage.

Procedure

  1. Make one copy of certool.cfg, remove the Name, IP address, DNS name, and email fields, and rename the file, for example, to sol_usr.cfg.
    You can name the certificates from the command line as part of generation. The other information is not needed for solution users. If you leave the default information, the certificates that are generated are potentially confusing.
  2. Generate a public/private key file pair and a certificate for each solution user, passing in the configuration file that you just customized.
    For example:
    certool --genkey --privkey=vpxd.priv --pubkey=vpxd.pub 
    certool --gencert --privkey=vpxd.priv --cert vpxd.crt --Name=VPXD_1 --config sol_usr.cfg
  3. Find the name for each solution user.
    dir-cli service list 
    
    You can use the unique ID that is returned when you replace the certificates. The input and output might look as follows.
    dir-cli service list
    Enter password for administrator@vsphere.local:
    1. machine-623bef28-0311-436e-b21f-6e0d39aa5179
    2. vsphere-webclient-623bef28-0311-436e-b21f-6e0d39aa5179
    3. vpxd-623bef28-0311-436e-b21f-6e0d39aa5179
    4. vpxd-extension-623bef28-0311-436e-b21f-6e0d39aa5179
    5. hvc-623bef28-0311-436e-b21f-6e0d39aa5179
    6. wcp-1cbe0a40-e4ce-4378-b5e7-9460e2b8200e
    In a deployment of multiple vCenter Server instances connected in Enhanced Linked Mode configuration, the output of dir-cli service list includes all solution users from all nodes. Run vmafd-cli get-machine-id --server-name localhost to find the local machine ID for each host. Each solution user name includes the machine ID.
  4. Stop all services and start the services that handle certificate creation, propagation, and storage.
    service-control --stop --all
    service-control --start vmafdd
    service-control --start vmdird
    service-control --start vmcad
    
  5. For each solution user, replace the existing certificate in vmdir and then in VECS.
    The following example shows how to replace the certificates for the vpxd service.
    dir-cli service update --name <vpxd-xxxx-xxx-7c7b769cd9f4> --cert ./vpxd.crt
    vecs-cli entry delete --store vpxd --alias vpxd
    vecs-cli entry create --store vpxd --alias vpxd --cert vpxd.crt --key vpxd.priv
    
    
    Note: Solution users cannot authenticate to vCenter Single Sign-On if you do not replace the certificate in vmdir.
  6. Restart all services.
    service-control --start --all
    

Example: Using VMCA-Signed Solution User Certificates

  1. Generate a public/private key pair for each solution user on each vCenter Server node in an Enhanced Linked Mode configuration. That includes a pair for the machine solution and a pair for each additional solution user (vpxd, vpxd-extension, vsphere-webclient, wcp).
    1. Generate a key pair for the machine solution user.
      /usr/lib/vmware-vmca/bin/certool --genkey --privkey=machine-key.priv --pubkey=machine-key.pub
      
    2. Generate a key pair for the vpxd solution user on each node.
      /usr/lib/vmware-vmca/bin/certool --genkey --privkey=vpxd-key.priv --pubkey=vpxd-key.pub
    3. Generate a key pair for the vpxd-extension solution user on each node.
      /usr/lib/vmware-vmca/bin/certool --genkey --privkey=vpxd-extension-key.priv --pubkey=vpxd-extension-key.pub
    4. Generate a key pair for the vsphere-webclient solution user on each node.
      /usr/lib/vmware-vmca/bin/certool --genkey --privkey=vsphere-webclient-key.priv --pubkey=vsphere-webclient-key.pub
    5. Generate a key pair for the wcp solution user on each node.
      /usr/lib/vmware-vmca/bin/certool --genkey --privkey=wcp-key.priv --pubkey=wcp-key.pub
  2. Generate solution user certificates that are signed by the new VMCA root certificate for the machine solution user and for each additional solution user (vpxd, vpxd-extension, vsphere-webclient, wcp) on each vCenter Server node.
    Note: The --Name parameter has to be unique. Including the name of the solution user store name makes it easy to see which certificate maps to which solution user. The example includes the name, for example vpxd or vpxd-extension in each case.
    1. Run the following command to generate a solution user certificate for the machine solution user on that node.
      /usr/lib/vmware-vmca/bin/certool --gencert --cert=new-machine.crt --privkey=machine-key.priv --Name=machine 
      
    2. Generate a certificate for the machine solution user on each node.
      /usr/lib/vmware-vmca/bin/certool --gencert --cert=new-machine.crt --privkey=machine-key.priv --Name=machine
    3. Generate a certificate for the vpxd solution user on each node.
      /usr/lib/vmware-vmca/bin/certool --gencert --cert=new-vpxd.crt --privkey=vpxd-key.priv --Name=vpxd
      
    4. Generate a certificate for the vpxd-extensions solution user on each node.
      /usr/lib/vmware-vmca/bin/certool --gencert --cert=new-vpxd-extension.crt --privkey=vpxd-extension-key.priv --Name=vpxd-extension
    5. Generate a certificate for the vsphere-webclient solution user on each node by running the following command.
      /usr/lib/vmware-vmca/bin/certool --gencert --cert=new-vsphere-webclient.crt --privkey=vsphere-webclient-key.priv --Name=vsphere-webclient
    6. Generate a certificate for the wcp solution user on each node by running the following commands.
      /usr/lib/vmware-vmca/bin/certool --gencert --cert=new-wcp.crt --privkey=wcp-key.priv --Name=wcp
  3. Replace the solution user certificates in VECS with the new solution user certificates.
    Note: The --store and --alias parameters have to exactly match the default names for services.
    1. Replace the machine solution user certificate on each node:
      /usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store machine --alias machine
      /usr/lib/vmware-vmafd/bin/vecs-cli entry create --store machine --alias machine --cert new-machine-vc.crt --key machine-vc-key.priv
      
    2. Replace the vpxd solution user certificate on each node.
      /usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store vpxd --alias vpxd
      /usr/lib/vmware-vmafd/bin/vecs-cli entry create --store vpxd --alias vpxd --cert new-vpxd.crt --key vpxd-key.priv
      
    3. Replace the vpxd-extension solution user certificate on each node.
      /usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store vpxd-extension --alias vpxd-extension
      /usr/lib/vmware-vmafd/bin/vecs-cli entry create --store vpxd-extension --alias vpxd-extension --cert new-vpxd-extension.crt --key vpxd-extension-key.priv
      
    4. Replace the vsphere-webclient solution user certificate on each node.
      /usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store vsphere-webclient --alias vsphere-webclient
      /usr/lib/vmware-vmafd/bin/vecs-cli entry create --store vsphere-webclient --alias vsphere-webclient --cert new-vsphere-webclient.crt --key vsphere-webclient-key.priv
      
    5. Replace the wcp solution user certificate on each node.
      /usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store wcp --alias wcp
      /usr/lib/vmware-vmafd/bin/vecs-cli entry create --store wcp --alias wcp --cert new-wcp.crt --key wcp-key.priv
      
  4. Update VMware Directory Service (vmdir) with the new solution user certificates. You are prompted for a vCenter Single Sign-On administrator password.
    1. Run dir-cli service list to get the unique service ID suffix for each solution user. You run this command on a vCenter Server system.
      /usr/lib/vmware-vmafd/bin/dir-cli service list
      output:
      1. machine-623bef28-0311-436e-b21f-6e0d39aa5179
      2. vsphere-webclient-623bef28-0311-436e-b21f-6e0d39aa5179
      3. vpxd-623bef28-0311-436e-b21f-6e0d39aa5179
      4. vpxd-extension-623bef28-0311-436e-b21f-6e0d39aa5179
      5. hvc-623bef28-0311-436e-b21f-6e0d39aa5179
      6. wcp-1cbe0a40-e4ce-4378-b5e7-9460e2b8200e
      Note: When you list solution user certificates in large deployments, the output of dir-cli list includes all solution users from all nodes. Run vmafd-cli get-machine-id --server-name localhost to find the local machine ID for each host. Each solution user name includes the machine ID.
    2. Replace the machine certificate in vmdir on each vCenter Server node. For example, if machine-6fd7f140-60a9-11e4-9e28-005056895a69 is the machine solution user on the vCenter Server, run this command:
      /usr/lib/vmware-vmafd/bin/dir-cli service update --name machine-6fd7f140-60a9-11e4-9e28-005056895a69 --cert new-machine-2.crt
    3. Replace the vpxd solution user certificate in vmdir on each node. For example, if vpxd-6fd7f140-60a9-11e4-9e28-005056895a69 is the vpxd solution user ID, run this command:
      /usr/lib/vmware-vmafd/bin/dir-cli service update --name vpxd-6fd7f140-60a9-11e4-9e28-005056895a69 --cert new-vpxd.crt
    4. Replace the vpxd-extension solution user certificate in vmdir on each node. For example, if vpxd-extension-6fd7f140-60a9-11e4-9e28-005056895a69 is the vpxd-extension solution user ID, run this command:
      /usr/lib/vmware-vmafd/bin/dir-cli update --name vpxd-extension-6fd7f140-60a9-11e4-9e28-005056895a69 --cert new-vpxd-extension.crt
      
    5. Replace the vsphere-webclient solution user certificate on each node. For example, if vsphere-webclient-6fd7f140-60a9-11e4-9e28-005056895a69 is the vsphere-webclient solution user ID, run this command:
      /usr/lib/vmware-vmafd/bin/dir-cli service update --name vsphere-webclient-6fd7f140-60a9-11e4-9e28-005056895a69 --cert new-vsphere-webclient.crt
      
    6. Replace the wcp solution user certificate on each node. For example, if wcp-1cbe0a40-e4ce-4378-b5e7-9460e2b8200e is the wcp solution user ID, run this command:
      /usr/lib/vmware-vmafd/bin/dir-cli service update --name wcp-1cbe0a40-e4ce-4378-b5e7-9460e2b8200e --cert new-wcp.crt
      

What to do next

Restart all services on each vCenter Server node.