You generate new VMCA-signed certificates with the certool CLI or the vSphere Certificate Manager utility and publish the certificates to vmdir.
Procedure
Example: Generate a New VMCA-Signed Root Certificate
The following example shows all the steps for verifying the current root CA information, and for regenerating the root certificate.
- (Optional) On the vCenter Server, list the VMCA root certificate to make sure it is in the certificate store.
/usr/lib/vmware-vmca/bin/certool --getrootca
The output looks similar to this:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: cf:2d:ff:49:88:50:e5:af
...
- (Optional) List the VECS TRUSTED_ROOTS store and compare the certificate serial number there with the output from Step 1.
/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS --text
In the simplest case with only one root certificate, the output looks like this:

Number of entries in store : 1
Alias : 960d43f31eb95211ba3a2487ac840645a02894bd
Entry type : Trusted Cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: cf:2d:ff:49:88:50:e5:af
- Generate a new VMCA root certificate. The command adds the new certificate to the TRUSTED_ROOTS store in VECS and publishes it to vmdir (VMware Directory Service).
/usr/lib/vmware-vmca/bin/certool --selfca --config=/usr/lib/vmware-vmca/share/config/certool.cfg
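The three steps above can be scripted so that the serial-number comparison in Step 2 is done by the machine rather than by eye, and so that the root is only regenerated when certool and VECS agree. The script below is an added example and is not part of this page or of the VMware tooling; it uses only the certool and vecs-cli invocations shown above. The parser reads openssl-style certificate text and handles both layouts openssl uses for the Serial Number field (value on the same line, or on the line after the label). The sample certool and vecs-cli output embedded at the bottom is constructed (a second store entry with a made-up alias and serial was added) so the parsing can be exercised without an appliance.

```shell
#!/bin/sh
# Added example, not from the VMware page: check that the VMCA root
# certificate and the VECS TRUSTED_ROOTS store agree before regenerating
# the root with "certool --selfca". Paths are the ones the page lists.
CERTOOL=/usr/lib/vmware-vmca/bin/certool
VECS_CLI=/usr/lib/vmware-vmafd/bin/vecs-cli
CERTOOL_CFG=/usr/lib/vmware-vmca/share/config/certool.cfg

# Print the value of every "Serial Number:" field in openssl-style text
# read from stdin, one per line, lowercase with colons and spaces removed.
# openssl prints long serials on the line after the label, so both layouts
# are handled.
serials_from_text() {
    awk '
        /^[ \t]*Serial Number:/ {
            sub(/^[ \t]*Serial Number:[ \t]*/, "")
            if ($0 == "") getline
            gsub(/[: \t]/, "")
            print tolower($0)
        }'
}

# Succeed when the first argument (the root serial) equals one of the
# remaining arguments (the serials found in TRUSTED_ROOTS).
serial_is_trusted() {
    root=$1
    shift
    for s in "$@"; do
        [ "$s" = "$root" ] && return 0
    done
    return 1
}

# Compare the live certool root against the live VECS store (Steps 1 and 2).
# Returns 0 when the root's serial number is present in TRUSTED_ROOTS.
verify_root_in_vecs() {
    root=$("$CERTOOL" --getrootca | serials_from_text | head -n 1)
    store=$("$VECS_CLI" entry list --store TRUSTED_ROOTS --text | serials_from_text)
    [ -n "$root" ] || { echo "no root serial from certool" >&2; return 1; }
    # word-splitting $store on newlines is intended
    serial_is_trusted "$root" $store
}

# Step 3, gated on the verification above.
regenerate_root() {
    verify_root_in_vecs || { echo "certool and VECS disagree; not regenerating" >&2; return 1; }
    "$CERTOOL" --selfca --config="$CERTOOL_CFG"
}

# Constructed sample output, modelled on the layout the page shows, with a
# made-up second store entry so the multi-entry case is covered.
SAMPLE_ROOT='Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: cf:2d:ff:49:88:50:e5:af'
SAMPLE_STORE='Number of entries in store : 2
Alias : 960d43f31eb95211ba3a2487ac840645a02894bd
Entry type : Trusted Cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            cf:2d:ff:49:88:50:e5:af
Alias : constructed-second-entry
Entry type : Trusted Cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 01:02:03:04'

# Offline check over the constructed samples; returns 0 when the sample
# root serial is found in the sample store.
check_samples() {
    root=$(printf '%s\n' "$SAMPLE_ROOT" | serials_from_text)
    store=$(printf '%s\n' "$SAMPLE_STORE" | serials_from_text)
    serial_is_trusted "$root" $store
}

# Touch the live appliance only when explicitly asked (RUN_LIVE=1).
if [ "${RUN_LIVE:-0}" = 1 ]; then
    regenerate_root
fi
```

Run it with `RUN_LIVE=1` on the vCenter Server to perform the real check and regeneration; without that variable it only defines the functions, so it can be sourced or tested on any host. Serial numbers are compared rather than aliases because the alias in VECS is a fingerprint-style handle that certool does not print, while the serial appears in both outputs.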