
Replace Solution User Certificates With Custom Certificates

After you replace the machine SSL certificates, you can replace the VMCA-signed solution user certificates with third-party or enterprise certificates.

Solution users use certificates only to authenticate to vCenter Single Sign-On. If the certificate is valid, vCenter Single Sign-On assigns a SAML token to the solution user, and the solution user uses the SAML token to authenticate to other vCenter components.

Consider whether replacement of solution user certificates is necessary in your environment. Because solution users are located behind a proxy server and the machine SSL certificate is used to secure SSL traffic, the solution user certificates might be less of a security concern.

You replace the machine solution user certificate on each management node and on each Platform Services Controller node. You replace the other solution user certificates only on each management node. Use the --server parameter to point to the Platform Services Controller when you run commands on a management node with an external Platform Services Controller.

NOTE When you list solution user certificates in large deployments, the output of dir-cli service list includes all solution users from all nodes. Run vmafd-cli get-machine-id --server-name localhost to find the local machine ID for each host. Each solution user name includes the machine ID.

Prerequisites

n Key size: 2048 bits or more (PEM encoded)

n CRT format

n x509 version 3

n SubjectAltName must contain DNS Name=<machine_FQDN>

n Each solution user certificate must have a different Subject. Consider, for example, including the solution user name (such as vpxd) or other unique identifier.

n Contains the following Key Usages: Digital Signature, Non Repudiation, Key Encipherment

Procedure

1 Stop all services and start the services that handle certificate creation, propagation, and storage.

service-control --stop --all
service-control --start vmafdd
service-control --start vmdird
service-control --start vmca

2 Find the name for each solution user.

dir-cli service list

You can use the unique ID that is returned when you replace the certificates. The input and output might look as follows.

C:\Program Files\VMware\vCenter Server\vmafdd>dir-cli service list
Enter password for [email protected]:
1. machine-1d364500-4b45-11e4-96c2-020011c98db3
2. vpxd-1d364500-4b45-11e4-96c2-020011c98db3
3. vpxd-extension-1d364500-4b45-11e4-96c2-020011c98db3
4. vsphere-webclient-1d364500-4b45-11e4-96c2-020011c98db3

When you list solution user certificates in multi-node deployments, the output of dir-cli service list includes all solution users from all nodes. Run vmafd-cli get-machine-id --server-name localhost to find the local machine ID for each host. Each solution user name includes the machine ID.

3 For each solution user, replace the existing certificate in VECS and then in vmdir.

You must add the certificates in that order.

vecs-cli entry delete --store vpxd --alias vpxd
vecs-cli entry create --store vpxd --alias vpxd --cert vpxd.crt --key vpxd.priv
dir-cli service update --name <vpxd-xxxx-xxx-xxxxxx> --cert vpxd.crt

4 Restart all services.

service-control --start --all
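The prerequisites list and steps 2 and 3 above are easy to get wrong by hand: a certificate with the wrong SAN or key usage, a key that does not belong to the certificate, or a dir-cli entry that belongs to another node. The following script is an added example, not part of the vSphere documentation or of VMware's tooling. It uses only openssl, sed and awk to check each custom certificate against the prerequisites, filters the dir-cli service list output down to this node's machine ID, and prints the step 3 command sequence in the required order (VECS first, then vmdir) without running it. It assumes, consistent with the vpxd example above, that each solution user's VECS store and alias is its type name (machine, vpxd, vpxd-extension, vsphere-webclient); the file names, host names and machine IDs are hypothetical and the certificates it generates are constructed self-signed test data.

```shell
#!/bin/sh
# Added example, not from the vSphere documentation or VMware's tools: openssl
# pre-flight checks for custom solution user certificates, plus a filter that
# keeps only this node's entries from "dir-cli service list" and prints step 3.
# Assumed (consistent with the vpxd example on the page): each solution user's
# VECS store and alias is its type name, e.g. vpxd, vpxd-extension. File names,
# host names and machine IDs below are hypothetical.

# check_solution_cert CERT KEY FQDN: key >= 2048 bits, X.509 v3, SAN holds
# DNS:<FQDN>, the three required key usages, and KEY belongs to CERT.
check_solution_cert() {
    cert=$1; key=$2; fqdn=$3
    text=$(openssl x509 -in "$cert" -noout -text) || return 1

    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ -n "$bits" ] && [ "$bits" -ge 2048 ] ||
        { echo "$cert: key size ${bits:-unknown} < 2048"; return 1; }

    printf '%s\n' "$text" | grep -q 'Version: 3 ' ||
        { echo "$cert: not X.509 v3"; return 1; }

    # Match the whole SAN entry so vc01.example.com.evil does not pass for vc01.example.com.
    printf '%s\n' "$text" | grep -Eq "DNS:$fqdn"'(,|$)' ||
        { echo "$cert: SubjectAltName lacks DNS:$fqdn"; return 1; }

    # openssl prints the usage names on the line after the "X509v3 Key Usage" header.
    ku=$(printf '%s\n' "$text" | awk '/X509v3 Key Usage/ { getline; print; exit }')
    for u in 'Digital Signature' 'Non Repudiation' 'Key Encipherment'; do
        case "$ku" in
            *"$u"*) ;;
            *) echo "$cert: Key Usage lacks $u"; return 1 ;;
        esac
    done

    # The public key in the certificate must equal the one derived from the private key.
    c=$(openssl x509 -in "$cert" -noout -pubkey | openssl dgst -sha256)
    k=$(openssl pkey -in "$key" -pubout | openssl dgst -sha256)
    [ "$c" = "$k" ] || { echo "$cert: private key $key does not match"; return 1; }
}

# subjects_unique CERT...: every solution user certificate needs its own Subject.
subjects_unique() {
    dups=$(for f in "$@"; do openssl x509 -in "$f" -noout -subject; done | sort | uniq -d)
    [ -z "$dups" ] || { echo "duplicate Subject: $dups"; return 1; }
}

# local_solution_users MACHINE_ID: reads "dir-cli service list" output on stdin
# and keeps only the names ending in this node's ID (the value printed by
# vmafd-cli get-machine-id --server-name localhost), without the "N. " prefix.
local_solution_users() {
    sed -n "s/^[0-9][0-9]*\. *\([a-z-]*-$1\)\$/\1/p"
}

# replacement_commands MACHINE_ID CERT_DIR: prints step 3 for each local
# solution user in the required order, VECS first and then vmdir. Nothing runs.
replacement_commands() {
    local_solution_users "$1" | while read -r name; do
        kind=${name%-$1}                      # vpxd-<id> -> vpxd
        echo "vecs-cli entry delete --store $kind --alias $kind"
        echo "vecs-cli entry create --store $kind --alias $kind --cert $2/$kind.crt --key $2/$kind.priv"
        echo "dir-cli service update --name $name --cert $2/$kind.crt"
    done
}

# make_demo_cert NAME FQDN: constructed self-signed test data, not a real CA certificate.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/O=Example/CN=$1" \
        -keyout "$1.priv" -out "$1.crt" -addext "subjectAltName=DNS:$2" \
        -addext 'keyUsage=critical,digitalSignature,nonRepudiation,keyEncipherment' \
        >/dev/null 2>&1
}

# demo: a compliant vpxd certificate passes; a certificate naming the wrong host
# and a cert/key mix-up are rejected; then step 3 is printed for a two-node listing.
demo() {
    work=$(mktemp -d) && cd "$work" || return 1
    make_demo_cert vpxd vc01.example.com || return 1
    make_demo_cert vpxd-extension vc02.example.com || return 1
    check_solution_cert vpxd.crt vpxd.priv vc01.example.com || return 1
    check_solution_cert vpxd-extension.crt vpxd-extension.priv vc01.example.com && return 1
    check_solution_cert vpxd.crt vpxd-extension.priv vc01.example.com && return 1
    subjects_unique vpxd.crt vpxd-extension.crt || return 1
    # Constructed "dir-cli service list" output covering two nodes; only aaaa-1111 is local.
    printf '1. machine-%s\n2. vpxd-%s\n3. vpxd-%s\n' aaaa-1111 aaaa-1111 bbbb-2222 |
        replacement_commands aaaa-1111 /root/certs
}

demo
```

Run it on the node before touching VECS: feed the real dir-cli service list output and the machine ID from vmafd-cli into replacement_commands, review the printed sequence, and only then execute it. The SAN check matches the complete entry rather than a prefix, and the key check catches the most common cause of a service that refuses to start after step 4, a certificate installed with someone else's private key.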

Replace the VMware Directory Service Certificate

If you decide to use a new VMCA root certificate, and you unpublish the VMCA root certificate that was used when you provisioned your environment, you must replace the machine SSL certificates, solution user certificates, and certificates for some internal services.

If you unpublish the VMCA root certificate, you must replace the SSL Signing Certificate that is used by vCenter Single Sign-On. See “Refresh the Security Token Service (STS) Root Certificate,” on page 36. You must also replace the VMware Directory Service (vmdir) certificate.

Prerequisites

Request a certificate for vmdir from your third-party or enterprise CA.

Procedure

1 Stop vmdir.

Linux service-control --stop vmdird

Windows service-control --stop VMWareDirectoryService

2 Copy the certificate and key that you just generated to the vmdir location.

Linux
cp vmdir.crt /usr/lib/vmware-vmdir/share/config/vmdircert.pem
cp vmdir.priv /usr/lib/vmware-vmdir/share/config/vmdirkey.pem

Windows
copy vmdir.crt C:\programdata\vmware\vCenterServer\cfg\vmdird\vmdircert.pem
copy vmdir.priv C:\programdata\vmware\vCenterServer\cfg\vmdird\vmdirkey.pem

3 Restart vmdir from the vSphere Web Client or using the service-control command.

Linux service-control --start vmdird

Windows service-control --start VMWareDirectoryService

Replace the VMware Directory Service Certificate in Mixed Mode Environments

During upgrade, your environment might temporarily include both vCenter Single Sign-On version 5.5 and vCenter Single Sign-On version 6.0. In that case, you have to perform additional steps to replace the VMware Directory Service SSL certificate if you replace the SSL certificate of the node on which the vCenter Single Sign-On service is running.

The VMware Directory Service SSL certificate is used by vmdir to perform handshakes between Platform Services Controller nodes that perform vCenter Single Sign-On replication.

These steps are required only if:

n Your environment includes both vCenter Single Sign-On 5.5 and vCenter Single Sign-On 6.0 services.

n The vCenter Single Sign-On services are set up to replicate vmdir data.

n You plan to replace the default VMCA-signed certificates with custom certificates for the node on which the vCenter Single Sign-On 6.0 service runs.

NOTE In most other cases, upgrading the complete environment before restarting the services is best practice. Replacing the VMware Directory Service certificate is not usually recommended.

Procedure

1 On the node on which the vCenter Single Sign-On 6.0 service runs, replace the vmdird SSL certificate and key.

See “Replace the VMware Directory Service Certificate,” on page 88.

2 On the node on which the vCenter Single Sign-On 5.5 service runs, set up the environment so the vCenter Single Sign-On 6.0 service is known.

a Back up all files in C:\ProgramData\VMware\CIS\cfg\vmdird.

b Make a copy of the vmdircert.pem file on the 6.0 node, and rename it to <sso_node2.domain.com>.pem, where <sso_node2.domain.com> is the FQDN of the 6.0 node.

c Copy the renamed certificate to C:\ProgramData\VMware\CIS\cfg\vmdird to replace the existing replication certificate.

3 Restart the VMware Directory Service on all machines where you replaced certificates.

You can restart the service from the vSphere Web Client or use the service-control command.
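Both procedures above end with a vmdir restart, and a bad file is only discovered when the service fails to come up or replication between the Platform Services Controller nodes stops. The script below is an added example, not part of the vSphere documentation, of the two checks worth running first: that vmdircert.pem and vmdirkey.pem on the 6.0 node belong together, and that the <fqdn>.pem placed on the 5.5 node in step 2 is an exact copy of the 6.0 node's vmdircert.pem whose SubjectAltName actually contains the FQDN used for the file name. The paths and the host name psc02.example.com are hypothetical, and the certificates it generates are constructed self-signed stand-ins.

```shell
#!/bin/sh
# Added example, not from the vSphere documentation: openssl checks to run on the
# files before restarting vmdir, for the plain replacement and for the mixed-mode
# copy. Paths and the host name psc02.example.com are hypothetical.

# vmdir_pair_ok CERT KEY: vmdircert.pem and vmdirkey.pem must belong together,
# otherwise vmdir does not come back up after the restart.
vmdir_pair_ok() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256) || return 1
    k=$(openssl pkey -in "$2" -pubout | openssl dgst -sha256) || return 1
    [ "$c" = "$k" ] || { echo "$1 and $2 do not match"; return 1; }
}

# replication_copy_ok SRC_CERT COPIED_CERT: the <fqdn>.pem placed on the 5.5
# node must be the 6.0 node's vmdircert.pem (same SHA-256 fingerprint), and the
# FQDN it is named after must appear in that certificate's SubjectAltName.
replication_copy_ok() {
    src=$(openssl x509 -in "$1" -noout -fingerprint -sha256) || return 1
    dst=$(openssl x509 -in "$2" -noout -fingerprint -sha256) || return 1
    [ "$src" = "$dst" ] || { echo "$2 is not a copy of $1"; return 1; }
    fqdn=$(basename "$2" .pem)
    openssl x509 -in "$2" -noout -text | grep -Eq "DNS:$fqdn"'(,|$)' ||
        { echo "$fqdn is not in the SubjectAltName of $2"; return 1; }
}

# demo: constructed stand-ins for vmdircert.pem and vmdirkey.pem; the correct
# copy passes, and a stale certificate left under the same name is caught.
demo() {
    work=$(mktemp -d) && cd "$work" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=psc02.example.com' \
        -keyout vmdirkey.pem -out vmdircert.pem \
        -addext 'subjectAltName=DNS:psc02.example.com' >/dev/null 2>&1 || return 1
    vmdir_pair_ok vmdircert.pem vmdirkey.pem || return 1
    cp vmdircert.pem psc02.example.com.pem                 # steps 2b and 2c
    replication_copy_ok vmdircert.pem psc02.example.com.pem || return 1
    # A different certificate carrying the same SAN, as a stale file would.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=old' \
        -keyout old.key -out psc02.example.com.pem \
        -addext 'subjectAltName=DNS:psc02.example.com' >/dev/null 2>&1 || return 1
    replication_copy_ok vmdircert.pem psc02.example.com.pem && return 1
    echo "vmdir certificate checks passed"
}

demo
```

On a real deployment, point vmdir_pair_ok at the two files in the vmdird configuration directory of the 6.0 node and replication_copy_ok at that node's vmdircert.pem and the renamed copy on the 5.5 node; the fingerprint comparison, rather than a file name or Subject comparison, is what catches an old certificate left behind under the expected name.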