Notes on VMware vCenter/vCSA certificates

The certificates vCenter uses internally have expiry dates, so keep an eye on them.

(Reference sites)

Determining expired SSL certificates in vCenter Server and ESXi 6.x, 7.0, and 8.0
[check command](vCenter & vCSA 6.x/7.0/8.0)
https://knowledge.broadcom.com/external/article?legacyId=2015600

How to replace an expired data encipherment certificate in vCenter Server [fix_encipherment_cert.sh](vCSA 6.7/7.0/8.0)
https://knowledge.broadcom.com/external/article/324602/vcenter-server.html
https://knowledge.broadcom.com/external/article/312152

Checking Expiration of STS Certificate on vCenter Servers
[checksts.py](vCSA6.5/6.7/7.0/8.0)
https://knowledge.broadcom.com/external/article?legacyId=79248

vCert – Scripted vCenter Expired Certificate Replacement
[vCert-6.0.0-20250218.zip](vCSA7.0/8.0)
https://knowledge.broadcom.com/external/article/385107

Replace certificates on vCenter server using the Fixcerts script
[fixcerts_3_2.py](vCSA6.5?/6.7/7.0/8.0)
https://knowledge.broadcom.com/external/article?legacyId=90561

vCenter Server certificate expiry list
https://ss-engineer.com/certificate-expiration/

Checking certificate expiry on vCSA (command)

login as: root
Pre-authentication banner message from server:
|
| VMware vCenter Server Appliance 6.7.0.57000
|
| Type: vCenter Server with an embedded Platform Services Controller
|
End of banner message from server
root@192.168.29.239's password:
root@VMVC02 [ ~ ]#
root@VMVC02 [ ~ ]# for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do echo "[*] Store :" $store; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $store --text | grep -ie "Alias" -ie "Not After";done;

[*] Store : MACHINE_SSL_CERT
Alias : __MACHINE_CERT
Not After : Oct 17 12:40:28 2032 GMT

[*] Store : TRUSTED_ROOTS
Alias : c8dd07a7f9cfbc4bea5701c8bddb60725967097e
Not After : Oct 17 12:40:28 2032 GMT
Alias : 6ba8680640749e80b8a22b6310e84b02138ae3b6
Not After : Oct 17 05:41:28 2032 GMT
Alias : 0144e02afc00c5c248de17cd12e1cb73f724b486
Not After : Oct 17 12:40:28 2032 GMT
Alias : 9d5b6377daad48bd8a288521f6105eae4bb005ae
Not After : Oct 21 05:50:21 2034 GMT
Alias : 210ef2ef8e060395d6ce4a966faf6c1cc5975928
Not After : Oct 21 06:11:24 2034 GMT
Alias : 19ddd27358ea587355e7c6a81efb4e45f5d0d8fe
Not After : Oct 21 06:32:51 2034 GMT
Alias : 02c04eb51e909e7bd990c751b913a8ccc63fb1cb
Not After : Oct 21 06:41:11 2034 GMT
Alias : 44aad666b55fd595592db0e45ca4866f6aa1c912
Not After : Oct 21 07:07:45 2034 GMT
Alias : a18db13a69140b00e602b07f558c00a552c509b3
Not After : Oct 21 07:14:57 2034 GMT
Alias : 37f01cccfe06c5a9862d9ae813644a00af3149bd
Not After : Oct 21 07:52:09 2034 GMT
Alias : 18bcf7ed18b8aba1ede7725ff5545142a3bcad71
Not After : Oct 21 09:26:28 2034 GMT

[*] Store : machine
Alias : machine
Not After : Oct 17 12:40:28 2032 GMT

[*] Store : vsphere-webclient
Alias : vsphere-webclient
Not After : Oct 17 12:40:28 2032 GMT

[*] Store : vpxd
Alias : vpxd
Not After : Oct 17 12:40:28 2032 GMT

[*] Store : vpxd-extension
Alias : vpxd-extension
Not After : Oct 17 12:40:28 2032 GMT

[*] Store : SMS
Alias : sms_self_signed
Not After : Oct 23 12:48:54 2032 GMT

[*] Store : STS_INTERNAL_SSL_CERT
Alias : __MACHINE_CERT
Not After : Oct 17 12:40:28 2032 GMT

[*] Store : APPLMGMT_PASSWORD
Alias : location_password_default
[*] Store : data-encipherment
Alias : data-encipherment
Not After : Oct 22 13:38:20 2024 GMT
root@VMVC02 [ ~ ]#
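The loop above only lists dates; you still have to read them by eye. The following added script (not from the page or from VMware) parses that exact "[*] Store / Alias / Not After" output and flags entries that are expired or within a warning window, so the check can be run from cron or piped from the command. The sample text and the reference date (the page's session date, 2025-04-29) are constructed for the example.

```python
import re
import sys
from datetime import datetime, timezone

# Constructed sample: an excerpt of the vecs-cli loop output shown above,
# stores and dates copied from the page (not a live capture).
SAMPLE_OUTPUT = """\
[*] Store : MACHINE_SSL_CERT
Alias : __MACHINE_CERT
Not After : Oct 17 12:40:28 2032 GMT

[*] Store : APPLMGMT_PASSWORD
Alias : location_password_default
[*] Store : data-encipherment
Alias : data-encipherment
Not After : Oct 22 13:38:20 2024 GMT
"""

STORE_RE = re.compile(r"^\[\*\] Store :\s*(\S+)")
ALIAS_RE = re.compile(r"^Alias :\s*(.+?)\s*$")
NOT_AFTER_RE = re.compile(r"^Not After :\s*(.+?)\s*$")

def parse_vecs_report(text):
    """Return (store, alias, not_after) tuples. not_after is None for
    entries that carry no certificate (e.g. the APPLMGMT_PASSWORD store)."""
    entries, store = [], None
    for line in text.splitlines():
        if m := STORE_RE.match(line):
            store = m.group(1)
        elif m := ALIAS_RE.match(line):
            entries.append([store, m.group(1), None])
        elif (m := NOT_AFTER_RE.match(line)) and entries:
            # vecs-cli prints OpenSSL-style dates: "Oct 17 12:40:28 2032 GMT"
            stamp = m.group(1).replace(" GMT", "")
            entries[-1][2] = datetime.strptime(stamp, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    return [tuple(e) for e in entries]

def expiry_report(text, now, warn_days=90):
    """Classify each certificate entry as EXPIRED, EXPIRING or OK."""
    report = []
    for store, alias, not_after in parse_vecs_report(text):
        if not_after is None:
            continue  # password-type entries have no expiry
        days_left = (not_after - now).days
        state = "EXPIRED" if days_left < 0 else "EXPIRING" if days_left <= warn_days else "OK"
        report.append((store, alias, days_left, state))
    return report

if __name__ == "__main__":
    # Pipe the vecs-cli loop output into this script; falls back to the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    now = datetime(2025, 4, 29, tzinfo=timezone.utc)  # constructed reference date
    for store, alias, days, state in expiry_report(text, now):
        print(f"{state:9} {store:22} {alias:28} {days:6d} days")
```

With the sample, MACHINE_SSL_CERT reports 2728 days (the same figure checksts.py prints further down) and data-encipherment reports EXPIRED.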

How to replace an expired data encipherment certificate on vCSA [fix_encipherment_cert.sh]

login as: root
Pre-authentication banner message from server:
|
| VMware vCenter Server Appliance 6.7.0.57000
|
| Type: vCenter Server with an embedded Platform Services Controller
|
End of banner message from server
root@192.168.29.239's password:
Last login: Tue Apr 29 14:50:00 2025 from 192.168.29.88
root@VMVC02 [ ~ ]# ls
cert
root@VMVC02 [ ~ ]# cd cert/
root@VMVC02 [ ~/cert ]# ls
0685G00000of3ouQAA_fix_encipherment_cert.sh vCert-6.0.0-20250218.zip
root@VMVC02 [ ~/cert ]#
root@VMVC02 [ ~/cert ]#
root@VMVC02 [ ~/cert ]# chmod +x 0685G00000of3ouQAA_fix_encipherment_cert.sh
root@VMVC02 [ ~/cert ]# ./0685G00000of3ouQAA_fix_encipherment_cert.sh

Replacing Certificate in data-encipherment VECS Store

Detected PNID: VMVC02.nsb.homeip.net

Detected PSC: VMVC02.nsb.homeip.net

Taking backup of old certificate and private key to /tmp directory

Deleting the existing certificate from the VECS store
Deleted entry with alias [data-encipherment] in store [data-encipherment] successfully

Generating new certificate using the existing private key and add to the VECS store
Status : Success

Listing the new certificate in VECS Store
Alias : data-encipherment
Serial Number:
Not Before: Apr 29 06:02:01 2025 GMT
Not After : Apr 29 06:02:01 2027 GMT
Subject: CN=data-encipherment, DC=vsphere, DC=local, C=US, OU=mID-c9b2f80b-349e-4eb9-9340-482e26305710

**********************************************************************************

Completed the script execution, please follow the manual steps in case the script fails to replace the Certificate

VPXD Service needs to be restarted for the changes to take effect, otherwise Guest OS Customizations might fail
Please execute following command to restart the service:

service-control --stop vpxd && service-control --start vpxd

**********************************************************************************

root@VMVC02 [ ~/cert ]#
root@VMVC02 [ ~/cert ]#
root@VMVC02 [ ~/cert ]# service-control --stop vpxd
Operation not cancellable. Please wait for it to finish...
Performing stop operation on service vpxd...
Successfully stopped service vpxd
root@VMVC02 [ ~/cert ]#
root@VMVC02 [ ~/cert ]# /usr/sbin/vpxd -g
/usr/lib/vmware-vpx/vpxd: invalid option -- 'g'
Usage: /usr/lib/vmware-vpx/vpxd [FLAGS]
Flags:
-b Recreate database repository
-v Print the version number to stdout
-p Reset the database password
-f cfg Use the specified file instead of the default vpxd.cfg
-o newSchemaOwner Use the specified schema name to create database repository in SQL server
-C install new SSL certificate file
-F Force Full Host Sync for all hosts
-K install new SSL private key file
-Q install new Symmetric encryption keygen data file
root@VMVC02 [ ~/cert ]# /usr/sbin/vpxd -v
VMware VirtualCenter 6.7.0 build-24264277
root@VMVC02 [ ~/cert ]# service-control --start vpxd
Operation not cancellable. Please wait for it to finish...
Performing start operation on service vpxd...
Successfully started service vpxd

Post-execution check [command]

root@VMVC02 [ ~/cert ]# for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do echo "[*] Store :" $store; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $store --text | grep -ie "Alias" -ie "Not After";done;

[*] Store : MACHINE_SSL_CERT
Alias : __MACHINE_CERT
Not After : Oct 17 12:40:28 2032 GMT
[*] Store : TRUSTED_ROOTS
Alias : c8dd07a7f9cfbc4bea5701c8bddb60725967097e
Not After : Oct 17 12:40:28 2032 GMT
Alias : 6ba8680640749e80b8a22b6310e84b02138ae3b6
Not After : Oct 17 05:41:28 2032 GMT
Alias : 0144e02afc00c5c248de17cd12e1cb73f724b486
Not After : Oct 17 12:40:28 2032 GMT
Alias : 9d5b6377daad48bd8a288521f6105eae4bb005ae
Not After : Oct 21 05:50:21 2034 GMT
Alias : 210ef2ef8e060395d6ce4a966faf6c1cc5975928
Not After : Oct 21 06:11:24 2034 GMT
Alias : 19ddd27358ea587355e7c6a81efb4e45f5d0d8fe
Not After : Oct 21 06:32:51 2034 GMT
Alias : 02c04eb51e909e7bd990c751b913a8ccc63fb1cb
Not After : Oct 21 06:41:11 2034 GMT
Alias : 44aad666b55fd595592db0e45ca4866f6aa1c912
Not After : Oct 21 07:07:45 2034 GMT
Alias : a18db13a69140b00e602b07f558c00a552c509b3
Not After : Oct 21 07:14:57 2034 GMT
Alias : 37f01cccfe06c5a9862d9ae813644a00af3149bd
Not After : Oct 21 07:52:09 2034 GMT
Alias : 18bcf7ed18b8aba1ede7725ff5545142a3bcad71
Not After : Oct 21 09:26:28 2034 GMT
[*] Store : machine
Alias : machine
Not After : Oct 17 12:40:28 2032 GMT
[*] Store : vsphere-webclient
Alias : vsphere-webclient
Not After : Oct 17 12:40:28 2032 GMT
[*] Store : vpxd
Alias : vpxd
Not After : Oct 17 12:40:28 2032 GMT
[*] Store : vpxd-extension
Alias : vpxd-extension
Not After : Oct 17 12:40:28 2032 GMT
[*] Store : SMS
Alias : sms_self_signed
Not After : Oct 23 12:48:54 2032 GMT
[*] Store : STS_INTERNAL_SSL_CERT
Alias : __MACHINE_CERT
Not After : Oct 17 12:40:28 2032 GMT
[*] Store : APPLMGMT_PASSWORD
Alias : location_password_default
[*] Store : data-encipherment
Alias : data-encipherment
Not After : Apr 29 06:02:01 2027 GMT
root@VMVC02 [ ~/cert ]#

STS certificate check command [checksts.py]

root@VMVC02 [ ~ ]# cd cert/
fix_encipherment_cert.sh vCert-6.0.0-20250218.zip
root@VMVC02 [ ~/cert ]# ls -al
total 204
drwxr-xr-x 3 root root 4096 Apr 29 16:40 .
drwx------ 5 root root 4096 Apr 29 14:58 ..
-rw-r--r-- 1 root root 8042 Apr 29 16:38 checksts.py
-rwxr-xr-x 1 root root 2225 Apr 29 14:57 fix_encipherment_cert.sh
drwxr-xr-x 5 root root 4096 Feb 19 03:11 vCert-6.0.0-20250218
-rw-r--r-- 1 root root 183601 Apr 29 14:44 vCert-6.0.0-20250218.zip
root@VMVC02 [ ~/cert ]# chmod +x checksts.py
root@VMVC02 [ ~/cert ]# ./checksts.py

3 VALID CERTS

LEAF CERTS:
[] Certificate 3B:C3:CE:D0:C1:A5:BF:BF:42:48:2F:05:DF:3B:3E:7F:FD:A3:96:4F will expire in 2728 days (7 years).
ROOT CERTS:
[] Certificate 6B:A8:68:06:40:74:9E:80:B8:A2:2B:63:10:E8:4B:02:13:8A:E3:B6 will expire in 2728 days (7 years).
[] Certificate C8:DD:07:A7:F9:CF:BC:4B:EA:57:01:C8:BD:DB:60:72:59:67:09:7E will expire in 2728 days (7 years).

1 EXPIRED CERTS

LEAF CERTS:
[] Certificate: E6:28:BE:51:07:BE:C9:38:FE:FE:09:D8:53:99:3A:ED:3B:3B:AC:F9 expired on 2024-10-22 05:31:39 GMT!
ROOT CERTS: None
WARNING! You have expired STS certificates. Please follow the KB corresponding to your OS:
VCSA: https://kb.vmware.com/s/article/76719
Windows: https://kb.vmware.com/s/article/79263

root@VMVC02 [ ~/cert ]#
root@VMVC02 [ ~/cert ]#

Check certificates and renew only the expired ones [fixcerts_3_2.py]

root@VMVC02 [ ~/cert ]# ./fixcerts_3_2.py replace --certType expired_only
Please enter the password for administrator@vsphere.local to proceed further :

Validity of Certificates:
+-----------------------+----------------------+
| CertificateType       | Validity(UTC)        |
+-----------------------+----------------------+
| MACHINE_SSL_CERT      | Oct 17 12:40:28 2032 |
| machine               | Oct 17 12:40:28 2032 |
| vsphere-webclient     | Oct 17 12:40:28 2032 |
| vpxd                  | Oct 17 12:40:28 2032 |
| vpxd-extension        | Oct 17 12:40:28 2032 |
| SMS                   | Oct 23 12:48:54 2032 |
| STS_INTERNAL_SSL_CERT | Oct 17 12:40:28 2032 |
| data-encipherment     | Apr 29 06:02:01 2027 |
| Signing Cert (STS)    | Oct 17 12:40:28 2032 |
+-----------------------+----------------------+
+------------------------------------------+----------------------+--------+
| TRUSTED_ROOTS_Alias                      | Validity(UTC)        | Type   |
+------------------------------------------+----------------------+--------+
| c8dd07a7f9cfbc4bea5701c8bddb60725967097e | Oct 17 12:40:28 2032 | CA     |
| 6ba8680640749e80b8a22b6310e84b02138ae3b6 | Oct 17 05:41:28 2032 | CA     |
| 0144e02afc00c5c248de17cd12e1cb73f724b486 | Oct 17 12:40:28 2032 | Non-CA |
| 9d5b6377daad48bd8a288521f6105eae4bb005ae | Oct 21 05:50:21 2034 | CA     |
| 210ef2ef8e060395d6ce4a966faf6c1cc5975928 | Oct 21 06:11:24 2034 | CA     |
| 19ddd27358ea587355e7c6a81efb4e45f5d0d8fe | Oct 21 06:32:51 2034 | CA     |
| 02c04eb51e909e7bd990c751b913a8ccc63fb1cb | Oct 21 06:41:11 2034 | CA     |
| 44aad666b55fd595592db0e45ca4866f6aa1c912 | Oct 21 07:07:45 2034 | CA     |
| a18db13a69140b00e602b07f558c00a552c509b3 | Oct 21 07:14:57 2034 | CA     |
| 37f01cccfe06c5a9862d9ae813644a00af3149bd | Oct 21 07:52:09 2034 | CA     |
| 18bcf7ed18b8aba1ede7725ff5545142a3bcad71 | Oct 21 09:26:28 2034 | CA     |
+------------------------------------------+----------------------+--------+

There are NO EXPIRED CERTIFICATES on this vCenter Server, hence DID NOT replace any Certificates.
If you still want to replace the certificates, use any other arguments such as --certType all
root@VMVC02 [ ~/cert ]#

Next renewal: it looks like the STS certificate will need renewing around 2027/4/29.
