vDan

vCert is a powerful certificate management utility developed for VMware Cloud Foundation environments. It allows administrators to inspect, manage, and replace certificates across the vCenter Server infrastructure with minimal effort. This article walks you through the installation and usage of the vCert v6.0.0 tool.

---

🔧 Installation

To begin, download the vCert tool archive provided in the related article and upload it to your vCenter Server appliance. Once uploaded, execute the following commands to extract and run the tool:

# unzip -q vCert-6.0.0-20250218.zip
# cd vCert-6.0.0-20250218
# chmod +x vCert
# ./vCert.py

Running the Script

To display help options:

# ./vCert.py --help

Arguments available:

• --env ENVIRONMENT: Load environment config file
• --run OPERATION: Execute operation without menu
• --user USER: Provide SSO administrator username
• --password PASSWORD: Provide corresponding password

Once launched interactively, you’ll see a menu:

VCF Certificate Management Utility (version 6.0.0)
-----------------------------------------------------------------
 1. Check current certificate status
 2. View certificate info
 3. Manage certificates
 4. Manage SSL trust anchors
 5. Check configurations
 6. Reset all certificates with VMCA-signed certificates
 7. ESXi certificate operations
 8. Restart services
 9. Generate certificate report
 E. Exit

🗂 Logs and Files

• Logs: /var/log/vmware/vCert/vCert.log
• Temp/Backup files: /root/vCert-master/YYYYMMDD

Temporary files (except backups) are deleted on exit.

---

🧪 Menu Options Overview

1️⃣ Check Current Certificate Status

Performs a comprehensive health check:

• Expiry validation
• SAN (Subject Alternative Name) presence
• Key usage compliance
• CA validity and signature algorithm checks
• Solution User to Service Principal consistency

2️⃣ View Certificate Info

Displays readable info for:

• Machine SSL and Solution User certs
• CA certs (VECS & VMware Directory)
• STS, SMS, Smart Card, and LDAPS certs

3️⃣ Manage Certificates

Replace or modify certificates for:

• Machine SSL
• Solution Users
• STS Signing
• Smart Card CA
• LDAPS Identity Source
• VECS and VMware Directory CA stores
• vCenter Extensions & SMS

Supports PEM/DER, PKCS#7, and PKCS#12 formats.

💡 Certificate chains must be complete when importing custom CA-signed certificates.

4️⃣ Manage SSL Trust Anchors

• Validate trust anchors used by Lookup Services
• Update anchors across SSO domain nodes

5️⃣ Check Configurations

Includes:

• SSL interception detection
• STS store alignment (e.g., legacy vs. MACHINE_SSL_CERT)
• VECS store health and permission checks

6️⃣ Reset All Certificates

Resets:

• Machine SSL
• Solution User
• STS signing
  …all signed by the VMCA.

7️⃣ ESXi Certificate Operations

Manage ESXi host certificates:

• Validate trust alignment between vCenter and ESXi
• Check DB consistency
• Replace host certificates (rui.crt, rui.key, castore.pem)

🔁 Requires host service restart & vCenter re-connection.

8️⃣ Restart Services

Options:

• Restart all VMware services
• Restart specific service by name

9️⃣ Generate Certificate Report

Outputs a detailed report covering:

• VECS entries
• Service Principals
• STS entries
• Smart Card and LDAP certs
• Lookup Service SSL anchors

Saved under: /var/log/vmware/vCert

📌 Summary

The vCert 6.0.0 tool is an essential utility for environments where certificate lifecycle management is critical. Whether you’re replacing a Machine SSL cert, troubleshooting expired STS tokens, or ensuring trust between vCenter and ESXi hosts, vCert provides a safe and guided workflow.

Remember: always use with caution and ensure full system backups are in place before making change

Link for use Manage Certificates menu to check and replace the certificates.