VMUG Connect 2025 – Minimal VMware Cloud…

VMUG Connect 2025 – Minimal VMware Cloud…

I had a great time attending the inaugural VMUG Connect 2025 in St. Louis this past April. Like many others, the event was a great way to connect and share our passion for VMware technologies with both new and familiar faces from our community. Here are a few great write-ups from attendees of […]


Broadcom Social Media Advocacy

Installing and Using the vCert Tool

vCert is a powerful certificate management utility developed for VMware Cloud Foundation environments. It allows administrators to inspect, manage, and replace certificates across the vCenter Server infrastructure with minimal effort. This article walks you through the installation and usage of the vCert v6.0.0 tool.


🔧 Installation

To begin, download the vCert tool archive provided in the related article and upload it to your vCenter Server appliance. Once uploaded, execute the following commands to extract and run the tool:

# unzip -q vCert-6.0.0-20250218.zip
# cd vCert-6.0.0-20250218
# chmod +x vCert
# ./vCert.py

Running the Script

To display help options:

# ./vCert.py --help

Arguments available:

  • --env ENVIRONMENT: Load environment config file
  • --run OPERATION: Execute operation without menu
  • --user USER: Provide SSO administrator username
  • --password PASSWORD: Provide corresponding password

Once launched interactively, you’ll see a menu:

VCF Certificate Management Utility (version 6.0.0)
-----------------------------------------------------------------
1. Check current certificate status
2. View certificate info
3. Manage certificates
4. Manage SSL trust anchors
5. Check configurations
6. Reset all certificates with VMCA-signed certificates
7. ESXi certificate operations
8. Restart services
9. Generate certificate report
E. Exit

🗂 Logs and Files

  • Logs: /var/log/vmware/vCert/vCert.log
  • Temp/Backup files: /root/vCert-master/YYYYMMDD

Temporary files (except backups) are deleted on exit.


🧪 Menu Options Overview

1️⃣ Check Current Certificate Status

Performs a comprehensive health check:

  • Expiry validation
  • SAN (Subject Alternative Name) presence
  • Key usage compliance
  • CA validity and signature algorithm checks
  • Solution User to Service Principal consistency

2️⃣ View Certificate Info

Displays readable info for:

  • Machine SSL and Solution User certs
  • CA certs (VECS & VMware Directory)
  • STS, SMS, Smart Card, and LDAPS certs

3️⃣ Manage Certificates

Replace or modify certificates for:

  • Machine SSL
  • Solution Users
  • STS Signing
  • Smart Card CA
  • LDAPS Identity Source
  • VECS and VMware Directory CA stores
  • vCenter Extensions & SMS

Supports PEM/DER, PKCS#7, and PKCS#12 formats.

💡 Certificate chains must be complete when importing custom CA-signed certificates.

4️⃣ Manage SSL Trust Anchors

  • Validate trust anchors used by Lookup Services
  • Update anchors across SSO domain nodes

5️⃣ Check Configurations

Includes:

  • SSL interception detection
  • STS store alignment (e.g., legacy vs. MACHINE_SSL_CERT)
  • VECS store health and permission checks

6️⃣ Reset All Certificates

Resets:

  • Machine SSL
  • Solution User
  • STS signing
    …all signed by the VMCA.

7️⃣ ESXi Certificate Operations

Manage ESXi host certificates:

  • Validate trust alignment between vCenter and ESXi
  • Check DB consistency
  • Replace host certificates (rui.crt, rui.key, castore.pem)

🔁 Requires host service restart & vCenter re-connection.

8️⃣ Restart Services

Options:

  • Restart all VMware services
  • Restart specific service by name

9️⃣ Generate Certificate Report

Outputs a detailed report covering:

  • VECS entries
  • Service Principals
  • STS entries
  • Smart Card and LDAP certs
  • Lookup Service SSL anchors

Saved under: /var/log/vmware/vCert

📌 Summary

The vCert 6.0.0 tool is an essential utility for environments where certificate lifecycle management is critical. Whether you’re replacing a Machine SSL cert, troubleshooting expired STS tokens, or ensuring trust between vCenter and ESXi hosts, vCert provides a safe and guided workflow.

Remember: always use with caution and ensure full system backups are in place before making change

Link for use Manage Certificates menu to check and replace the certificates.

vCenter Server Identity Federation with Zitadel

vCenter Server Identity Federation with Zitadel

Not sure when it happened, but I have been binging self-hosted identity providers like Netflix shows, this season features Authentik, KeyCloak, Synology SSO and Pocket ID. To add to my collection, I was recently asked whether Zitadel could also work as an identity provider with vCenter Server […]


Broadcom Social Media Advocacy

Supported chipsets for the USB Network Native…

Supported chipsets for the USB Network Native…

A longtime community favorite, the USB Network Native Driver for ESXi Fling makes it super easy for users to expand additional networking capabilities for ESXi-x86. While helping a customer recently, I realized that we did not have a published list of supported USB Network adaptors (VID/DID) […]


Broadcom Social Media Advocacy