Installing and Using the vCert Tool

vCert is a powerful certificate management utility developed for VMware Cloud Foundation environments. It allows administrators to inspect, manage, and replace certificates across the vCenter Server infrastructure with minimal effort. This article walks you through the installation and usage of the vCert v6.0.0 tool.


🔧 Installation

To begin, download the vCert tool archive provided in the related article and upload it to your vCenter Server appliance. Once uploaded, execute the following commands to extract and run the tool:

# unzip -q vCert-6.0.0-20250218.zip
# cd vCert-6.0.0-20250218
# chmod +x vCert.py
# ./vCert.py

Running the Script

To display help options:

# ./vCert.py --help

Arguments available:

  • --env ENVIRONMENT: Load environment config file
  • --run OPERATION: Execute operation without menu
  • --user USER: Provide SSO administrator username
  • --password PASSWORD: Provide corresponding password

Once launched interactively, you’ll see a menu:

VCF Certificate Management Utility (version 6.0.0)
-----------------------------------------------------------------
1. Check current certificate status
2. View certificate info
3. Manage certificates
4. Manage SSL trust anchors
5. Check configurations
6. Reset all certificates with VMCA-signed certificates
7. ESXi certificate operations
8. Restart services
9. Generate certificate report
E. Exit

🗂 Logs and Files

  • Logs: /var/log/vmware/vCert/vCert.log
  • Temp/Backup files: /root/vCert-master/YYYYMMDD

Temporary files (except backups) are deleted on exit.


🧪 Menu Options Overview

1️⃣ Check Current Certificate Status

Performs a comprehensive health check:

  • Expiry validation
  • SAN (Subject Alternative Name) presence
  • Key usage compliance
  • CA validity and signature algorithm checks
  • Solution User to Service Principal consistency
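The checks in the list above can be reproduced with plain openssl on any PEM file, which is useful for vetting a certificate before you import it with the Manage Certificates menu. The script below is an added example, not code from vCert or from the article's author; the 30-day warning window and the Digital Signature + Key Encipherment key-usage profile are assumptions chosen for the example, and the two certificates it tests are generated locally rather than taken from a vCenter.

```shell
#!/bin/bash
# Added example (not part of vCert): per-certificate checks equivalent to
# vCert's "Check current certificate status", done with openssl on a PEM file.
# Assumptions: 30-day expiry warning window; key usage must contain
# Digital Signature and Key Encipherment; SHA-1/MD5 signatures are weak.

MIN_VALID_SECONDS=$((30 * 24 * 3600))

# check_cert PEMFILE
#   Prints one OK/FAIL line per check. Returns 0 if all checks pass,
#   1 if any check fails, 2 if the file is not a parseable X.509 certificate.
check_cert() {
  local pem="$1" rc=0 text ku
  text=$(openssl x509 -in "$pem" -noout -text 2>/dev/null) || return 2

  # Expiry: -checkend exits non-zero if the cert expires within the window
  if openssl x509 -in "$pem" -noout -checkend "$MIN_VALID_SECONDS" >/dev/null; then
    echo "OK   expiry"
  else
    echo "FAIL expiry: expired or expiring within 30 days"; rc=1
  fi

  # SAN: the FQDN must be in a Subject Alternative Name, not only in the CN
  if printf '%s\n' "$text" | grep -q 'Subject Alternative Name'; then
    echo "OK   SAN present"
  else
    echo "FAIL SAN missing"; rc=1
  fi

  # Key usage: openssl prints the values on the line after the header
  ku=$(printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | tail -n 1)
  case "$ku" in
    *"Digital Signature"*"Key Encipherment"*) echo "OK   key usage" ;;
    *) echo "FAIL key usage: need Digital Signature and Key Encipherment"; rc=1 ;;
  esac

  # Signature algorithm: flag SHA-1 or MD5 signed certificates
  if printf '%s\n' "$text" | grep 'Signature Algorithm' | grep -qiE 'sha1|md5'; then
    echo "FAIL signature algorithm: SHA-1/MD5"; rc=1
  else
    echo "OK   signature algorithm"
  fi
  return "$rc"
}

# Constructed sample certificates (generated here; not real vCenter certs)
WORK=$(mktemp -d)
GOOD="$WORK/good.pem"
BAD="$WORK/bad.pem"
# good: SHA-256, one-year validity, SAN and key usage present
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
  -subj "/CN=vc01.lab.local" \
  -addext "subjectAltName=DNS:vc01.lab.local" \
  -addext "keyUsage=digitalSignature,keyEncipherment" \
  -keyout "$WORK/good.key" -out "$GOOD" 2>/dev/null
# bad: expires tomorrow, CN only (no SAN), no key usage extension
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -subj "/CN=vc01.lab.local" \
  -keyout "$WORK/bad.key" -out "$BAD" 2>/dev/null

echo "== good.pem"; check_cert "$GOOD" || true
echo "== bad.pem";  check_cert "$BAD"  || true
```

To vet a real certificate, point `check_cert` at the PEM you intend to import; a non-zero return means vCert's status check would report the same problem after import, so fix the certificate first.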

2️⃣ View Certificate Info

Displays readable info for:

  • Machine SSL and Solution User certs
  • CA certs (VECS & VMware Directory)
  • STS, SMS, Smart Card, and LDAPS certs

3️⃣ Manage Certificates

Replace or modify certificates for:

  • Machine SSL
  • Solution Users
  • STS Signing
  • Smart Card CA
  • LDAPS Identity Source
  • VECS and VMware Directory CA stores
  • vCenter Extensions & SMS

Supports PEM/DER, PKCS#7, and PKCS#12 formats.

💡 Certificate chains must be complete (the leaf certificate, every intermediate CA, and the root) when importing custom CA-signed certificates.
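An incomplete chain is the most common reason a custom CA-signed import fails or leaves clients unable to validate the Machine SSL certificate. The script below is an added example, not vCert's code or the author's: it builds a constructed three-tier hierarchy (root CA, issuing CA, vCenter leaf) with invented names, then shows that the leaf verifies against the trusted root only when the issuing CA is present in the bundle.

```shell
#!/bin/bash
# Added example (not part of vCert): why a "complete chain" matters.
# Builds a constructed root -> issuing CA -> leaf hierarchy and verifies
# the leaf with an incomplete and a complete chain bundle.
# Names (Lab Root CA, Lab Issuing CA, vc01.lab.local) are invented.

WORK=$(mktemp -d)
cd "$WORK" || exit 1

# Extension profiles go in files because `openssl x509 -req` takes -extfile
cat > ca.ext <<'EOF'
basicConstraints=critical,CA:true
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
cat > leaf.ext <<'EOF'
basicConstraints=CA:false
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:vc01.lab.local
EOF

# Root CA (self-signed)
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Lab Root CA" \
  -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 3650 \
  -extfile ca.ext -out root.pem 2>/dev/null
# Issuing (intermediate) CA, signed by the root
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Lab Issuing CA" \
  -keyout issuing.key -out issuing.csr 2>/dev/null
openssl x509 -req -in issuing.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1825 -extfile ca.ext -out issuing.pem 2>/dev/null
# vCenter Machine SSL leaf, signed by the issuing CA
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=vc01.lab.local" \
  -keyout vc01.key -out vc01.csr 2>/dev/null
openssl x509 -req -in vc01.csr -CA issuing.pem -CAkey issuing.key -CAcreateserial \
  -days 730 -extfile leaf.ext -out vc01.pem 2>/dev/null

# The two bundles an administrator might try to import
cat vc01.pem > chain_incomplete.pem                     # leaf only
cat vc01.pem issuing.pem root.pem > chain_complete.pem  # leaf, issuing CA, root

# certs_in BUNDLE -> number of PEM certificates in the file
certs_in() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# chain_verifies BUNDLE ROOT -> 0 if the first certificate in BUNDLE chains
#   up to ROOT using only the other certificates in BUNDLE as intermediates
#   (openssl verify checks the first certificate of the target file), else 1
chain_verifies() {
  local bundle="$1" root="$2"
  openssl verify -CAfile "$root" -untrusted "$bundle" "$bundle" >/dev/null 2>&1
}

for b in chain_incomplete.pem chain_complete.pem; do
  if chain_verifies "$WORK/$b" "$WORK/root.pem"; then
    echo "$b: $(certs_in "$WORK/$b") cert(s), chain OK"
  else
    echo "$b: $(certs_in "$WORK/$b") cert(s), chain INCOMPLETE (issuer missing)"
  fi
done
```

Run the same `openssl verify -CAfile <root> -untrusted <bundle> <bundle>` against the file you are about to hand to vCert; if it does not report OK, the intermediate is missing from the bundle and the import will produce a certificate that clients trusting only the root cannot validate.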

4️⃣ Manage SSL Trust Anchors

  • Validate trust anchors used by Lookup Services
  • Update anchors across SSO domain nodes

5️⃣ Check Configurations

Includes:

  • SSL interception detection
  • STS store alignment (e.g., legacy vs. MACHINE_SSL_CERT)
  • VECS store health and permission checks

6️⃣ Reset All Certificates

Regenerates the following as VMCA-signed certificates:

  • Machine SSL
  • Solution User
  • STS signing

7️⃣ ESXi Certificate Operations

Manage ESXi host certificates:

  • Validate trust alignment between vCenter and ESXi
  • Check DB consistency
  • Replace host certificates (rui.crt, rui.key, castore.pem)

🔁 Requires host service restart & vCenter re-connection.

8️⃣ Restart Services

Options:

  • Restart all VMware services
  • Restart specific service by name

9️⃣ Generate Certificate Report

Outputs a detailed report covering:

  • VECS entries
  • Service Principals
  • STS entries
  • Smart Card and LDAP certs
  • Lookup Service SSL anchors

Saved under: /var/log/vmware/vCert

📌 Summary

The vCert 6.0.0 tool is an essential utility for environments where certificate lifecycle management is critical. Whether you’re replacing a Machine SSL cert, troubleshooting an expired STS signing certificate, or ensuring trust between vCenter and ESXi hosts, vCert provides a safe and guided workflow.

Remember: always use it with caution and ensure full system backups (a vCenter file-based backup or VM snapshot) are in place before making changes.

See the related article on using the Manage Certificates menu to check and replace certificates.

Author: Daniel Micanek

Senior Service Architect, SAP Platform Services Team at Tietoevry | SUSE SCA | vExpert ⭐⭐⭐⭐⭐ | vExpert NSX | VCIX-DCV/NV | VCAP-DCV/NV Design+Deploy | VCP-DCV/NV/CMA/TKO/DTM | NCIE-DP | OCP | Azure Solutions Architect | Certified Kubernetes Administrator (CKA)