Hi all,
We are running VMware 6.5 and pretty much all of the certificates are due to expire over the next few weeks, and the person that set everything up has now left, so I cannot ask how this was set up.
So far I have gone through the following on our sandpit environment:
On the PSC server:
Use certificate-manager menu option 2 to generate a new cert request.
Run the request through the ca server.
Import the new cert to the PSC server.
From the PSC web GUI, log into certificate management for the PSC and renew the __MACHINE_CERT, machine and vsphere-webclient certs.
Log out of certificate management.
Log certificate management into the vCenter appliance.
Use the GUI to renew __MACHINE_CERT, machine and vsphere-webclient, vpxd and vpxd-extension certs.
I have also updated /etc/applmgmt/appliance/new.cert and the config and restarted lighttpd.
At this point everything looks to be OK; most of the websites have the full cert chain if you view the certificates. For some reason the vCenter appliance website cert does not display the chain. If I download the certs from the login page and install them, then this fixes the chain. Should I have to do this on every machine that logs in, or should the chain be included as it is on the PSC webpage login?
Also, on our production system, if you log certificate management into a vCenter appliance and view the solution user certs you can see the chains, but these are not showing on the sandpit. This leads me to think I have missed loading a chain somewhere, but I cannot see it missing from anywhere.
This is how the cert appears in the production PSC certificate manager.
And this is how it looks on the sandpit PSC certificate manager.
Can anyone advise what I might have missed out?