[vCenter] Replacing expired vCenter certificates with the vCert script
Caution! Any change can cause unforeseeable system failures, and remember that 99% of failures are caused by humans! A snapshot is your only salvation! Always take a snapshot before proceeding.
Upload the script
Use scp to upload it to any directory on the vCenter appliance; /root or /tmp is recommended.

If the error shown above appears, the cause is that the default shell of the root account has been changed from bash to appliancesh.
Fix
The following command changes the default shell from /bin/appliancesh back to /bin/bash:
chsh -s /bin/bash root
The root user can then connect with WinSCP without the "too large packet" error.
To return to the Appliance Shell, run:
chsh -s /bin/appliancesh root
Extract the archive
# unzip -q vCert-6.0.1-20250516.zip
# cd vCert-6.0.1-20250516
# chmod +x vCert.py
# ./vCert.py
Run the script
./vCert.py
Accept the risk warning: y
Check the current certificate status
You can also check the expiry dates of the current certificates with a separate one-liner:
for i in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list); do echo STORE $i; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $i --text | egrep "Alias|Not After"; done
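The one-liner above only prints the Not After dates and leaves the arithmetic to you. The following Python is an added example (not part of vCert or the vCenter tooling): it parses the same vecs-cli --text layout, computes days remaining per alias and flags entries that are expired or expire within a warning window. The embedded sample text is constructed, not captured from an appliance.

```python
import re
from datetime import datetime

# Constructed sample in the layout of "vecs-cli entry list --store <store> --text";
# not captured from a real appliance.
SAMPLE_VECS_TEXT = """\
Number of entries in store :	3
Alias :	__MACHINE_CERT
            Not Before: Mar  5 09:41:23 2025 GMT
            Not After : Mar  5 21:41:23 2027 GMT
Alias :	old-root
            Not Before: Jan  1 00:00:00 2015 GMT
            Not After : Jan  1 00:00:00 2025 GMT
Alias :	soon
            Not After : Jun 20 12:00:00 2025 GMT
"""
ALIAS_RE = re.compile(r"^Alias\s*:\s*(\S+)")
NOT_AFTER_RE = re.compile(r"^\s*Not After\s*:\s*(.+?)\s*$")

def parse_not_after(value):
    """'Mar  5 21:41:23 2027 GMT' -> naive UTC datetime; openssl pads the day with spaces."""
    fields = value.split()
    if fields and fields[-1] == "GMT":
        fields = fields[:-1]
    return datetime.strptime(" ".join(fields), "%b %d %H:%M:%S %Y")

def parse_vecs_text(text):
    """Return [(alias, not_after)] for each entry that carries a Not After line."""
    entries, alias = [], None
    for line in text.splitlines():
        m = ALIAS_RE.match(line)
        if m:
            alias = m.group(1)          # every vecs-cli entry starts with an Alias line
            continue
        m = NOT_AFTER_RE.match(line)
        if m and alias is not None:
            entries.append((alias, parse_not_after(m.group(1))))
    return entries

def expiry_report(text, now, warn_days=30):
    """Map alias -> (status, days_left): EXPIRED if past, EXPIRING if <= warn_days, else VALID."""
    report = {}
    for alias, not_after in parse_vecs_text(text):
        days = (not_after - now).days
        status = "EXPIRED" if days < 0 else "EXPIRING" if days <= warn_days else "VALID"
        report[alias] = (status, days)
    return report
```

On the appliance, feed the real output of the vecs-cli loop into expiry_report with datetime.utcnow() as now; entries reported EXPIRING are the ones to renew with vCert before they break services.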
Check the current certificate status. If you do not pick a specific option in a menu, pressing Enter returns to the previous level.
VCF/VVF Certificate Management Utility (version 6.0.1)
-----------------------------------------------------------------
1. Check current certificate status
2. View certificate info
3. Manage certificates
4. Manage SSL trust anchors
5. Check configurations
6. Reset all certificates with VMCA-signed certificates
7. ESXi certificate operations
8. Restart services
9. Generate certificate report
E. Exit
Select an option [1]:
Please enter a Single Sign-On administrator account [administrator@vsphere.local]:
Please provide the password for administrator@vsphere.local:
Checking Certificate Status
-----------------------------------------------------------------
Checking Machine SSL certificate VALID
Checking Solution User certificates:
machine VALID
vsphere-webclient VALID
vpxd VALID
vpxd-extension VALID
hvc VALID
wcp VALID
Checking SMS self-signed certificate VALID
Checking SMS VMCA-signed certificate VALID
Checking data-encipherment certificate VALID
Checking Authentication Proxy certificate VALID
Checking Auto Deploy CA certificate VALID
Checking VMCA certificate VALID
Checking STS Signing Certs & Signing Chains
-----------------------------------------------------------------
Checking TenantCredential-1:
TenantCredential-1 signing certificate VALID
TenantCredential-1 CA certificate VALID
Checking TrustedCertChain-1:
TrustedCertChain-1 signing certificate VALID
TrustedCertChain-1 CA certificate VALID
Checking CA certificates in VMDir [by CN(id)]
-----------------------------------------------------------------
EAB0256952B91C9920F7FA1846F3AABA763BDA67 VALID
Checking CA certificates in VECS [by Alias]
-----------------------------------------------------------------
4bcd7d39afd7b87b4155e4ad190bf4abca5836d0 VALID
Checking VECS Stores
-----------------------------------------------------------------
Checking status and permissions for VECS stores:
MACHINE_SSL_CERT OK
TRUSTED_ROOTS OK
TRUSTED_ROOT_CRLS OK
machine OK
vsphere-webclient OK
vpxd OK
vpxd-extension OK
SMS OK
APPLMGMT_PASSWORD OK
data-encipherment OK
hvc PERMISSIONS
wcp OK
Checking Service Principals
-----------------------------------------------------------------
Node 4564308f-faf0-4bf6-a473-ad8e8c2ace1b:
machine PRESENT
vsphere-webclient PRESENT
vpxd PRESENT
vpxd-extension PRESENT
hvc PRESENT
wcp PRESENT
Checking Certificate Revocation Lists
-----------------------------------------------------------------
Number of CRLs in VECS 1
Checking SSL Trust Anchors
-----------------------------------------------------------------
10.0.0.251 VALID
Checking vCenter Extension Thumbprints
-----------------------------------------------------------------
com.vmware.vcIntegrity (vpxd-extension) MATCHES
com.vmware.vim.eam (vpxd-extension) MATCHES
com.vmware.vlcm.client (vpxd-extension) MATCHES
com.vmware.vmcam (Authentication Proxy) MATCHES
com.vmware.vsan.health (Machine SSL) MATCHES
Checking VMCA Configurations in VCDB
-----------------------------------------------------------------
vpxd.certmgmt.certs.cn.country 'US'
vpxd.certmgmt.certs.cn.email 'vmca@vmware.com'
vpxd.certmgmt.certs.cn.localityName 'Palo Alto'
vpxd.certmgmt.certs.cn.organizationalUnitName 'VMware Engineering'
vpxd.certmgmt.certs.cn.organizationName 'VMware'
vpxd.certmgmt.certs.cn.state 'California'
vpxd.certmgmt.mode 'vmca'
Checking STS Server Configuration
-----------------------------------------------------------------
Checking VECS store configuration OK
Checking STS ConnectionStrings OK
Everything in my current status is normal.
View certificate info
This shows the detailed certificate information for each component.
View vCenter Certificates
-----------------------------------------------------------------
1. Machine SSL certificate
2. Solution User certificates
3. CA certificates in VMware Directory
4. CA certificates in VECS
5. SMS certificates
6. vCenter Extension thumbprints
7. STS signing certificates
8. VMCA certificate
9. Smart Card CA certificates
10. LDAPS Identity Source certificates
Certificate Information
-----------------------------------------------------------------
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
df:73:c0:39:bd:86:24:61
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = CA, DC = vsphere, DC = local, C = US, ST = California, O = localhost, OU = VMware Engineering
Validity
Not Before: Mar 5 09:41:23 2025 GMT
Not After : Mar 5 21:41:23 2027 GMT
Subject: CN = 10.0.0.251, C = US
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (3072 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Subject Alternative Name:
IP Address:10.0.0.251
X509v3 Subject Key Identifier:
50:D7:95:D4:58:08:EA:79:7B:7A:D2:A6:F2:1A:CC:A1:F3:24:84:88
X509v3 Authority Key Identifier:
EA:B0:25:69:52:B9:1C:99:20:F7:FA:18:46:F3:AA:BA:76:3B:DA:67
Authority Information Access:
CA Issuers - URI:https://10.0.0.251/afd/vecs/ca
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
SHA1 Fingerprint=0F:7E:2F:10:5F:78:F8:DA:FF:F2:61:4B:F9:BB:63:DD:BF:F8:D8:39
Certification Path
-----------------------------------------------------------------
[ + ] CA
|_[ + ] 10.0.0.251
Manage certificates
Renew the SSL certificate
VCF/VVF Certificate Management Utility (version 6.0.1)
-----------------------------------------------------------------
1. Check current certificate status
2. View certificate info
3. Manage certificates
4. Manage SSL trust anchors
5. Check configurations
6. Reset all certificates with VMCA-signed certificates
7. ESXi certificate operations
8. Restart services
9. Generate certificate report
E. Exit
Select an option [1]: 3
Manage vCenter Certificates
-----------------------------------------------------------------
1. Machine SSL certificate
2. Solution User certificates
3. CA certificates in VMware Directory
4. CA certificates in VECS Directory
5. SMS certificates
6. vCenter Extension thumbprints
7. STS signing certificates
8. VMCA certificate
9. Smart Card CA certificates
10. LDAPS Identity Source certificates
11. Clear expired certificates in BACKUP_STORE in VECS
12. Clear TRUSTED_ROOT_CRLS store in VECS
13. Clear Machine SSL CSR in VECS
Select an option [Return to main menu]: 1
Select Machine SSL Certificate Replacement Method
-----------------------------------------------------------------
1. Replace Machine SSL certificate with a VMCA-signed certificate
2. Replace Machine SSL certificate with a custom CA-signed certificate
Select an option [Return to the previous menu]: 1
Please enter a Single Sign-On administrator account [administrator@vsphere.local]:
Please provide the password for administrator@vsphere.local:
Certificate Signing Request Information
-----------------------------------------------------------------
Enter the country code [US]:
Enter the Organization name [VMware]:
Enter the Organizational Unit name [VMware Engineering]:
Enter the state [California]:
Enter the locality (city) name [Palo Alto]:
Enter the IP address (optional):
Enter an email address (optional):
Enter any additional hostnames for SAN entries (comma separated value):
Replace Machine SSL Certificate
-----------------------------------------------------------------
Generate certool configuration OK
Regenerate Machine SSL certificate OK
Backing up Machine SSL certificate and private key OK
Updating MACHINE_SSL_CERT certificate OK
Update SSL Trust Anchors (10.0.0.251)
-----------------------------------------------------------------
Updated 45 service(s)
Update vCenter Extension Thumbprints
-----------------------------------------------------------------
com.vmware.vcIntegrity (vpxd-extension) MATCHES
com.vmware.vim.eam (vpxd-extension) MATCHES
com.vmware.vlcm.client (vpxd-extension) MATCHES
com.vmware.vmcam (Authentication Proxy) MATCHES
com.vmware.vsan.health (Machine SSL) UPDATED
Restart VMware services [N]: Y
Updating the SSL certificate on its own is now complete. The other certificates are handled in the same way.