How to Solve vSphere vCenter Certificate Expired Cannot Login
If your vSphere vCenter Certificate is about to expire or has already expired, you will want to renew it to keep vCenter usable. This article shows how to find the expiration dates of vCenter certificates and how to renew them.
Case: vSphere SSL vCenter Certificate expired cannot login?
Hi, I am new to vSphere certificates and I am looking for some help. I have vSphere 7.0, and the current Machine SSL Certificate has been working for the last 2 years, but it’s about to expire and I cannot log in.
I tried to renew it from vSphere, but I got an error saying it is an invalid input certificate. It was configured by default and I don’t know what else I can do to fix this issue. Any help would be appreciated.
- Question from community.spiceworks.com
As you may know, vSphere provides security by using certificates to encrypt communications between two nodes, such as a vCenter Server and an ESXi host, authenticate vSphere services, and perform internal actions such as signing tokens.
However, a vSphere vCenter Certificate has an expiration time. An expired certificate may make vCenter inaccessible and lead to other communication problems with vCenter Server. VMware recommends replacing the certificate if it is set to expire within 6 months.
If you are experiencing the same problem as in the case above (your vCenter Certificate has expired and you cannot log in), or you are just concerned that your vCenter Appliance 6.5 certificate has expired, this article will show you how to find certificate expiration dates and how to renew a vCenter certificate.
How to find vSphere vCenter Certificate expiration dates
An expired certificate may cause vCenter to be inaccessible when connecting from a browser. If the expiry date is more than 6 months away, schedule the certificate replacement for the appropriate time.
To determine when your vSphere certificates need to be renewed, find their expiration dates in advance, for example, when your vCenter Appliance 6.5 certificate will expire. Here are the specific steps.
1. Log in to the vSphere web client and navigate to Menu > Administration.
2. Click Certificates > Certificate Management in the left inventory, and log in to the local host using an Administrator account.
3. Then you can see the certificates and their expiration information.
Note:
1. VMware Security Token Service (STS) certificate information shows in the HTML 5 client only on vCenter Server 7.0 Update 2 and later.
2. An expired STS certificate may cause vCenter to be inaccessible when connecting from a browser. In such cases, you can still view the certificate information using the following vCenter CLI command.
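Added example (not from the original article, and not the CLI command the note above refers to): a Python script that applies the 6-month replacement guideline from this section to a list of certificate end dates, flagging expired and soon-to-expire certificates first. It assumes one `<label>: notAfter=<date>` line per certificate, with dates in the format printed by `openssl x509 -noout -enddate`; the labels, the sample data and the 182-day reading of "6 months" are assumptions.

```python
import re
import ssl
from datetime import datetime, timedelta, timezone

# Constructed sample, one "<label>: notAfter=<date>" line per certificate, with
# dates in the format `openssl x509 -noout -enddate` prints. Labels are hypothetical.
SAMPLE = """\
machine-ssl: notAfter=Mar  3 08:15:42 2025 GMT
solution-user-a: notAfter=Nov 20 23:59:59 2026 GMT
old-signing-cert: notAfter=Jan 10 00:00:00 2024 GMT
lab-host: notAfter=not a date
"""
SAMPLE_NOW = datetime(2024, 12, 1, tzinfo=timezone.utc)  # fixed clock for the sample

LINE_RE = re.compile(r"^\s*(?P<label>[^:]+?)\s*:\s*notAfter=(?P<when>.+?)\s*$")
REPLACE_WINDOW = timedelta(days=182)  # assumption: "within 6 months" taken as 182 days
URGENCY = {"EXPIRED": 0, "UNPARSED": 1, "RENEW": 2, "OK": 3}


def audit(text, now):
    """Return (label, status, days_left) tuples, most urgent first."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a certificate line
        try:
            # Parses OpenSSL's "Mon DD HH:MM:SS YYYY GMT" into epoch seconds (UTC).
            epoch = ssl.cert_time_to_seconds(m["when"])
        except ValueError:
            # An unreadable date is surfaced, never silently treated as healthy.
            rows.append((m["label"], "UNPARSED", None))
            continue
        left = datetime.fromtimestamp(epoch, tz=timezone.utc) - now
        if left <= timedelta(0):
            status = "EXPIRED"
        elif left <= REPLACE_WINDOW:
            status = "RENEW"
        else:
            status = "OK"
        rows.append((m["label"], status, left.days))
    return sorted(rows, key=lambda r: (URGENCY[r[1]], r[2] or 0))


if __name__ == "__main__":
    for label, status, days in audit(SAMPLE, SAMPLE_NOW):
        print(f"{status:8} {label:18} {'-' if days is None else days}")
```

Run on a schedule with `datetime.now(timezone.utc)` as the clock, this gives advance warning before an expired certificate blocks browser logins.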
How to renew vCenter Certificate
If your vSphere vCenter Certificate is about to expire or has already expired, you can replace all VMCA-signed certificates with new VMCA-signed certificates. Renewing selected certificates, or all certificates in your environment, can be done from the Platform Services Controller web interface.
To renew certificates for a vCenter Server system, you have to supply the vCenter Single Sign-On credentials of a user with administrator privileges on that vCenter Server system. Here are the specific steps:
1. Access the vSphere web client or the Platform Services Controller from a web browser, and specify the user name and password for administrator@vsphere.local or another member of the vCenter Single Sign-On Administrators group.
Note: If you specified a different domain during installation, log in as administrator@mydomain.
2. Navigate to Menu > Administration, and click Certificates > Certificate Management from the left inventory. Enter the credentials of your vCenter Server.
3. Select Machine SSL Certificate, and click Actions > Renew. A message appears that the certificate is renewed.
4. You can also renew the Solution User certificates for the local system. Click Actions > Renew to renew individual selected certificates, or click Renew All to renew all solution user certificates.
Note: If your environment includes an external Platform Services Controller, you can then renew the certificates for each vCenter Server system.
Data insurance: image-level ESXi virtual machine backups
vCenter Server is a very convenient official platform for centrally managing multiple ESXi virtual machines and patches, automating ESXi host configuration, and so on. However, it does not provide a virtual machine backup feature. That makes backup software the commonly accepted choice for protecting VM data, and by far the most convenient.
Here I introduce a VMware backup software, AOMEI Cyber Backup. It enables you to back up multiple VMs in 3 simple steps, and it offers the following benefits.
✦ Agentless Backup: create complete and independent image-level backup for VMware ESXi and Hyper-V VMs.
✦ Support Free ESXi: support both paid and free versions of VMware ESXi.
✦ Multiple VM Backup: batch backup large numbers of VMs managed by vCenter Server, or multiple VMs on a standalone ESXi host.
✦ Multiple Storage Destinations: backup to local drive, or network destinations like Windows share or NAS.
✦ Automated Execution: create backup schedules to automate backups daily, weekly, monthly.
✦ Role Assignment: allows one administrator to create sub-accounts with limited privileges.
AOMEI Cyber Backup supports VMware ESXi 6.0 and later versions. Next, I will show you how to back up VMware ESXi VMs with AOMEI Cyber Backup in 3 simple steps.
*You can install this VM backup software on either a Windows or a Linux system.
3 simple steps to backup VMware ESXi VMs
1. Bind Devices: Access the AOMEI Cyber Backup web client and navigate to Source Device > VMware > + Add VMware Device to add a vCenter or standalone ESXi host. Then click … > Bind Device.
2. Create Backup Task: Navigate to Backup Task > + Create New Task, and then set Task Name, Backup Type, Device, Target, Schedule, and Cleanup.
- Device: batch select large numbers of VMs managed by vCenter Server for centralized backup.
- Target: select to back up to a local path, or to a network path.
- Schedule (optional): perform full, differential, or incremental backup, and automate execution according to the frequency you specified.
- Cleanup (optional): automatically delete the old backup copies that exceed the retention period you specified.
3. Run Backup: Click Start Backup and select Add the schedule and start backup now, or Add the schedule only.
Created backup tasks will be listed and monitored separately for restoring, progress checking and schedule changing.
When restoring, you can also restore to new location to create a new VM in the same or another datastore/host directly from the backup, saving the trouble of re-configuring the new VM.
Summary
While VMware vCenter provides a centralized platform for managing multiple ESXi hosts, virtual machines, patches, and all dependent components, it can become unavailable once the certificate expires.
To help you deal with an expired vCenter Certificate that prevents login, this article briefly introduced vSphere certificates and showed how to find their expiration dates and how to renew a vCenter Certificate.