# [[vsv|VMware Virtualization]] Certificate Management

> [!info]- About this page
> - This page applies to the default certificate setup; if you need a custom setup, or already use one, contact a consultant for an assessment
> - This page divides vCenter certificates into the STS certificate and all other certificates

> [!question] Why certificates still need management under the default setup
> - Under the default setup, in some vCenter versions the certificates signed by the internal VMCA expire after two years; once they expire, core services such as vpxd stop

## 1 Certificate lifecycle operations

### 1.1 Set up certificates

> [!abstract] Use the default setup; if you need a custom setup, contact a consultant for an assessment or a design

### 1.2 Check certificates

- Check vCenter certificate validity
  - Check the STS certificate [>>](https://knowledge.broadcom.com/external/article?legacyId=79248)
    - Download the checksts script [KB79248](https://knowledge.broadcom.com/external/article?legacyId=79248)
    - Transfer the file to vCenter [[vsv-operating-tricks|>>]]
    - [[vcenter-bash-shell|vCenter Bash Shell]] -> `python checksts.py`
  - Check the other certificates [>>](https://knowledge.broadcom.com/external/article?legacyId=2015600)
    - [[vcenter-bash-shell|vCenter Bash Shell]] ->
      - `for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do echo "[*] Store :" $store; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $store --text | grep -ie "Alias" -ie "Not After";done;`
    - Save all of the output
- Check ESXi host certificate validity
  - For a single host
    - [[vsphere-client|vSphere Client]] -> `host` -> Configure -> System -> Certificate
  - For multiple hosts
    - [[vsphere-client|vSphere Client]] -> `cluster` -> Hosts -> hidden columns (bottom left), tick **Certificate Valid To**

### 1.3 Monitor certificate validity

- The built-in vSphere alarm "签名证书无效" (signed certificate invalid) indicates that a certificate is about to expire or has already expired

> [!warning] The built-in alarm "签名证书无效" does not cover the STS certificate; the STS certificate must still be checked manually

### 1.4 Renew or replace vCenter certificates

- Assess -> Implement [[renew-vcenter-certificates|...]]

### 1.5 Renew ESXi host certificates

- Prerequisite
  - The vCenter certificates are valid and not expired
- [[vsphere-client|vSphere Client]] -> `host` -> Configure -> Certificate
  - Renew: retrieves a fresh signed certificate for the host from VMCA
  - Refresh CA Certificates: pushes all certificates in the TRUSTED_ROOTS store of the vCenter Server VECS to the host

---

> [!info] Permanent link to this page: https://fillgaps.pro/vsv-operating/vsv-certificate-management

> [!info] Download the latest version of this page as [PDF](https://file.fillgaps.pro/vsv-certificate-management_2404v1.pdf) or [Web](https://file.fillgaps.pro/vsv-certificate-management_2404v1.mht)

> [!info] For corrections or additions to this page, please send an [email](mailto:[email protected]) or a private message to the WeChat official account

---

## 2 Troubleshooting

- [[vsv-certificates-issues|...]]

<!--
- Check vCenter certificate SSL trust
  - Preparation
    - Download the script [KB80469 -> Attachments](https://knowledge.broadcom.com/external/article?legacyId=80469), transfer the file to vCenter [[vsv-operating-tricks|>>]]
    - `unzip lsdoctor.zip`, `cd /tmp/lsdoctor-master`
  - `python lsdoctor.py -l`

## 3 Quick reference

- HTTPS basics [[https-101|>>]]
- Problems when replacing vCenter certificates [[replace-vcenter-certificates-issues|>>]]

### 3.1 vCenter certificate types
-->

## 3 Reference resources

- VMware documentation [[vsv-docs-contents|>>]]
- VMware Knowledge Base [[vsv-kb-contents|>>]]
  - [Checking Expiration of STS Certificate on vCenter Server (79248)](https://knowledge.broadcom.com/external/article?legacyId=79248)
  - [Determining expired SSL certificates in vCenter Server and ESXi 6.x and 7.0.x (2015600)](https://knowledge.broadcom.com/external/article?legacyId=2015600)
  - [Using the 'lsdoctor' Tool (80469)](https://knowledge.broadcom.com/external/article?legacyId=80469)
  - [Verify and resolve expired vCenter Server certificates using command line (82332)](https://knowledge.broadcom.com/external/article?legacyId=82332)
  - [CertificateStatusAlarm - There are certificates that expired or are about to expire / Certificate Status Change Alarm Triggered on VMware vCenter Server (68171)](https://knowledge.broadcom.com/external/article?legacyId=68171)
  - [Removing Expired CA Certificates from the TRUSTED_ROOTS store in the VMware Endpoint Certificate Store (VECS) (2146011)](https://knowledge.broadcom.com/external/article?legacyId=2146011)
  - [Certificate alarm - Clearing BACKUP_STORES certificates in the VCSA (82560)](https://knowledge.broadcom.com/external/article?legacyId=82560)
- VMware technical resources [[vsv-tec-resources-contents|>>]]
- Expert resources [[vsv-sme-resources-contents|>>]]
- Other resources [[other-resources|>>]]

<!--
- [[vsv|VMware Virtualization (VSV)]] <u>Certificate management</u>
  - <u>Fundamentals</u>
    - Certificate locations
      - ESXi certificates
        - provisioned by VMCA by default, when the host is first added to vCenter Server and when it reconnects
        - `/etc/vmware/ssl`
      - ==Machine SSL certificates== %% 2 years %%
        - for secure connections
        - Each vCenter Server node has its own machine SSL certificate.
        - Use cases
          - reverse proxy service
          - vCenter Server service (vpxd)
          - VMware Directory Service (vmdir)
      - Solution user certificates
        - authenticate to vCenter Single Sign-On through SAML token exchange
        - `machine`
          - license server
          - logging service
        - `vpxd`
          - vCenter Server service (vpxd)
        - `vpxd-extension`
          - Auto Deploy service
          - inventory service
          - other services
        - `vsphere-webclient`
          - vSphere Client
          - performance chart service
        - `wcp`
          - vSphere with Tanzu
      - Internal certificates
        - vCenter Single Sign-On SSL signing certificate %% STS certificate %%
        - VMware Directory Service (VMDIR) SSL certificate
          - In vSphere 6.5 and later, the machine SSL certificate is used as the VMware directory certificate.
        - vSphere Virtual Machine Encryption certificates
        - SMS self-signed certificates
      - See more [Where vSphere Uses Certificates](https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-authentication/GUID-3AF7757E-A30E-4EEC-8A41-28DA72102520.html)
    - VMCA Root
    - MACHINE SSL
    - Secure Token Signing (STS)
    - Solution Users
    - LookupService or STS_INTERNAL_SSL_CERT (if exists)
    - data-encipherment
    - SMS
    - vSphere certificate interfaces
      - See more [Managing vCenter Server Certificates](https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-authentication/GUID-CC07CA3C-FAE3-4987-B844-8B4A53C3E1FC.html)
  - Quick references
    - ==Impact when certificates expire==
      - Expired vCenter certificates cause [[vpxd-service-start-issues|vpxd service start issues]]
        - Machine SSL certificates (2 years)
        - STS / signing certificates
        - Solution user certificates
      - Expired ESXi certificates: no impact
    - Resources at a glance
      - [vSphere Authentication](https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-authentication/GUID-31D0128A-8772-4355-839D-40F8453640AB.html)
      - [vSphere Certificate Management | VMware](https://core.vmware.com/certificate-management)
      - [vSphere Certificate Management Questions & Answers | VMware](https://core.vmware.com/vsphere-certificate-management-questions-answers)
      - [Demystifying SSL Certificates | VMware](https://core.vmware.com/blog/demystifying-ssl-certificates)
  - Understanding
  - Delivering
    - Design
      - ==VMCA Default Certificates== %% No Design %%
      - VMCA Default Certificates with External SSL Certificates (Hybrid Mode)
    - Deploy
      - ==VMCA Default Certificates== %% No Deploy %%
  - Operating
    - Monitor
      - **Certificate Status**
      - See more
    - Routine maintenance
      - Renew every two years or less
        - [[vsv-certificate-management]]
        - ==[[replace-vcenter-certificates-signed-by-default-vmca|Replace vCenter Certificates signed by default VMCA]]==
      - Clear vCenter certificates
        - See more
          - [Removing Expired CA Certificates from the TRUSTED_ROOTS store in the VMware Endpoint Certificate Store (VECS) (2146011)](https://knowledge.broadcom.com/external/article?legacyId=2146011)
          - [Certificate alarm - Clearing BACKUP_STORES certificates in the VCSA (82560)](https://knowledge.broadcom.com/external/article?legacyId=82560)
  - Troubleshooting
    - [[vcenter-certificates-issues|vCenter Certificates Issues]]
-->
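The check in section 1.2 ends with "save all of the output", and section 1.3 notes that the built-in alarm is not a complete substitute for that manual check. The following script is an added example, not part of the original page or of any VMware tool: it parses the text saved from the section 1.2 `vecs-cli` loop and lists the VECS entries that have expired or fall inside a warning window, so the saved output can be turned into a scheduled, repeatable check. It assumes the saved text has the shape that loop prints (one `[*] Store : NAME` line per store, followed by `Alias :` and `Not After :` lines per entry, with the OpenSSL date format `Mon DD HH:MM:SS YYYY GMT`). `SAMPLE_OUTPUT` and `REFERENCE_NOW` are constructed for the demonstration; the STS certificate is not in VECS and still needs `checksts.py`.

```python
"""Flag expired / soon-expiring VECS entries from saved vecs-cli output.

Added example, not part of the original page. Input is assumed to be the text
saved from the section 1.2 loop: "[*] Store : NAME" lines, then "Alias :" and
"Not After :" lines for each entry in that store.
"""
import re
import sys
from datetime import datetime, timezone

# Constructed sample of what the section 1.2 loop prints. Store names are real
# VECS store names; the aliases and dates are made up for the example.
SAMPLE_OUTPUT = """\
[*] Store : MACHINE_SSL_CERT
Alias :\t__MACHINE_CERT
            Not After : Mar  1 08:00:00 2025 GMT
[*] Store : TRUSTED_ROOTS
Alias :\t0123456789abcdef0123456789abcdef01234567
            Not After : Jan 15 08:00:00 2035 GMT
Alias :\tfedcba9876543210fedcba9876543210fedcba98
            Not After : Feb 10 08:00:00 2024 GMT
[*] Store : machine
Alias :\tmachine
            Not After : Apr 20 08:00:00 2025 GMT
"""

# Constructed "current time" so the example is deterministic.
REFERENCE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)

STORE_RE = re.compile(r"^\[\*\] Store\s*:\s*(\S+)")
ALIAS_RE = re.compile(r"^Alias\s*:\s*(\S+)")
NOT_AFTER_RE = re.compile(r"Not After\s*:\s*(.+?)\s*$")


def parse_not_after(value):
    """Turn an OpenSSL 'Not After' value ('Mar  1 08:00:00 2025 GMT') into an aware UTC datetime."""
    normalized = " ".join(value.split())  # collapse OpenSSL's padded day ("Mar  1")
    if normalized.endswith(" GMT"):
        normalized = normalized[:-4]
    return datetime.strptime(normalized, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def parse_vecs_output(text):
    """Return (store, alias, not_after) tuples in the order they appear in the saved output."""
    entries = []
    store = alias = None
    for raw in text.splitlines():
        line = raw.strip()
        m = STORE_RE.match(line)
        if m:
            store = m.group(1)
            continue
        m = ALIAS_RE.match(line)
        if m:
            alias = m.group(1)
            continue
        m = NOT_AFTER_RE.search(line)
        if m and store and alias:
            entries.append((store, alias, parse_not_after(m.group(1))))
            alias = None  # one 'Not After' line per alias; guard against stray lines
    return entries


def classify(entries, now, warn_days=90):
    """Attach days remaining and a status of 'expired', 'expiring' or 'ok' to each entry."""
    report = []
    for store, alias, not_after in entries:
        days_left = (not_after - now).days
        if days_left < 0:
            status = "expired"
        elif days_left <= warn_days:
            status = "expiring"
        else:
            status = "ok"
        report.append((store, alias, days_left, status))
    return report


def needs_attention(text, now=None, warn_days=90):
    """Entries that are expired or inside the warning window, soonest-expiring first."""
    now = now or datetime.now(timezone.utc)
    flagged = [r for r in classify(parse_vecs_output(text), now, warn_days) if r[3] != "ok"]
    return sorted(flagged, key=lambda r: r[2])


if __name__ == "__main__":
    # Usage: python vecs_expiry_report.py saved-output.txt   (file name is an assumption)
    saved = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    for store, alias, days_left, status in needs_attention(saved):
        print(f"{status:8} {store:18} {alias:42} days_left={days_left}")
```

Run it against the file saved in section 1.2 (the file name in the usage line is an assumption). An expired entry in `TRUSTED_ROOTS` is reported too; KB 2146011 in section 3 covers removing such entries, while an expired or expiring `MACHINE_SSL_CERT` or solution-user entry points to section 1.4.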