VMCA Cross-Signed cert time errors

I’ve been looking at updating our vCenter certificate managers to use certificates signed by our internal PKI. Having not done a huge amount of work with certs, it’s a little daunting, but running through the process on a nested test lab reduces the stress factor – it’s not really an issue even if it all screws up.

The process is fairly well documented here (and here for updating the vmhost certs), but I found some odd errors that threw me.

Issue 1 – Can’t install the cert for an hour after it’s been signed.

If you try to install the certificate straight away you get an error and it rolls back the update. Looking in the log (/var/log/vmware/vmcad/certificate-manager.log) I found this error:

2018-11-21T15:26:45.424Z INFO certificate-manager Command output :-
 Using config file : /var/tmp/vmware/MACHINE_SSL_CERT.cfg
Error: 70034, VMCAGetSignedCertificatePrivate() failedStatus : Failed
Error Code : 70034
Error Message : Start Time Error

Simply waiting until the certificate is more than an hour old allows the cert to be successfully installed. No idea why…

Issue 2 – Can’t deploy updated certs to vmhosts until the certificate is more than 24h old

If you try and update vmhost certificates straight away, the task errors with the message shown in the screenshot: [Screen Shot 2018-11-23 at 13.58.58]

Again, simply waiting until the certificate is more than 24h old allows certificates to be deployed successfully.
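Both issues come down to how old the certificate is when you attempt each step, so the useful check is to compare the cert’s notBefore with the time of the attempt. The script below is an added example (not from the original post or from VMware): it parses the `notBefore=` line printed by `openssl x509 -noout -startdate`, pulls the timestamps of any "Error Code : 70034" entries out of a certificate-manager.log excerpt, and reports how long you still have to wait for the one-hour and 24-hour thresholds observed above. The notBefore value is assumed; the log excerpt is the one quoted in the post.

```python
import re
from datetime import datetime, timedelta, timezone

# Minimum ages observed in the post; empirical, not documented VMware limits.
MACHINE_SSL_MIN_AGE = timedelta(hours=1)   # before certificate-manager accepts the cert
HOST_PUSH_MIN_AGE = timedelta(hours=24)    # before vCenter will push certs to hosts
START_TIME_ERROR_CODE = "70034"            # "Start Time Error" in certificate-manager.log
LOG_TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+Z)\b")

def parse_openssl_startdate(line):
    """Parse 'notBefore=Nov 21 15:02:11 2018 GMT' (output of
    `openssl x509 -noout -startdate -in cert.pem`) into an aware UTC datetime."""
    m = re.match(r"notBefore=(.+ GMT)\s*$", line.strip())
    if not m:
        raise ValueError("unexpected openssl output: %r" % line)
    return datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def find_start_time_errors(log_text):
    """Return timestamps of log entries whose command output contains
    'Error Code : 70034'. Output lines carry no timestamp, so each error is
    attributed to the nearest timestamped line above it."""
    hits, current_ts = [], None
    for line in log_text.splitlines():
        m = LOG_TS_RE.match(line)
        if m:
            current_ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
        elif re.search(r"Error Code\s*:\s*" + START_TIME_ERROR_CODE + r"\b", line) and current_ts:
            hits.append(current_ts)
    return hits

def readiness(not_before, now):
    """Compare the cert's notBefore with `now` (time of the attempt) and report
    whether each step's observed minimum age has elapsed, and the remaining wait."""
    age, zero = now - not_before, timedelta(0)
    return {
        "not_before_in_future": age < zero,   # clock skew between CA and vCenter: check NTP first
        "machine_ssl_ready": age >= MACHINE_SSL_MIN_AGE,
        "machine_ssl_wait": max(MACHINE_SSL_MIN_AGE - age, zero),
        "host_push_ready": age >= HOST_PUSH_MIN_AGE,
        "host_push_wait": max(HOST_PUSH_MIN_AGE - age, zero),
    }

# Constructed sample: the log excerpt quoted in the post plus an assumed notBefore
# for the certificate that failed (the post does not give it).
SAMPLE_LOG = """2018-11-21T15:26:45.424Z INFO certificate-manager Command output :-
 Using config file : /var/tmp/vmware/MACHINE_SSL_CERT.cfg
Error: 70034, VMCAGetSignedCertificatePrivate() failedStatus : Failed
Error Code : 70034
Error Message : Start Time Error
"""
SAMPLE_STARTDATE = "notBefore=Nov 21 15:02:11 2018 GMT"

if __name__ == "__main__":
    nb = parse_openssl_startdate(SAMPLE_STARTDATE)
    for ts in find_start_time_errors(SAMPLE_LOG):
        r = readiness(nb, ts)
        print("attempt at", ts.isoformat(), "cert age", ts - nb)
        print("  machine SSL ready:", r["machine_ssl_ready"], "wait", r["machine_ssl_wait"])
        print("  host push ready:  ", r["host_push_ready"], "wait", r["host_push_wait"])
```

A notBefore reported as being in the future means the issuing CA and the vCenter clocks disagree, which is worth fixing before waiting out the thresholds.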