How to Renew VxRail Manager Certificate with an AD CA Manually

This guide provides a step-by-step process to renew your VxRail Manager certificate using an Active Directory Certificate Authority (CA) manually.


The instructions apply to VxRail 7.0.010 release and later, as well as version 8.x.


Step 1: Take a Snapshot of VxRail Manager

Before making any changes, create a snapshot of VxRail Manager with memory to ensure you have a backup in case anything goes wrong.


Step 2: Log into VxRail Manager via SSH

Access the VxRail Manager over SSH using the "mystic" user, then switch to root by using the following command:

su root


Step 3: Backup the SSL Certificates

Create a backup of the current SSL certificates by copying them to a temporary directory.

mkdir /tmp/ssl
cp /etc/vmware-marvin/ssl/* /tmp/ssl/


Step 4: Generate a New Private Key

Generate a 4096-bit RSA private key on VxRail Manager with the following OpenSSL command:

env OPENSSL_FIPS=1 openssl-1.0.2 genrsa -out /etc/vmware-marvin/ssl/server.key 4096


Step 5: Set Proper Permissions on the Key

Adjust the file permissions to ensure only the appropriate users have access:

chmod 640 /etc/vmware-marvin/ssl/server.key


Step 6: (Optional) Modify CA Configuration

If you need to edit the certificate password or other configuration details, modify the "/etc/vmware-marvin/ssl/ca.cnf" file using the vi text editor.


Step 7: Generate the Certificate Signing Request (CSR)

Create the CSR with the following OpenSSL command. This request will be submitted to your CA.

env OPENSSL_FIPS=1 openssl-1.0.2 req -config /etc/vmware-marvin/ssl/ca.cnf -new -key /etc/vmware-marvin/ssl/server.key -out /etc/vmware-marvin/ssl/server.csr

Note: You can customize the certificate settings by editing the ca.cnf file before generating the CSR.


Step 8: View the CSR and Copy Its Contents

Display the contents of the CSR and copy everything, including the dashes.

cat /etc/vmware-marvin/ssl/server.csr
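Steps 3 to 8 are easy to rehearse before touching the appliance. The script below is an added example, not code from the original post or from Dell: it performs the backup, key generation, permission change and CSR generation in a scratch directory, and then checks what the commands above do not check, namely that the CSR's self-signature verifies and that its public key belongs to the private key that will later be pasted into VxRail Manager. It assumes a plain "openssl" binary on PATH (OPENSSL_BIN, KEY_BITS, the hostname vxm.example.local and the address 192.0.2.10 are all assumptions for the example); on VxRail Manager you would set OPENSSL_BIN=openssl-1.0.2 and OPENSSL_FIPS=1 and point it at /etc/vmware-marvin/ssl with the real ca.cnf.

```shell
#!/bin/sh
# Added example (not from the original post or from Dell): rehearse the key
# and CSR generation of Steps 3-8 and self-check the result.
# Assumptions: OPENSSL_BIN defaults to plain "openssl" so it runs anywhere;
# on VxRail Manager use OPENSSL_BIN=openssl-1.0.2 with OPENSSL_FIPS=1 to match
# the guide. The directory and config are passed in so nothing here touches
# /etc/vmware-marvin/ssl unless you ask it to.
set -eu

OPENSSL_BIN="${OPENSSL_BIN:-openssl}"
KEY_BITS="${KEY_BITS:-4096}"

# Write a minimal, constructed request config (a stand-in for ca.cnf) to $1.
# The hostname and IP are example values.
write_sample_cnf() {
    cat > "$1" <<'EOF'
[ req ]
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext

[ dn ]
CN = vxm.example.local
O = Example Org

[ req_ext ]
subjectAltName = DNS:vxm.example.local, IP:192.0.2.10
EOF
}

# Back up whatever is in $1, then create server.key and server.csr there
# using the request config $2. Mirrors Steps 3, 4, 5 and 7; prints the CSR path.
make_key_and_csr() {
    dir="$1"; cnf="$2"
    backup="${dir}/backup-$(date +%Y%m%d%H%M%S)"
    mkdir -p "$backup"
    # Step 3: keep a copy of the existing files before overwriting anything.
    for f in "$dir"/*; do
        if [ -f "$f" ]; then cp "$f" "$backup"/; fi
    done
    # Step 4: new RSA private key.
    "$OPENSSL_BIN" genrsa -out "$dir/server.key" "$KEY_BITS" 2>/dev/null
    # Step 5: owner read/write, group read, nothing for others.
    chmod 640 "$dir/server.key"
    # Step 7: CSR from the config; the SAN comes from req_extensions.
    "$OPENSSL_BIN" req -config "$cnf" -new -key "$dir/server.key" -out "$dir/server.csr"
    echo "$dir/server.csr"
}

# Return 0 when the CSR's self-signature verifies and its public key is the
# one derived from the given private key; 1 otherwise.
csr_matches_key() {
    csr="$1"; key="$2"
    "$OPENSSL_BIN" req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
    csr_mod=$("$OPENSSL_BIN" req -in "$csr" -noout -modulus)
    key_mod=$("$OPENSSL_BIN" rsa -in "$key" -noout -modulus 2>/dev/null)
    [ "$csr_mod" = "$key_mod" ]
}

# Print subject and SAN so they can be eyeballed before submission to the CA.
show_csr_summary() {
    "$OPENSSL_BIN" req -in "$1" -noout -subject
    "$OPENSSL_BIN" req -in "$1" -noout -text | grep -A1 'Subject Alternative Name' || true
}

# Stand-alone rehearsal in a scratch directory: sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    write_sample_cnf "$work/ca.cnf"
    csr=$(make_key_and_csr "$work" "$work/ca.cnf")
    csr_matches_key "$csr" "$work/server.key" && echo "CSR matches server.key"
    show_csr_summary "$csr"
    cat "$csr"   # Step 8: this is the text pasted into the CA request form
fi
```

The modulus comparison is the check worth keeping: a CSR generated from the wrong key file (for example after a second genrsa run) is accepted by the CA without complaint and only fails when the certificate and key are pasted into VxRail Manager in Step 13.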


Step 9: Submit the CSR to the Certificate Authority (CA)

  • If you are using Microsoft CA, access your certificate server through "http://<cert-server>/certsrv/".
  • Choose "Request a certificate" and "Advanced certificate request".
  • Select the "Web Server" template and paste the contents of the CSR into the request box.
  • Choose "Base 64 encoded" and download the certificate.


Step 10: Export the Certificate and Root Certificate

  • Open the downloaded certificate and choose "Copy to File" in the details pane, saving it as "vxmgr.cer" in Base-64 encoded format.
  • In the certification path pane, select the root certificate, view its details, and export it as "root.cer" in Base-64 format.


Step 11: Convert the Private Key to RSA Format

Convert the private key to RSA format with the following command:

openssl rsa -in /etc/vmware-marvin/ssl/server.key -out /etc/vmware-marvin/ssl/rsa.key


Step 12: View the RSA Key and Copy Its Contents

Use the "cat" command to display the contents of the RSA key, then copy everything.

cat /etc/vmware-marvin/ssl/rsa.key


Step 13: Update the Certificate in VxRail Manager

In the vCenter, navigate to the cluster:

  • Select Configure → VxRail → Certificate.
  • In the "Certificate file content" field, paste the contents of vxmgr.cer.
  • In the "Private key file content" field, paste the contents of rsa.key.
  • In the "Certificate chain content" field, paste the contents of root.cer.
    The chain may also include an intermediate certificate that you need to export and paste; the root must come first, followed by the intermediate.
  • Once all fields are filled out, click the "Update" button. This will restart the VxRail Manager services.


Step 14: Run the Certificate Utility Script

Execute the cert_util.py script to finalize the certificate update. You can find more details here.


Step 15: Verify the Certificate

To ensure the new certificate is trusted, open a browser and navigate to the VxRail Manager API documentation page:

https://<VxM_IP>/rest/vxm/api-doc.html


Step 16: Check VxRail SSL Thumbprint on vCenter

Make sure that the VxRail-SSL-Thumbprint in the vCenter custom attributes matches the output of the following command.

openssl s_client -connect localhost:443 </dev/null 2>/dev/null | openssl x509 -fingerprint -noout -sha1
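The pieces pasted in Step 13 (vxmgr.cer, rsa.key and the root/intermediate chain) and the thumbprint compared in Step 16 can all be checked from the files before and after the update. The following script is an added example, not code from the original post or from Dell. It checks that the certificate's public key belongs to the private key, that the first certificate in the chain file is self-signed (the root-first order Step 13 requires), that the leaf actually validates against that chain, and it prints the SHA-1 thumbprint from the certificate file and from the live endpoint so both can be compared with the vCenter custom attribute. It assumes a plain "openssl" on PATH (OPENSSL_BIN is an assumption; the guide's appliance uses openssl-1.0.2) and takes file paths as arguments so it can be rehearsed against a throwaway test PKI.

```shell
#!/bin/sh
# Added example (not from the original post or from Dell): post-renewal checks
# for the material handled in Steps 11-16.
# Assumptions: OPENSSL_BIN defaults to plain "openssl"; paths are arguments,
# so nothing here is tied to /etc/vmware-marvin/ssl.
set -eu

OPENSSL_BIN="${OPENSSL_BIN:-openssl}"

# SHA-1 thumbprint of a PEM certificate file, printed as "AA:BB:CC:...",
# which is the value to compare with the VxRail-SSL-Thumbprint attribute.
cert_sha1_thumbprint() {
    "$OPENSSL_BIN" x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//'
}

# Thumbprint of the certificate the live endpoint actually serves.
# </dev/null makes s_client exit instead of waiting for keyboard input.
live_sha1_thumbprint() {
    host="$1"; port="${2:-443}"
    "$OPENSSL_BIN" s_client -connect "$host:$port" </dev/null 2>/dev/null \
        | "$OPENSSL_BIN" x509 -noout -fingerprint -sha1 | sed 's/^.*=//'
}

# 0 when the certificate's public key is derived from the private key,
# i.e. the rsa.key pasted in Step 13 is the one the CSR was made from.
cert_matches_key() {
    cert_mod=$("$OPENSSL_BIN" x509 -in "$1" -noout -modulus)
    key_mod=$("$OPENSSL_BIN" rsa -in "$2" -noout -modulus 2>/dev/null)
    [ "$cert_mod" = "$key_mod" ]
}

# 0 when the first certificate in the chain file is self-signed
# (subject equals issuer), i.e. the root comes first as Step 13 requires.
chain_starts_with_root() {
    first=$(awk '/BEGIN CERTIFICATE/{p=1} p{print} /END CERTIFICATE/{exit}' "$1")
    subj=$(printf '%s\n' "$first" | "$OPENSSL_BIN" x509 -noout -subject)
    iss=$(printf '%s\n' "$first" | "$OPENSSL_BIN" x509 -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# 0 when the leaf certificate $1 builds a valid path using only the
# certificates in chain file $2 (root plus any intermediate).
leaf_verifies_against_chain() {
    "$OPENSSL_BIN" verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Print ok/FAIL for one check without aborting the script.
report() {
    if "$@"; then echo "ok:   $1"; else echo "FAIL: $1"; fi
}

# Stand-alone use: sh this_script.sh --check vxmgr.cer rsa.key chain.cer [host]
if [ "${1:-}" = "--check" ] && [ $# -ge 4 ]; then
    report cert_matches_key "$2" "$3"
    report chain_starts_with_root "$4"
    report leaf_verifies_against_chain "$2" "$4"
    echo "file thumbprint: $(cert_sha1_thumbprint "$2")"
    if [ $# -ge 5 ]; then
        echo "live thumbprint: $(live_sha1_thumbprint "$5")"
    fi
fi
```

Running the --check form once before clicking Update in Step 13 catches a mismatched key or a chain in the wrong order while the old certificate is still in place; running it again afterwards, with the VxRail Manager address as the last argument, gives the two thumbprints that Step 16 says must agree with the vCenter custom attribute.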


By following these steps, you will have successfully renewed your VxRail Manager certificate with your AD Certificate Authority manually. Always ensure the SSL thumbprint is consistent between VxRail and vCenter to avoid any issues with VxRail add-on connectivity on vCenter.

Note: If the VxRail Manager certificate has expired and the VxRail plugin UI is not displaying correctly, you can resolve this by running the cert_util.py script with the "-r" argument:

python cert_util.py -r

Once the plugin is functioning as expected, proceed with applying the new certificate through the VxRail plugin.
