SSH<\/p>\n\n\n\n
log on to the vCenter server using SSH using the root account and type<\/p>\n\n\n\n
shell
for store in $(\/usr\/lib\/vmware-vmafd\/bin\/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do echo “[*] Store :” $store; \/usr\/lib\/vmware-vmafd\/bin\/vecs-cli entry list –store $store –text | grep -ie “Alias” -ie “Not After”;done;<\/p>\n\n\n\n
You will get a list of all the certs (not the STS cert) on the vCenter.
Check the expiry date to see if any have or are going to expire.<\/p>\n\n\n\n
Web interface<\/p>\n\n\n\n
Go to the Admin menu and select Administration<\/p>\n\n\n\n Then on the left select Certificate Management.<\/p>\n\n\n\n To renew the certs you will need to run the Checking the STS Certificate<\/strong><\/p>\n\n\n\n The STS (Security Token Service) is not listed above and when that expires nothing is going to work. It used be visible in the flash UI in the same place as all the other certs. But not anymore. Before making any changes make sure you have a backup and\/or snapshot of the vCenter\/PSC you are working on.<\/p>\n\n\n\n I go straight to downloading the Checksts.py script<\/p>\n\n\n\n I find the easy way is to simple SSH to the vCenter. open vi, paste in the contacts of the script and save it.<\/p>\n\n\n\n Shell Paste in the code and python checksts.py if you get a syntax error then check the script as some times the first couple of lines to not get copyed in.<\/p>\n\n\n\n You will get a list of the 2 STS certs and there expiry date. If they need to be renewed keep reading.<\/p>\n\n\n\n Renewing STS certs<\/strong><\/p>\n\n\n\n Please do not just blindly follow the below steps. Read the KB articles so you understand what you are doing.<\/p>\n\n\n\n There are certificate that expired or about to expire<\/a> Again, I find the easy way is to simply SSH to the vCenter. open vi, paste in the contacts of the script and save it.<\/p>\n\n\n\n Shell Paste in the code and chmod +x fixsts.sh Now you can restart services or reboot the vCenter<\/p>\n\n\n\n service-control –stop –all I will list the scripts below for easy copy and pasting.<\/p>\n\n\n\n I hope this is of use.<\/p>\n\n\n\n <\/p>\n\n\n\n checksts.pl<\/p>\n\n\n <\/p>\n\n\n\n fixsts.sh<\/p>\n\n\n If you look after a vCenter or VCSA at some point you are going to have the certificates expire on you. And if you look after a lot of vCenter servers then expiring Certs are a constant headache that pops up just at the time that is most inconvenient. VMWare detail that only in some…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[44,1,43],"tags":[125,126,47,127,128,20,46],"class_list":["post-634","post","type-post","status-publish","format-standard","hentry","category-fix","category-uncategorized","category-vmware","tag-cert","tag-certificate","tag-expired","tag-expiring","tag-sts","tag-vcenter","tag-vcsa"],"_links":{"self":[{"href":"https:\/\/www.jasonstreet.com\/index.php?rest_route=\/wp\/v2\/posts\/634","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.jasonstreet.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.jasonstreet.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.jasonstreet.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.jasonstreet.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=634"}],"version-history":[{"count":3,"href":"https:\/\/www.jasonstreet.com\/index.php?rest_route=\/wp\/v2\/posts\/634\/revisions"}],"predecessor-version":[{"id":682,"href":"https:\/\/www.jasonstreet.com\/index.php?rest_route=\/wp\/v2\/posts\/634\/revisions\/682"}],"wp:attachment":[{"href":"https:\/\/www.jasonstreet.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=634"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.jasonstreet.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=634"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.jasonstreet.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=634"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}![\"\"](\"http:\/\/192.168.8.14\/wp-content\/uploads\/2021\/03\/image.png\")
![\"\"](\"http:\/\/192.168.8.14\/wp-content\/uploads\/2021\/03\/image-1-1024x423.png\")
Certificate manager<\/a><\/p>\n\n\n\n
A useful KB is here<\/a> that details determining if the STS cert has expired. If the vCenter has been rebooted then I do not get the error in the vpxd-svcs.log. The KB for renewing the cert is here<\/a><\/p>\n\n\n\n
cd \/tmp
vi checksts.py<\/p>\n\n\n\n
type [Esc] then : then w! [enter]
type [Esc] then : then q [enter]
You can now run the script using <\/p>\n\n\n\n
<\/p>\n\n\n\n
Signing certificate is not valid<\/a><\/p>\n\n\n\n
cd \/tmp
vi fixsts.sh<\/p>\n\n\n\n
type [Esc] then : then w! [enter]
type [Esc] then : then q [enter]
You now need to make the script executable and then it can be run.<\/p>\n\n\n\n
.\/fixsts.sh<\/p>\n\n\n\n
service-control –start –all<\/p>\n\n\n\n\n#!\/opt\/vmware\/bin\/python\n\n\n"""\nCopyright 2020-2022 VMware, Inc. All rights reserved. -- VMware Confidential\nAuthor: Keenan Matheny (keenanm@vmware.com)\n\n"""\n##### BEGIN IMPORTS #####\n\nimport os\nimport sys\nimport json\nimport subprocess\nimport re\nimport pprint\nimport ssl\nfrom datetime import datetime, timedelta\nimport textwrap\nfrom codecs import encode, decode\nimport subprocess\nfrom time import sleep\ntry:\n # Python 3 hack.\n import urllib.request as urllib2\n import urllib.parse as urlparse\nexcept ImportError:\n import urllib2\n import urlparse\n\nsys.path.append(os.environ['VMWARE_PYTHON_PATH'])\nfrom cis.defaults import def_by_os\nsys.path.append(os.path.join(os.environ['VMWARE_CIS_HOME'],\n def_by_os('vmware-vmafd\/lib64', 'vmafdd')))\nimport vmafd\nfrom OpenSSL.crypto import (load_certificate, dump_privatekey, dump_certificate, X509, X509Name, PKey)\nfrom OpenSSL.crypto import (TYPE_DSA, TYPE_RSA, FILETYPE_PEM, FILETYPE_ASN1 )\n\ntoday = datetime.now()\ntoday = today.strftime("%d-%m-%Y")\n\nvcsa_kblink = "https:\/\/kb.vmware.com\/s\/article\/76719"\nwin_kblink = "https:\/\/kb.vmware.com\/s\/article\/79263"\n\n##### END IMPORTS #####\n\nclass parseCert( object ):\n # Certificate parsing\n\n def format_subject_issuer(self, x509name): \n items = []\n for item in x509name.get_components():\n items.append('%s=%s' % (decode(item[0],'ascii'), decode(item[1],'ascii')))\n return ", ".join(items)\n\n def format_asn1_date(self, d):\n return datetime.strptime(decode(d,'ascii'), '%Y%m%d%H%M%SZ').strftime("%Y-%m-%d %H:%M:%S GMT")\n\n def merge_cert(self, extensions, certificate):\n z = certificate.copy()\n z.update(extensions)\n return z\n\n def __init__(self, certdata):\n\n built_cert = certdata\n self.x509 = load_certificate(FILETYPE_PEM, built_cert)\n keytype = self.x509.get_pubkey().type()\n keytype_list = {TYPE_RSA:'rsaEncryption', TYPE_DSA:'dsaEncryption', 408:'id-ecPublicKey'}\n extension_list = ["extendedKeyUsage",\n "keyUsage",\n "subjectAltName",\n "subjectKeyIdentifier",\n "authorityKeyIdentifier"]\n key_type_str = keytype_list[keytype] if keytype in keytype_list else 'other'\n\n certificate = {}\n extension = {}\n for i in range(self.x509.get_extension_count()):\n critical = 'critical' if self.x509.get_extension(i).get_critical() else ''\n\n if decode(self.x509.get_extension(i).get_short_name(),'ascii') in extension_list:\n extension[decode(self.x509.get_extension(i).get_short_name(),'ascii')] = self.x509.get_extension(i).__str__()\n\n certificate = {'Thumbprint': decode(self.x509.digest('sha1'),'ascii'), 'Version': self.x509.get_version(),\n 'SignatureAlg' : decode(self.x509.get_signature_algorithm(),'ascii'), 'Issuer' :self.format_subject_issuer(self.x509.get_issuer()), \n 'Valid From' : self.format_asn1_date(self.x509.get_notBefore()), 'Valid Until' : self.format_asn1_date(self.x509.get_notAfter()),\n 'Subject' : self.format_subject_issuer(self.x509.get_subject())}\n \n combined = self.merge_cert(extension,certificate)\n cert_output = json.dumps(combined)\n\n self.subjectAltName = combined.get('subjectAltName')\n self.subject = combined.get('Subject')\n self.validfrom = combined.get('Valid From')\n self.validuntil = combined.get('Valid Until')\n self.thumbprint = combined.get('Thumbprint')\n self.subjectkey = combined.get('subjectKeyIdentifier')\n self.authkey = combined.get('authorityKeyIdentifier')\n self.combined = combined\n\nclass parseSts( object ):\n\n def __init__(self):\n self.processed = []\n self.results = {}\n self.results['expired'] = {}\n self.results['expired']['root'] = []\n self.results['expired']['leaf'] = []\n self.results['valid'] = {}\n self.results['valid']['root'] = []\n self.results['valid']['leaf'] = []\n\n def get_certs(self,force_refresh):\n urllib2.getproxies = lambda: {}\n vmafd_client = vmafd.client('localhost')\n domain_name = vmafd_client.GetDomainName()\n\n dc_name = vmafd_client.GetAffinitizedDC(domain_name, force_refresh)\n if vmafd_client.GetPNID() == dc_name:\n url = (\n 'http:\/\/localhost:7080\/idm\/tenant\/%s\/certificates?scope=TENANT'\n % domain_name)\n else:\n url = (\n 'https:\/\/%s\/idm\/tenant\/%s\/certificates?scope=TENANT'\n % (dc_name,domain_name))\n return json.loads(urllib2.urlopen(url).read().decode('utf-8'))\n\n def check_cert(self,certificate):\n cert = parseCert(certificate)\n certdetail = cert.combined\n\n # Attempt to identify what type of certificate it is\n if cert.authkey:\n cert_type = "leaf"\n else:\n cert_type = "root"\n \n # Try to only process a cert once\n if cert.thumbprint not in self.processed:\n # Date conversion\n self.processed.append(cert.thumbprint)\n exp = cert.validuntil.split()[0]\n conv_exp = datetime.strptime(exp, '%Y-%m-%d')\n exp = datetime.strftime(conv_exp, '%d-%m-%Y')\n now = datetime.strptime(today, '%d-%m-%Y')\n exp_date = datetime.strptime(exp, '%d-%m-%Y')\n \n # Get number of days until it expires\n diff = exp_date - now\n certdetail['daysUntil'] = diff.days\n\n # Sort expired certs into leafs and roots, put the rest in goodcerts.\n if exp_date <= now:\n self.results['expired'][cert_type].append(certdetail)\n else:\n self.results['valid'][cert_type].append(certdetail)\n \n def execute(self):\n\n json = self.get_certs(force_refresh=False)\n for item in json:\n for certificate in item['certificates']:\n self.check_cert(certificate['encoded'])\n return self.results\n\ndef main():\n\n warning = False\n warningmsg = '''\n WARNING! \n You have expired STS certificates. Please follow the KB corresponding to your OS:\n VCSA: %s\n Windows: %s\n ''' % (vcsa_kblink, win_kblink)\n parse_sts = parseSts()\n results = parse_sts.execute()\n valid_count = len(results['valid']['leaf']) + len(results['valid']['root'])\n expired_count = len(results['expired']['leaf']) + len(results['expired']['root'])\n \n \n #### Display Valid ####\n print("\\n%s VALID CERTS\\n================" % valid_count)\n print("\\n\\tLEAF CERTS:\\n")\n if len(results['valid']['leaf']) > 0:\n for cert in results['valid']['leaf']:\n print("\\t[] Certificate %s will expire in %s days (%s years)." % (cert['Thumbprint'], cert['daysUntil'], round(cert['daysUntil']\/365)))\n else:\n print("\\tNone")\n print("\\n\\tROOT CERTS:\\n")\n if len(results['valid']['root']) > 0:\n for cert in results['valid']['root']:\n print("\\t[] Certificate %s will expire in %s days (%s years)." % (cert['Thumbprint'], cert['daysUntil'], round(cert['daysUntil']\/365)))\n else:\n print("\\tNone")\n\n\n #### Display expired ####\n print("\\n%s EXPIRED CERTS\\n================" % expired_count)\n print("\\n\\tLEAF CERTS:\\n")\n if len(results['expired']['leaf']) > 0:\n for cert in results['expired']['leaf']:\n print("\\t[] Certificate: %s expired on %s!" % (cert.get('Thumbprint'),cert.get('Valid Until')))\n continue\n else:\n print("\\tNone")\n\n print("\\n\\tROOT CERTS:\\n")\n if len(results['expired']['root']) > 0:\n for cert in results['expired']['root']:\n print("\\t[] Certificate: %s expired on %s!" % (cert.get('Thumbprint'),cert.get('Valid Until')))\n continue\n else:\n print("\\tNone")\n\n if expired_count > 0:\n print(warningmsg)\n\n\nif __name__ == '__main__':\n exit(main())\n\n\n<\/pre><\/div>\n\n\n\n#!\/bin\/bash\n# Run this from the affected PSC\/VC\n# Luciano Delorenzi [ldelorenzi@vmware.com] - 1\/2\/2020\n\n# NOTE: This works on external and embedded PSCs\n# This script will do the following\n# 1: Regenerate STS certificate\n#\n#\n# What is needed?\n# 1: Offline snapshots of VCs\/PSCs\n# 2: SSO Admin Password\n\nNODETYPE=$(cat \/etc\/vmware\/deployment.node.type)\nif [ "$NODETYPE" = "management" ]; then\n echo "Detected this node is a vCenter server with external PSC."\n\techo "Please run this script from a vCenter with embedded PSC, or an external PSC"\n\texit 0\nfi\n\n\necho "NOTE: This works on external and embedded PSCs"\necho "This script will do the following"\necho "1: Regenerate STS certificate"\necho "What is needed?"\necho "1: Offline snapshots of VCs\/PSCs"\necho "2: SSO Admin Password"\necho "IMPORTANT: This script should only be run on a single PSC per SSO domain"\n\n\nmkdir -p \/tmp\/vmware-fixsts\nSCRIPTPATH="\/tmp\/vmware-fixsts"\nLOGFILE="$SCRIPTPATH\/fix_sts_cert.log"\n\necho "==================================" | tee -a $LOGFILE\necho "Resetting STS certificate for $HOSTNAME started on $(date)" | tee -a $LOGFILE\necho ""| tee -a $LOGFILE\necho ""\nDN=$(\/opt\/likewise\/bin\/lwregshell list_values '[HKEY_THIS_MACHINE\\Services\\vmdir]' | grep dcAccountDN | awk '{$1=$2=$3="";print $0}'|tr -d '"'|sed -e 's\/^[ \\t]*\/\/')\necho "Detected DN: $DN" | tee -a $LOGFILE \nPNID=$(\/opt\/likewise\/bin\/lwregshell list_values '[HKEY_THIS_MACHINE\\Services\\vmafd\\Parameters]' | grep PNID | awk '{print $4}'|tr -d '"')\necho "Detected PNID: $PNID" | tee -a $LOGFILE\nPSC=$(\/opt\/likewise\/bin\/lwregshell list_values '[HKEY_THIS_MACHINE\\Services\\vmafd\\Parameters]' | grep DCName | awk '{print $4}'|tr -d '"')\necho "Detected PSC: $PSC" | tee -a $LOGFILE\nDOMAIN=$(\/opt\/likewise\/bin\/lwregshell list_values '[HKEY_THIS_MACHINE\\Services\\vmafd\\Parameters]' | grep DomainName | awk '{print $4}'|tr -d '"')\necho "Detected SSO domain name: $DOMAIN" | tee -a $LOGFILE\nSITE=$(\/opt\/likewise\/bin\/lwregshell list_values '[HKEY_THIS_MACHINE\\Services\\vmafd\\Parameters]' | grep SiteName | awk '{print $4}'|tr -d '"')\nMACHINEID=$(\/usr\/lib\/vmware-vmafd\/bin\/vmafd-cli get-machine-id --server-name localhost)\necho "Detected Machine ID: $MACHINEID" | tee -a $LOGFILE\nIPADDRESS=$(ifconfig | grep eth0 -A1 | grep "inet addr" | awk -F ':' '{print $2}' | awk -F ' ' '{print $1}')\necho "Detected IP Address: $IPADDRESS" | tee -a $LOGFILE\nDOMAINCN="dc=$(echo "$DOMAIN" | sed 's\/\\.\/,dc=\/g')"\necho "Domain CN: $DOMAINCN"\nADMIN="cn=administrator,cn=users,$DOMAINCN"\nUSERNAME="administrator@${DOMAIN^^}"\nROOTCERTDATE=$(openssl x509 -in \/var\/lib\/vmware\/vmca\/root.cer -text | grep "Not After" | awk -F ' ' '{print $7,$4,$5}')\nTODAYSDATE=$(date | awk -F ' ' '{print $6,$2,$3}')\n\necho "#" > $SCRIPTPATH\/certool.cfg\necho "# Template file for a CSR request" >> $SCRIPTPATH\/certool.cfg\necho "#" >> certool.cfg\necho "# Country is needed and has to be 2 characters" >> $SCRIPTPATH\/certool.cfg\necho "Country = DS" >> $SCRIPTPATH\/certool.cfg\necho "Name = $PNID" >> $SCRIPTPATH\/certool.cfg\necho "Organization = VMware" >> $SCRIPTPATH\/certool.cfg\necho "OrgUnit = VMware" >> $SCRIPTPATH\/certool.cfg\necho "State = VMware" >> $SCRIPTPATH\/certool.cfg\necho "Locality = VMware" >> $SCRIPTPATH\/certool.cfg\necho "IPAddress = $IPADDRESS" >> $SCRIPTPATH\/certool.cfg\necho "Email = email@acme.com" >> $SCRIPTPATH\/certool.cfg\necho "Hostname = $PNID" >> $SCRIPTPATH\/certool.cfg\n\necho "==================================" | tee -a $LOGFILE\necho "==================================" | tee -a $LOGFILE\necho ""\necho "Detected Root's certificate expiration date: $ROOTCERTDATE" | tee -a $LOGFILE\necho "Detected today's date: $TODAYSDATE" | tee -a $LOGFILE\n\necho "==================================" | tee -a $LOGFILE\n\nflag=0\nif [[ $TODAYSDATE > $ROOTCERTDATE ]];\nthen\n echo "IMPORTANT: Root certificate is expired, so it will be replaced" | tee -a $LOGFILE\n flag=1\n\tmkdir \/certs && cd \/certs\n cp $SCRIPTPATH\/certool.cfg \/certs\/vmca.cfg\n \/usr\/lib\/vmware-vmca\/bin\/certool --genselfcacert --outprivkey \/certs\/vmcacert.key --outcert \/certs\/vmcacert.crt --config \/certs\/vmca.cfg\n \/usr\/lib\/vmware-vmca\/bin\/certool --rootca --cert \/certs\/vmcacert.crt --privkey \/certs\/vmcacert.key\nfi\n\necho "#" > $SCRIPTPATH\/certool.cfg\necho "# Template file for a CSR request" >> $SCRIPTPATH\/certool.cfg\necho "#" >> $SCRIPTPATH\/certool.cfg\necho "# Country is needed and has to be 2 characters" >> $SCRIPTPATH\/certool.cfg\necho "Country = DS" >> $SCRIPTPATH\/certool.cfg\necho "Name = STS" >> $SCRIPTPATH\/certool.cfg\necho "Organization = VMware" >> $SCRIPTPATH\/certool.cfg\necho "OrgUnit = VMware" >> $SCRIPTPATH\/certool.cfg\necho "State = VMware" >> $SCRIPTPATH\/certool.cfg\necho "Locality = VMware" >> $SCRIPTPATH\/certool.cfg\necho "IPAddress = $IPADDRESS" >> $SCRIPTPATH\/certool.cfg\necho "Email = email@acme.com" >> $SCRIPTPATH\/certool.cfg\necho "Hostname = $PNID" >> $SCRIPTPATH\/certool.cfg\n\n\n\necho ""\necho "Exporting and generating STS certificate" | tee -a $LOGFILE\necho ""\n\ncd $SCRIPTPATH\n\n\/usr\/lib\/vmware-vmca\/bin\/certool --server localhost --genkey --privkey=sts.key --pubkey=sts.pub\n\/usr\/lib\/vmware-vmca\/bin\/certool --gencert --cert=sts.cer --privkey=sts.key --config=$SCRIPTPATH\/certool.cfg\n\nopenssl x509 -outform der -in sts.cer -out sts.der\nCERTS=$(csplit -f root \/var\/lib\/vmware\/vmca\/root.cer '\/-----BEGIN CERTIFICATE-----\/' '{*}' | wc -l)\nopenssl pkcs8 -topk8 -inform pem -outform der -in sts.key -out sts.key.der -nocrypt\ni=1\nuntil [ $i -eq $CERTS ]\ndo\n\topenssl x509 -outform der -in root0$i -out vmca0$i.der\n\t((i++))\ndone\n\necho ""\necho ""\nread -s -p "Enter password for administrator@$DOMAIN: " DOMAINPASSWORD\n\n\nTENANTS=$(\/opt\/likewise\/bin\/ldapsearch -h localhost -p 389 -b "cn=$DOMAIN,cn=Tenants,cn=IdentityManager,cn=Services,$DOMAINCN" -D "cn=administrator,cn=users,$DOMAINCN" -w "$DOMAINPASSWORD" "(objectclass=vmwSTSTenantCredential)" | grep numEntries | awk '{print $3}')\necho ""\nTRUSTEDCERTCHAINS=$(\/opt\/likewise\/bin\/ldapsearch -h localhost -p 389 -b "cn=$DOMAIN,cn=Tenants,cn=IdentityManager,cn=Services,$DOMAINCN" -D "cn=administrator,cn=users,$DOMAINCN" -w "$DOMAINPASSWORD" "(objectclass=vmwSTSTenantTrustedCertificateChain)" | grep numEntries | awk '{print $3}')\necho "Amount of tenant credentials: $TENANTS" | tee -a $LOGFILE\ni=1\nif [ ! -z $TENANTS ] \nthen\n\tuntil [ $i -gt $TENANTS ]\n\tdo\n\t\techo "Exporting tenant $i to $SCRIPTPATH" | tee -a $LOGFILE\n\t\techo ""\n\t\tldapsearch -h localhost -D "cn=administrator,cn=users,$DOMAINCN" -w "$DOMAINPASSWORD" -b "cn=TenantCredential-$i,cn=$DOMAIN,cn=Tenants,cn=IdentityManager,cn=Services,$DOMAINCN" > $SCRIPTPATH\/tenantcredential-$i.ldif\n\t\techo "Deleting tenant $i" | tee -a $LOGFILE\n\t\tldapdelete -h localhost -D "cn=administrator,cn=users,$DOMAINCN" -w "$DOMAINPASSWORD" "cn=TenantCredential-$i,cn=$DOMAIN,cn=Tenants,cn=IdentityManager,cn=Services,$DOMAINCN" | tee -a $LOGFILE\n\t\t((i++))\n\tdone\nfi\necho ""\n\necho "Amount of trustedcertchains: $TRUSTEDCERTCHAINS" | tee -a $LOGFILE\ni=1\nif [ ! -z $TRUSTEDCERTCHAINS ] \nthen\n\tuntil [ $i -gt $TRUSTEDCERTCHAINS ]\n\tdo\n\t\techo "Exporting trustedcertchain $i to $SCRIPTPATH" | tee -a $LOGFILE\n\t\tldapsearch -h localhost -D "cn=administrator,cn=users,$DOMAINCN" -w "$DOMAINPASSWORD" -b "cn=TrustedCertChain-$i,cn=TrustedCertificateChains,cn=$DOMAIN,cn=Tenants,cn=IdentityManager,cn=Services,$DOMAINCN" > $SCRIPTPATH\/trustedcertchain-$i.ldif\n\t\techo ""\n\t\techo "Deleting trustedcertchain $i" | tee -a $LOGFILE\n\t\tldapdelete -h localhost -D "cn=administrator,cn=users,$DOMAINCN" -w "$DOMAINPASSWORD" "cn=TrustedCertChain-$i,cn=TrustedCertificateChains,cn=$DOMAIN,cn=Tenants,cn=IdentityManager,cn=Services,$DOMAINCN" | tee -a $LOGFILE\n\t\t((i++))\n\tdone\nfi\necho ""\n\ni=1\necho "dn: cn=TenantCredential-1,cn=$DOMAIN,cn=Tenants,cn=IdentityManager,cn=Services,$DOMAINCN" > sso-sts.ldif\necho "changetype: add" >> sso-sts.ldif\necho "objectClass: vmwSTSTenantCredential" >> sso-sts.ldif\necho "objectClass: top" >> sso-sts.ldif\necho "cn: TenantCredential-1" >> sso-sts.ldif\necho "userCertificate:< file:sts.der" >> sso-sts.ldif\nuntil [ $i -eq $CERTS ]\ndo\n\techo "userCertificate:< file:vmca0$i.der" >> sso-sts.ldif\n\t((i++))\ndone\necho "vmwSTSPrivateKey:< file:sts.key.der" >> sso-sts.ldif\necho "" >> sso-sts.ldif\necho "dn: cn=TrustedCertChain-1,cn=TrustedCertificateChains,cn=$DOMAIN,cn=Tenants,cn=IdentityManager,cn=Services,$DOMAINCN" >> sso-sts.ldif\necho "changetype: add" >> sso-sts.ldif\necho "objectClass: vmwSTSTenantTrustedCertificateChain" >> sso-sts.ldif\necho "objectClass: top" >> sso-sts.ldif\necho "cn: TrustedCertChain-1" >> sso-sts.ldif\necho "userCertificate:< file:sts.der" >> sso-sts.ldif\ni=1\nuntil [ $i -eq $CERTS ]\ndo\n\techo "userCertificate:< file:vmca0$i.der" >> sso-sts.ldif\n\t((i++))\ndone\necho ""\necho "Applying newly generated STS certificate to SSO domain" | tee -a $LOGFILE\n\n\/opt\/likewise\/bin\/ldapmodify -x -h localhost -p 389 -D "cn=administrator,cn=users,$DOMAINCN" -w "$DOMAINPASSWORD" -f sso-sts.ldif | tee -a $LOGFILE\necho ""\necho "Replacement finished - Please restart services on all vCenters and PSCs in your SSO domain" | tee -a $LOGFILE\necho "==================================" | tee -a $LOGFILE\necho "IMPORTANT: In case you're using HLM (Hybrid Linked Mode) without a gateway, you would need to re-sync the certs from Cloud to On-Prem after following this procedure" | tee -a $LOGFILE\necho "==================================" | tee -a $LOGFILE\necho "==================================" | tee -a $LOGFILE\nif [ $flag == 1 ]\nthen\n\techo "Since your Root certificate was expired and was replaced, you will need to replace your MachineSSL and Solution User certificates" | tee -a $LOGFILE\n\techo "You can do so following this KB: https:\/\/kb.vmware.com\/s\/article\/2097936" | tee -a $LOGFILE\nfi\n\n\n\n<\/pre><\/div>","protected":false},"excerpt":{"rendered":"