VCDA - Certificate Replacement with XCA

8 months ago

On-Premises to Cloud vCenter Replication Appliance (VC to VC, no VCD in the mix)
In a non Microsoft CA Environment (home lab), “XCA – X Certificate and Key Management” is used a a portable windows app to mint root and application certificates.
https://github.com/chris2511/xca

Please read this blog post on how to setup XCA, the root cert and how to mint application certs.
https://vmscribble.com/vcenter/vmware-vcsa-use-xca-for-root-and-intermediate-certificate-authority/
In XCA, reminder to add the DNS and IP under the SAN.

https://techdocs.broadcom.com/us/en/vmware-cis/cloud-director/availability/4-7/availability-admin-guide-4-7/vcav-administration-in-the-cloud/certificates-management/replacing-vcav-certificates/managing-the-vcav-certificates-in-the-cloud/upload-a-ca-signed-certificate.html
Notes the PKCS#12 (.pfx) certificate file and the private key use the same password.
The PKCS#12 file contains only one entry: the private key and its corresponding certificate and, optionally, the certificate trust chain. The trust chain must be part of the same keystore entry and must not be provided as separate entries in the PKCS#12 file
Export the new VCDA cert as “PKCS #12 chain (*pfx). You will be asking to enter a password. You now have a file: site-a-vcda.my.lab.pfx

Ensure you take a backup before the change. You can also shut down the VM, snapshot, power on.
You can find the old certificate as another rollback option./opt/vmware/h4/manager/config and NOT /opt/vmware/h4/serviceType/config/keystore.p12.bak as listed in the manual.

Login to the VCDA /ui/admin website
Configuration / Settings / Appliance settings / Certificate / Import
Choose the site-a-vcda.my.lab.pfx file and enter the same password used to create the export.
Click apply and you will be kicked out to the login screen.

The homepage will show
vSphere plugin – Status: OUTDATED
Replicator Services – Degradated functionality (2)
Click more will show the “Local Replicator Services (1)” is offline for the node itself and “Remote Replicator Services (1)
” showing the pair site as offline.
The vcenter plugin will show “no healthy upstream”
The pair VCDA will report “Certificate differs from the expected one.” for the VCDA node we just replaced the cert on.

Per the manual
https://techdocs.broadcom.com/us/en/vmware-cis/cloud-director/availability/4-7/availability-admin-guide-4-7/vcav-administration-on-premises/replace-the-certificate-of-the-on-premises-appliance.html
Resolve the vCenter plugin via – Service endpoints – Lookup Service address – Edit to re-enter the vCenter account used.
3 vCenter task will kick off Undeploy plug-in / Download plug-in / Deploy plug-in
Replicator Services – Replicator Services administration – Show “Permission denied.” – Click Repair, Test connection to approve the cert and apply.
Peer Sites – The other site shows Authentication failure. – Repair The popup will show the new cert.
Repeat the same process on the other VCDA node.

Once all is validated (I like to reboot the VM), delete the VM snapshot if taken.