VxRail: Unable to Log In to vCenter Due to Expired Certificates

Summary: VxRail 7.x and 8.x: Unable to log in to vCenter due to expired certificates. Certificates must be re-issued. VxRail 7.0.480 or later: A warning is shown when a certificate expires in less than 60 days; renewing the certificate in advance is recommended. This procedure resets the following certificates to VMCA-signed certificates: Machine SSL (including SSL Trust Anchors and vCenter extension thumbprints), Solution Users (including vCenter extension thumbprints), STS Signing ...


Symptoms

Scenario 1: The vCenter certificate is already expired. 

  • Unable to log in to vCenter UI.
  • Any log-in attempt when the Web UI is available fails even with correct credentials.
    VCSA Web Login shows "user name and password required" after a login attempt
  • Restart of vCenter Server Appliance (VCSA) services fails.
  • Restart of services does not bring up all services.

Errors observed:

/var/log/vmware/vpxd-svcs/vpxd-svcs.log:
2020-06-03T09:31:04.523Z [pool-8-thread-1  INFO  com.vmware.identity.token.impl.X509TrustChainKeySelector  opId=905f6864-c067-4db6-828c-1d59c4b43bf8] Failed to find trusted path to signing certificate <CN=ssoserverSign>
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
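
A triage sketch for the signature above, added here as an example and not part of Dell's or VMware's tooling: it scans vpxd-svcs.log text for the trust-path failure, pairs each hit with the certification-path exception that follows it, and reports when each signing certificate first and last failed. The function names, the `com.example.Unrelated` entry, and the `constructed-` opId values are assumptions made for the example.

```python
import re

# Constructed sample in the vpxd-svcs.log layout. The 09:31:04 entry and its two
# exception lines are the article's excerpt; the other entries are made up.
SAMPLE_LOG = """\
2020-06-03T09:30:58.101Z [pool-8-thread-1  INFO  com.example.Unrelated  opId=constructed-0001] Routine message
2020-06-03T09:31:04.523Z [pool-8-thread-1  INFO  com.vmware.identity.token.impl.X509TrustChainKeySelector  opId=905f6864-c067-4db6-828c-1d59c4b43bf8] Failed to find trusted path to signing certificate <CN=ssoserverSign>
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
2020-06-03T09:35:10.007Z [pool-8-thread-3  INFO  com.vmware.identity.token.impl.X509TrustChainKeySelector  opId=constructed-0002] Failed to find trusted path to signing certificate <CN=ssoserverSign>
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
"""

HEADER = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d+Z) \[(?P<ctx>[^\]]*)\] (?P<msg>.*)$")
OPID = re.compile(r"opId=(\S+)")
TRUST_FAIL = re.compile(r"Failed to find trusted path to signing certificate <([^>]+)>")
PATH_EXC = "SunCertPathBuilderException"

def find_trust_failures(lines):
    """One record per trust-path failure; 'confirmed' means the path exception followed it."""
    events, current = [], None
    for line in lines:
        head = HEADER.match(line)
        if head is None:
            # Continuation line (stack trace): it belongs to the entry above it.
            if current is not None and PATH_EXC in line:
                current["confirmed"] = True
            continue
        current = None  # a new timestamped entry closes the previous one
        hit = TRUST_FAIL.search(head["msg"])
        if hit:
            opid = OPID.search(head["ctx"])
            current = {"ts": head["ts"], "opid": opid.group(1) if opid else None,
                       "subject": hit.group(1), "confirmed": False}
            events.append(current)
    return events

def summarize(events):
    """Per certificate subject: failure count plus first and last timestamp."""
    out = {}
    for ev in events:
        s = out.setdefault(ev["subject"], {"count": 0, "confirmed": 0, "first": ev["ts"], "last": ev["ts"]})
        s["count"] += 1
        s["confirmed"] += int(ev["confirmed"])
        # Equal-width ISO-8601 UTC timestamps sort chronologically as strings.
        s["first"], s["last"] = min(s["first"], ev["ts"]), max(s["last"], ev["ts"])
    return out

if __name__ == "__main__":
    print(summarize(find_trust_failures(SAMPLE_LOG.splitlines())))
```

The earliest `first` timestamp bounds when token validation started failing, which helps separate an expired signing certificate from an unrelated login problem.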

Scenario 2: The vCenter certificate expires in less than 60 days. (For VxRail 7.0.480 and later versions)

  • Login to the vCenter UI succeeds, but VxRail 7.0.480 and later versions show a warning on the VxRail Cluster > Configure > VxRail > Certificate > All Trust Store Certificates page stating that the certificate expires in less than 60 days.
    Certificate will expire warning in VCSA UI

 

Cause

vCenter certificates are expired or expiring soon. 
 

Resolution

For either scenario, follow these steps using the vCert tool to reset all certificates on vCenter to VMCA-signed certificates.

Note: This procedure is intended for single PSC or VCSA VMs which are maintained through VxRail LifeCycle Manager (LCM). For HA, ELM, or Customer deployed VCSAs, open a VMware ticket!
Note: Take OFFLINE snapshots of VxRail Manager (VRM) and VCSA!
Note: Check that the snapshot creation process has finished without errors! Do NOT continue without valid snapshots!
Note: If issues are encountered, do not retry without reverting to snapshots!
 
  1. Download the vCert tool from VMware: vCert - Scripted vCenter Expired Certificate Replacement
  2. Upload the .zip file to vCenter using WinSCP or similar. In this example, we uploaded it to the /tmp directory.
  3. SSH to vCenter using root credentials and unzip the file using the extract command (the filename changes with the version):
    cd /tmp
    unzip vCert-6.0.0-20250218.zip
  4. Enter the vCert directory and start the script:
    cd vCert-6.0.0-20250218
    ./vCert.py
  5. At the menu, enter option 6 for: Reset all certificates with VMCA-signed certificates
    VCF/VVF Certificate Management Utility (version 6.0.0)
    -----------------------------------------------------------------
     1. Check current certificate status
     2. View certificate info
     3. Manage certificates
     4. Manage SSL trust anchors
     5. Check configurations
     6. Reset all certificates with VMCA-signed certificates
     7. ESXi certificate operations
     8. Restart services
     9. Generate certificate report
     E. Exit
    
    Select an option [1]: 6
    
  6. The "Certificate Signing Request Information" can be left at its defaults or updated with company and/or environment information. We left it at the defaults in this example:
    Certificate Signing Request Information
    -----------------------------------------------------------------
    Enter the country code [US]:
    Enter the Organization name [VMware]:
    Enter the Organizational Unit name [VMware Engineering]:
    Enter the state [California]:
    Enter the locality (city) name [Palo Alto]:
    Enter the IP address (optional):
    Enter an email address (optional):
    Enter any additional hostnames for SAN entries (comma separated value): 
  7. The script resets the vCenter certificates. 
  8. Once complete, follow Dell VxRail: How to Manually Import vCenter SSL Certificate on VxRail Manager to import the certificates into the VxRail Manager trust store.

Additional Information

  • ALWAYS take snapshots of System VMs (VCSA and VRM) before following this article.
  • This procedure is intended for VCSA VMs which are maintained through VxRail LCM.
    NOTE: Some third-party products must be re-registered, or the new VMCA Root CA must be added as trusted (product specific - check product documentation). This is because communication is broken by the Root or VCSA certificate change.
  • If a user has certificates from their own infrastructure, they can replace them now.

 

Affected Products

VxRail Appliance Family, VxRail Appliance Series, VxRail G Series Nodes, VxRail E Series Nodes, VxRail E560, VxRail E560F, VxRail E560N, VxRail E660, VxRail E660F, VxRail E660N, VxRail E665, VxRail E665F, VxRail E665N, VxRail G560F, VxRail P Series Nodes, VxRail P470, VxRail P570, VxRail P570F, VxRail P580N, VxRail P670F, VxRail P670N, VxRail P675F, VxRail P675N, VxRail S Series Nodes, VxRail S470, VxRail S570, VxRail S670, VxRail V Series Nodes, VxRail V470, VxRail V570, VxRail V570F, VXRAIL V670F, VxRail VD-4510C, VxRail VD-4520C, VxRail VE-660, VxRail VE-6615, VxRail VP-760, VxRail VP-7625, VxRail VS-760 ...
Article Properties
Article Number: 000082108
Article Type: Solution
Last Modified: 05 Sep 2025
Version:  12