Tuesday, May 5, 2020

Handy Commands and Articles to troubleshoot PSC and Certificate related queries in vCenter


List of commands:

To find the PNID:

  • /usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost
  • "C:\Program Files\VMware\vCenter Server\vmafdd\vmafd-cli.exe" get-pnid --server-name localhost
Which PSC is my VC pointing to:

  • /usr/lib/vmware-vmafd/bin/vmafd-cli get-ls-location --server-name localhost
  • "C:\Program Files\VMware\vCenter Server\vmafdd\vmafd-cli.exe" get-ls-location --server-name localhost
Get the site name where my PSC/VC is:

  • /usr/lib/vmware-vmafd/bin/vmafd-cli get-site-name --server-name localhost
  • "C:\Program Files\VMware\vCenter Server\vmafdd\vmafd-cli.exe" get-site-name --server-name localhost
SSO Domain name:

  • /etc/vmware/install-defaults/vmdir.domain-name
  • C:\ProgramData\VMware\vCenterServer\cfg\install-defaults\vmdir.domain-name

Certificate Manager Location:

  • Windows vCenter Server:  C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager
  • vCenter Server Appliance:  /usr/lib/vmware-vmca/bin/certificate-manager

Location for the cert store tools:

  • /usr/lib/vmware-vmafd/bin (includes vecs-cli, dir-cli, vmafd-cli)

Hard copy of the VMCA root certificate available in:

  • /var/lib/vmware/vmca/root.cer
  • ProgramData\VMware\CIS\data\vmca\root.cer

To get a copy of the MACHINE_SSL_CERT and the key used:

  • /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output /var/tmp/Machine_SSL.crt
  • /usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output /var/tmp/Machine_SSL.key
Location for the certificates that we most commonly use:

  1. STS certificate: /etc/vmware-sso/keys/ssoserver.crt
  2. VMDIRD certificate: /usr/lib/vmware-vmdir/share/config/vmdircert.pem

Location for the certs in JXplorer:

  • Trusted roots --> Configuration --> Certificate authority
  • Lookup service --> Configuration --> Sites --> "Site-name" --> Lookupservice --> Service Registrations
  • Solution users --> Service Principals
  • STS certs --> Services --> Identity manager --> Tenants --> vsphere.local --> TenantCredential-1

To view the certificates using the openssl command:

  • openssl x509 -in certificate.crt -noout -text | less
  • openssl s_client -connect "Server FQDN":443
Eg: To get the machine SSL certificate for vcsa1.gsslabs.org:
      openssl s_client -connect ORLpD1PSC-VIP.catmktg.com:443
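The two steps above (export the Machine SSL certificate from VECS, then read it with openssl) are usually followed by the same two questions: is the certificate still valid, and does its subjectAltName carry the PNID that vmafd-cli get-pnid returns? The script below is an added example, not from the original post, that answers both and prints the SHA-1 thumbprint that the Lookup Service trust anchors must match. It assumes only that openssl is installed; the file name check_machine_ssl.sh is a placeholder, and the certificate that make_test_cert produces is constructed test data so the checks can be tried without a vCenter.

```shell
#!/bin/sh
# Added example, not part of the original post: check a Machine SSL certificate
# exported from VECS (e.g. /var/tmp/Machine_SSL.crt, see the vecs-cli command above)
# for expiry and for the PNID in its subjectAltName. Only openssl is required.
# The certificate generated by make_test_cert is CONSTRUCTED test data.

# SHA-1 thumbprint of a PEM certificate, e.g. "AB:CD:...". This is the value the
# Lookup Service trust anchors must match; a mismatch is the condition the
# "Updating SSL Trust Anchors" KB listed below addresses.
cert_thumbprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//'
}

# Succeeds if the certificate will still be valid in $2 seconds (default: now).
cert_not_expiring() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# Succeeds if the PNID ($2) appears as a DNS entry in the certificate's SAN.
# Parses the -text dump so it also works on OpenSSL builds without 'x509 -ext'.
cert_has_pnid_in_san() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed -n 's/^ *DNS://p' \
        | grep -qix -- "$2"
}

# Human-readable report; returns 1 if either check fails so it can be scripted.
cert_report() {
    cert="$1"; pnid="$2"; status=0
    echo "Subject:  $(openssl x509 -in "$cert" -noout -subject | sed 's/^subject=//')"
    echo "Issuer:   $(openssl x509 -in "$cert" -noout -issuer | sed 's/^issuer=//')"
    echo "Expires:  $(openssl x509 -in "$cert" -noout -enddate | sed 's/^notAfter=//')"
    echo "SHA1:     $(cert_thumbprint "$cert")"
    if cert_not_expiring "$cert" $((30 * 24 * 3600)); then
        echo "Validity: OK (more than 30 days left)"
    else
        echo "Validity: WARNING - expired or expiring within 30 days"; status=1
    fi
    if cert_has_pnid_in_san "$cert" "$pnid"; then
        echo "SAN:      OK (PNID $pnid present)"
    else
        echo "SAN:      WARNING - PNID $pnid not in subjectAltName"; status=1
    fi
    return "$status"
}

# Create a throwaway self-signed certificate (CONSTRUCTED test data) so the
# checks above can be exercised without a vCenter: $1 output file, $2 SAN list
# such as "DNS:vcsa1.gsslabs.org,DNS:vcsa1", $3 validity in days.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "${1%.crt}.key" -out "$1" \
        -subj "/CN=constructed-test" -addext "subjectAltName=$2" -days "$3" \
        >/dev/null 2>&1
}

# Usage on a VCSA (the PNID comes from vmafd-cli, as shown at the top of the post):
#   sh check_machine_ssl.sh /var/tmp/Machine_SSL.crt \
#       "$(/usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost)"
if [ "$#" -ge 2 ]; then
    cert_report "$1" "$2"
fi
```

A non-zero exit from cert_report means the certificate is either within 30 days of expiry or does not name the PNID, which are the two conditions that most often precede the trust-anchor and service-registration problems covered by the KB articles further down.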


Get the lstool output:

Scenarios in which lstool is used:
  • To output only the vCenter's service ID in a particular site:

        /usr/lib/vmidentity/tools/scripts/lstool.py list --url https://PSC.FQDN/lookupservice/sdk --site <site-name> --type vcenterserver --id-only


  • To export the information as a spec file (text file):

        /usr/lib/vmidentity/tools/scripts/lstool.py get --url https://PSC.FQDN/lookupservice/sdk --id "vCenter's service-id" --as-spec > /tmp/vcenterserver.txt
  • How to edit the spec file and re-register it:

        /usr/lib/vmidentity/tools/scripts/lstool.py reregister --url https://PSC.FQDN/lookupservice/sdk --id "vCenter's service-id" --spec /tmp/vcenterserver.txt --user administrator@vsphere.local --password "VMware!"

  • Get the service ID associated with the node ID:

        /usr/lib/vmidentity/tools/scripts/lstool.py list --url http://localhost:7080/lookupservice/sdk --node "NODE ID of the PSC/VC" --id-only > /tmp/node.txt

     To get the node ID: /etc/vmware/install-defaults/vmdir.ldu-guid


  • Determining replication agreements and status with the Platform Services Controller 6.x 
                   https://kb.vmware.com/s/article/2127057

  • Manually reviewing certificates in VMware Endpoint Certificate Store


  • Updating SSL Trust Anchors (when there is a thumbprint mismatch)
                   https://kb.vmware.com/s/article/50112066

  • Removing expired certs from trusted roots:

  • Feature walkthrough for cert replacement:


  • Obtaining vSphere certificates from a Microsoft Certificate Authority and creating templates for SSL cert creation
                    https://kb.vmware.com/s/article/2112014
                    https://kb.vmware.com/s/article/2112009

  • The steps for the certificate generation/replacement in the Load balancer environment:


  • Generating the STS certificates:


  • Replacing the vmdird certificates:

  • Removing the Service ID:
                https://kb.vmware.com/s/article/2050273

  • Using the cmsso command to unregister vCenter Server from Single Sign-On:


  • Repoint vCenter Server 6.x between External PSC within a site
                 https://kb.vmware.com/s/article/2113917
