Certificate

Introduction As of vSphere 6.0U1, VMware allow an embedded vCenter server deployment to be reconfigured to an external deployment, which demotes the Platform Services Controller (PSC) components of the embedded node and points the VC server to an external PSC node which resides in the same Single Sign On (SSO) domain as the source embedded node. This is done by using the utility cmsso-util Before we get too much further, there are two main uses for cmsso-util:

I manage an Exchange 2013 deployment at work which is configured in Hybrid with Office365. Recently we had to change our SSL certificate that was being used for both TLS for the hybrid connection and also for our client facing DNS names. Due to changes with our 3rd party SSL certificate provider, this was a new SSL certificate installation rather than a renewal. I generated the certificate and installed it onto all of the Exchange servers on-premises and during our change window, made the changes to bind the services to the new certificate and then ran the Hybrid connection wizard to update the certificate used in our On-Prem send connector to Office365 and also to the receive connector in our Office365 tenant.

Recently I’ve gone through the process of replacing the machine_ssl certificates on our vCenter and PSC nodes at work, and shortly after I went to use Update Manager and received the following error: sysimage.fault.SSLCertificateError We opted for the ‘Hybrid’ model of certificates in vSphere 6, where the machine_ssl certificate on the PSC and VC server nodes is replaced with an externally signed certificate, and the VMCA takes care of all of the solution user certificates using the default configuration.