One increasingly common question VMware Support receives from customers is around the topic of going from vCenter Server 5.5 with an embedded SSO to vCenter Server 6.0 with an external PSC.
A common issue seen by VMware Support is when SSL certificates expire. In vCenter Server 5.1 and 5.5 recovering from expired certificates (without re-installing) requires a very specific set of instructions otherwise you may end up needing to re-install.
In vSphere 6.0 you have Solution Users that internal vCenter/PSC services use to interact. These Solution Users use certificates to log into services and components instead of maintaining passwords.
You have the option to replace these certificates with your own certificates or use VMCA issued certificates.
To solve a separate problem, the ability to control the Certificate Subject information in the Solution Users was added in an update to the vSphere Certificate-Manager with 6.0 U1b that allows the user to specify the Subject information for each Solution User.
Update: vSphere 6.0 U3 has made improvements to the Certificate-Manager to prevent you from getting into this issue. You will be only asked to complete one cfg file and the tool will automatically make a value unique using the Solution User ID.
Configuring PSC HA to utilise SSL Pass-through basically means we don’t have any SSL Certificate on the Load Balancer VIP. To achieve this all PSC’s in the PSC HA Cluster are required to present the same certificate.
It also means that if you suspect your load balancer may be the cause of an issue, you can make vCenter bypass the load balancer directly to a PSC by creating a hosts file entry on the vCenter which maps the IP of a PSC to the Load Balanced FQDN.