Changing the Primary Network Identifier/PNID on vCenter


This blog post provides a detailed overview of the Primary Network Identifier (PNID) in a vCenter deployment and explains how it can be modified if necessary. The PNID, which is typically a Fully Qualified Domain Name (FQDN), is assigned during the initial setup of vCenter.

  1. Significance of the PNID:
    • The PNID serves as a unique identifier for vCenter within the network, playing a crucial role in SSL certificate generation and management.
  2. Case Sensitivity in PNID:
    • If an uppercase hostname is used during vCenter deployment, such as VCF-VC01.ASH.LOCAL, it is essential to maintain case consistency throughout all configurations.
    • When replacing certificates, the Certificate Signing Request (CSR) must exactly mirror the case used in the hostname:
      • For an uppercase hostname, the CSR must use an uppercase Common Name.
      • For a lowercase hostname, the CSR must use a lowercase Common Name.
    • Ensuring this alignment between the hostname and the Common Name in the CSR is critical to avoid certificate validation issues and ensure proper functioning of the vCenter.
  3. Changing the PNID:
    • Modifying the PNID after deployment is a complex and delicate process, typically undertaken only in specific scenarios, such as during migrations or advanced configurations. A thorough understanding of the initial PNID setup is crucial to prevent the need for later changes.

Why is that a key consideration?

When vCenter is deployed with a specific hostname, attempting to update certificates later may result in the following warning:

“Error occurred while fetching TLS: Invalid input certificate: The Subject of the provided certificate does not contain the correct CN value.”

This typically leads to SSO (Single Sign-On) and login failures, preventing access to vCenter. The issue stems from the case-sensitive nature of the VMware vCenter Server Appliance (VCSA). Both the hostname configured during deployment and the Common Name (CN) in the certificates must be identical in case (either uppercase or lowercase). Inconsistencies between the hostname and the CN can cause certificate validation failures, triggering login and authentication issues.

When you run the VCF diagnostic tool, as shown in the video, you get a warning.

Change the PNID in vCenter using the CLI

You can use the command below to check the PNID:

/usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost

To change the PNID via the CLI, use the command:

/usr/lib/vmware-vmafd/bin/vmafd-cli set-pnid --server-name localhost --pnid <pnid-name>

To restart the vCenter services, use the commands:

service-control --stop --all
service-control --start --all

After the vCenter Server services have been restarted, the new PNID will be displayed in the VAMI.
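The case-sensitive comparison this post describes, written as a POSIX shell check (an added example, not code from the original post or from VMware): it compares the PNID, the appliance hostname and the Common Name of a CSR or certificate and distinguishes a case-only mismatch from a different name. The sample PNID, hostname and subject line are constructed; on a real appliance you would take them from the vmafd-cli command above, from hostname -f and from openssl, as the comments note.

```shell
#!/bin/sh
# Added example, not from the original post: case-sensitive consistency check
# between the PNID, the appliance hostname and the certificate/CSR Common Name.
# Assumption (not executed here): on a real appliance the inputs would come from
#   pnid=$(/usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost)
#   host=$(hostname -f)
#   subject=$(openssl req -noout -subject -in vcenter.csr)

# extract_cn SUBJECT: print the CN from an openssl subject line, in either the
# "subject=CN=host, O=Org" or the "/C=US/CN=host/O=Org" layout.
extract_cn() {
    printf '%s\n' "$1" | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p' | sed 's/[[:space:]]*$//'
}

# check_pnid PNID HOSTNAME CN
# returns 0 when all three are identical (exact, case-sensitive match),
#         1 when they differ only in case (the CSR/hostname case mismatch),
#         2 when they are different names altogether.
check_pnid() {
    pnid=$1; host=$2; cn=$3
    if [ "$pnid" = "$host" ] && [ "$pnid" = "$cn" ]; then
        return 0
    fi
    lp=$(printf '%s' "$pnid" | tr '[:upper:]' '[:lower:]')
    lh=$(printf '%s' "$host" | tr '[:upper:]' '[:lower:]')
    lc=$(printf '%s' "$cn"   | tr '[:upper:]' '[:lower:]')
    if [ "$lp" = "$lh" ] && [ "$lp" = "$lc" ]; then
        return 1
    fi
    return 2
}

# Constructed sample values: an uppercase PNID/hostname deployment paired with
# a CSR whose CN was generated in lowercase.
sample_pnid='VCF-VC01.ASH.LOCAL'
sample_host='VCF-VC01.ASH.LOCAL'
sample_subject='subject=CN=vcf-vc01.ash.local, O=ASH Lab'
sample_cn=$(extract_cn "$sample_subject")

rc=0
check_pnid "$sample_pnid" "$sample_host" "$sample_cn" || rc=$?
case $rc in
    0) echo "OK: PNID, hostname and CN are identical" ;;
    1) echo "WARNING: case mismatch: PNID=$sample_pnid CN=$sample_cn (regenerate the CSR in the PNID's case)" ;;
    2) echo "ERROR: name mismatch: PNID=$sample_pnid host=$sample_host CN=$sample_cn (align the vCenter name and PNID first)" ;;
esac
```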

How to match the vCenter name and PNID

To ensure the hostname aligns with the PNID, modify the vCenter Server Name, then click Save and restart the appliance to apply the changes.

After the vCenter Server services have been restarted, the new PNID will be displayed in the VAMI and the PNID and the vCenter name will match.

Conclusion

A mismatch between the PNID and the vCenter name, followed by an attempt to update the CSR, will lead to SSO errors that may prevent access to vCenter. The PNID acts as a unique identifier for vCenter, and any alteration to it will impact services and integrated applications connected to vCenter, including VASA, vCHA, Aria Operations, Aria Automation, and others. After implementing these changes, you will likely need to rejoin the vCenter Server Appliance (VCSA) to Active Directory, regenerate any custom certificates, and re-register all integrated services with the VCSA. Once these steps are completed, you should be able to apply the TLS certificates without encountering SSO warnings.
