After figuring out why a “not so frequently” used vCenter is not working and failing to start, it turned out the VCSA had certificates recently expired. No problem, just run certificate-manager and reset all certificates. Having done this a long time ago, I had forgotten one important thing: Certificate Name should be PNID of VCSA. The new certificates were still generated, but certificate-manager would fail to start all services, remaining stuck at 85%.

PNID can be found out as follows:

root@esxmgmt01 [ ~ ]# /usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost

The whole process is nicely described here. By accident I came across Virtham’s page. vCert script he is providing supposedly comes dicrectly from VMware and it seems to be sort of certificate-manager on steroids. I had shamelessly stole it as the script seems pretty handy.