Obtaining vSphere certificates from a Microsoft Certificate Authority

Article ID: 315372

Products

VMware vCenter Server

Issue/Introduction

The purpose of this article is to explain how to submit a certificate signing request (CSR) to a Microsoft Certificate Authority (CA) and generate a certificate for the PSC/VCSA.

Environment

VMware vCenter Server Appliance 6.7.x
VMware vCenter Server 5.1.x
VMware vCenter Server 6.7.x
VMware vCenter Server 7.0.x
VMware vCenter Server 6.5.x
VMware vCenter Server Appliance 6.5.x
VMware vCenter Server 5.5.x
VMware vCenter Server 6.0.x
VMware vCenter Server Appliance 5.5.x
VMware vCenter Server Appliance 6.0.x

Resolution

Process to obtain vSphere certificates from a Microsoft Certificate Authority:

Note: The VMCA requires that the certificate's validity start date be at least 24 hours in the past.
  1. Log in to the Microsoft CA certificate authority Web interface. By default, it is http://CA_server_FQDN/CertSrv/.
  2. Click the Request a certificate (.csr) link.
  3. Click advanced certificate request.
  4. Click the Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file link.
  5. Open the certificate request (typically vmca_issued_csr.csr; refer to Step 6 in KB Replacing a vSphere 6.x/7.x Machine SSL certificate with a Custom Certificate Authority Signed Certificate) in a plain text editor and copy everything from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST----- into the Saved Request box.
 
Example:

-----BEGIN CERTIFICATE-----
MIIFxTCCBK2gAwIBAgIKYaLJSgAAAAAAITANBgkqhkiG9w0BAQUFADBGMRMwEQYK
CZImiZPyLGQBGRYDbmV0MRYwFAYKCZImiZPyLGQBGRYGbW5uZXh0MRcwFQYDVQQD
Ew5tbm5leHQtQUQtMS1DQTAeFw0xMzAyMDExNjAxMDNaFw0xNTAyMDExNjExMDNa
SMhYhbv3wr7XraAnsIaBYCeg+J7fKTFgjA8bTwC+dVTaOSXQuhnZfrOVxlfJ/Ydm
NS7WBBBFd9V4FPyRDPER/QMVl+xyoaMGw0QKnslmq/JvID4FPd0/QD62RAsTntXI
ATa+CS6MjloKFgRaGnKAAFPsrEeGjb2JgMOpIfbdx4KT3WkspsK3KPwFPoYza4ih
4eT2HwhcUs4wo7X/XQd+CZjttoLsSyCk5tCmOGU6xLaE1s08R6sz9mM=
-----END CERTIFICATE-----
  6. Select the appropriate Certificate Template. For more information, see:

    Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 5.x (2062108)
    Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.x/7.x (2112009)
 
  7. Click Submit to submit the request.
  8. Click Base 64 encoded on the Certificate issued screen.
  9. Click the Download Certificate link.
  10. Save the certificate as rui.crt in the appropriate c:\certs\service directory.
  11. Repeat Steps 2 to 10 for each additional service/certificate.
  12. Navigate back to the home page of the certificate server and click Download a CA certificate, certificate chain or CRL.
  13. Select the Base 64 option.
  14. Click the Download CA Certificate chain link.
  15. Save the certificate chain as cachain.p7b in the c:\certs folder.
  16. Double-click the cachain.p7b file to open it in the Certificate Manager.
  17. Navigate to C:\certs\cachain.p7b > Certificates.
  18. Right-click the certificate listed and click All Actions > Export.
  19. Click Next.
  20. Select Base-64 encoded X.509 (.CER), and then click Next.

    Note: Step 21 assumes there are no intermediate certificates in the Certificate Authority hierarchy. If there are two or more levels of Certificate Authorities, the .p7b file contains multiple certificates, and they cannot be exported to Base-64 encoded X.509 (.CER) at the same time; export each intermediate certificate and the root certificate to a separate file, for example C:\certs\interm64-1.cer, C:\certs\interm64-2.cer and C:\certs\Root64.cer. After completion, concatenate the certificates into a single file named cachain.cer, for example:

    -----BEGIN CERTIFICATE-----
    MIIFxTCCBK2gAwIBAgIKYaLJSgAAAAAAITANBgkqhkiG9w0BAQUFADBGMRMwEQYK
    CZImiZPyLGQBGRYDbmV0MRYwFAYKCZImiZPyLGQBGRYGbW5uZXh0MRcwFQYDVQQD
    Ew5tbm5leHQtQUQtMS1DQTAeFw0xMzAyMDExNjAxMDNaFw0xNTAyMDExNjExMDNa <-----Intermediate 1 Certificate
    SMhYhbv3wr7XraAnsIaBYCeg+J7fKTFgjA8bTwC+dVTaOSXQuhnZfrOVxlfJ/Ydm
    NS7WBBBFd9V4FPyRDPER/QMVl+xyoaMGw0QKnslmq/JvID4FPd0/QD62RAsTntXI
    ATa+CS6MjloKFgRaGnKAAFPsrEeGjb2JgMOpIfbdx4KT3WkspsK3KPwFPoYza4ih
    4eT2HwhcUs4wo7X/XQd+CZjttoLsSyCk5tCmOGU6xLaE1s08R6sz9mM=
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIDZzCCAk+gAwIBAgIQNO7aLfykR4pE94tcRe0vyDANBgkqhkiG9w0BAQUFADBG
    K73RIKZaDkBOuUlRSIfgfovUFJrdwGtMWo3m4dpN7csQAjK/uixfJDVRG0nXk9pq
    GXaS5/YCv5B4q4T+j5pa2f+a61ygjN1YQRoZf2CHLe7Zq89Xv90nhPM4foWdNNkr <-----Intermediate 2 Certificate
    /Esf1E6fnrItsXpIchQOmvQViis12YyUvwko2aidjVm9sML0ANiLJZSoQ9Zs/WGC
    TLqwbQm6tNyFB8c=
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIDZzCCAk+gAwIBAgIQNO7aLfykR4pE94tcRe0vyDANBgkqhkiG9w0BAQUFADBG
    K73RIKZaDkBOuUlRSIfgfovUFJrdwGtMWo3m4dpN7csQAjK/uixfJDVRG0nXk9pq
    GXaS5/YCv5B4q4T+j5pa2f+a61ygjN1YQRoZf2CHLe7Zq89Xv90nhPM4foWdNNkr <-----Root Certificate
    /Esf1E6fnrItsXpIchQOmvQViis12YyUvwko2aidjVm9sML0ANiLJZSoQ9Zs/WGC
    TLqwbQm6tNyFB8c=
    -----END CERTIFICATE-----

    Note: There must be no text before the -----BEGIN CERTIFICATE----- or after the -----END CERTIFICATE----- in the .crt or .cer files.
     
  21. Save the export to C:\certs\Root64.cer and click Next.
  22. Click Finish.

Adding a "certificate chain" as Machine SSL certificate:

When using an external CA, the MACHINE_SSL_CERT needs to contain every certificate in the chain up to the root, for example:
  • machine_ssl.cer: the complete chain of leaf + intermediate CAs (if applicable) + root CA
  • Root64.cer: the chain of intermediate CAs (if applicable) + root CA
The Certificate Manager CLI tool then prompts for those two chain files, along with the key (refer to Replacing a vSphere 6.x Machine SSL certificate with a Custom Certificate Authority Signed Certificate for the Certificate Manager CLI):

     Please provide a valid custom certificate for Machine SSL.
     File : /tmp/ssl/machine_name_ssl.cer

     Please provide a valid custom key for Machine SSL.
     File : /tmp/ssl/machine_name_ssl.key

     Please provide the signing certificate of the Machine SSL certificate
     File : /tmp/ssl/Root64.cer

The full certificate chain is installed into the MACHINE_SSL_CERT VECS store.
The chain of CAs is installed into the TRUSTED_ROOTS VECS store.

The full certificate chain is placed in MACHINE_SSL_CERT so that the product/server presents the complete SSL chain when it is accessed from a browser or client. This is required in particular when a customer uses an offline CA, where the intermediate CA is not installed in the browser or client OS certificate store.

Note: VMware Engineering does not recommend this except in cases where the customer uses an offline CA. All TLS connections made with a certificate added this way will be treated as secure, even if that may not be the case.
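The two file-layout requirements above (no text outside the BEGIN/END lines in the concatenated .cer files, and machine_ssl.cer ordered leaf, then intermediates, then root, with Root64.cer holding intermediates plus root) are easy to get wrong when pasting exports together, and the Certificate Manager tool reports the failure late. The following is an added pre-flight check written for this page; it is not VMware code and not part of the KB article. It uses only the Python standard library, with a small DER walker in place of a full X.509 library, and it builds its own sample chain from synthetic, unsigned certificate structures (the names Lab Root CA, Lab Issuing CA and vcsa.lab.example, the fixed clock NOW and every function here are constructed for the demo). The 24-hour test is this example's reading of the VMCA note at the top of the procedure.

```python
import base64
import re
from datetime import datetime, timedelta, timezone

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END \1-----", re.S)


def split_pem(text, expected="CERTIFICATE"):
    """Return the DER blobs in a PEM file; reject stray text or a wrong block label."""
    text = text.replace("\r\n", "\n")
    blocks, end = [], 0
    for m in PEM_RE.finditer(text):
        if text[end:m.start()].strip():
            raise ValueError("text outside PEM block: %r" % text[end:m.start()].strip()[:40])
        if m.group(1) != expected:
            raise ValueError("expected %s block, found %s" % (expected, m.group(1)))
        try:  # strict decoding catches annotations such as '<----- Root' pasted into the body
            blocks.append(base64.b64decode(re.sub(r"\s", "", m.group(2)), validate=True))
        except ValueError as exc:
            raise ValueError("block %d is not clean base64: %s" % (len(blocks), exc))
        end = m.end()
    if text[end:].strip():
        raise ValueError("text after last END line: %r" % text[end:].strip()[:40])
    if not blocks:
        raise ValueError("no PEM blocks found")
    return blocks


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = _read_tlv(content, pos)
        out.append((tag, val))
    return out


def _parse_time(tag, val):  # 0x17 = UTCTime (two-digit year), 0x18 = GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode(), fmt).replace(tzinfo=timezone.utc)


def parse_cert(der):
    """Pull issuer and subject (raw DER Name bytes) and notBefore out of an X.509 certificate."""
    _, cert, _ = _read_tlv(der, 0)
    fields = _children(_children(cert)[0][1])           # members of tbsCertificate
    if fields[0][0] == 0xA0:                            # skip the explicit [0] version
        fields = fields[1:]
    issuer, validity, subject = fields[2][1], fields[3][1], fields[4][1]
    return {"issuer": issuer, "subject": subject, "not_before": _parse_time(*_children(validity)[0])}


def check_machine_ssl_chain(pem_text, now=None):
    """Return a list of problems; empty means leaf -> intermediates -> root is well formed."""
    now = now or datetime.now(timezone.utc)
    certs = [parse_cert(d) for d in split_pem(pem_text)]
    problems = []
    for i in range(len(certs) - 1):                     # each issuer must be the next subject
        if certs[i]["issuer"] != certs[i + 1]["subject"]:
            problems.append("certificate %d was not issued by certificate %d" % (i, i + 1))
    if certs[-1]["issuer"] != certs[-1]["subject"]:
        problems.append("last certificate is not a self-signed root")
    if certs[0]["not_before"] > now - timedelta(hours=24):   # the article's 24-hour rule
        problems.append("leaf notBefore is less than 24 hours in the past")
    return problems


def build_chain_files(leaf_pem, intermediate_pems, root_pem):
    """Return (machine_ssl.cer, Root64.cer) contents in the layout the article describes."""
    norm = lambda p: p.strip() + "\n"
    machine_ssl = "".join(norm(p) for p in [leaf_pem, *intermediate_pems, root_pem])
    root64 = "".join(norm(p) for p in [*intermediate_pems, root_pem])
    return machine_ssl, root64


# ---- constructed sample data: minimal, unsigned X.509 structures, not real certificates ----
def _der(tag, content):
    n = len(content)
    nb = (n.bit_length() + 7) // 8
    length = bytes([n]) if n < 0x80 else bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + length + content


def _name(cn):  # Name ::= SEQUENCE { SET { SEQUENCE { OID 2.5.4.3, PrintableString } } }
    return _der(0x30, _der(0x31, _der(0x30, b"\x06\x03\x55\x04\x03" + _der(0x13, cn.encode()))))


def make_fake_cert(subject, issuer, not_before, not_after):
    alg = _der(0x30, b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b\x05\x00")   # sha256WithRSA
    utc = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg + _name(issuer)
               + _der(0x30, utc(not_before) + utc(not_after)) + _name(subject)
               + _der(0x30, alg + _der(0x03, b"\x00\x00")))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00\x00"))          # placeholder signature


def to_pem(der):
    body = base64.b64encode(der).decode()
    lines = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return "-----BEGIN CERTIFICATE-----\n" + lines + "\n-----END CERTIFICATE-----\n"


NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)            # fixed clock for the demo
ROOT = to_pem(make_fake_cert("Lab Root CA", "Lab Root CA", NOW - timedelta(days=730), NOW + timedelta(days=3650)))
INTER = to_pem(make_fake_cert("Lab Issuing CA", "Lab Root CA", NOW - timedelta(days=365), NOW + timedelta(days=1825)))
LEAF = to_pem(make_fake_cert("vcsa.lab.example", "Lab Issuing CA", NOW - timedelta(days=2), NOW + timedelta(days=730)))
MACHINE_SSL, ROOT64 = build_chain_files(LEAF, [INTER], ROOT)

if __name__ == "__main__":
    print("machine_ssl.cer problems:", check_machine_ssl_chain(MACHINE_SSL, NOW) or "none")
    print("Root64.cer problems:", check_machine_ssl_chain(ROOT64, NOW) or "none")
```

To run it against real exports, replace the constructed constants with the contents of the files you produced in Steps 10 and 21 (for example `check_machine_ssl_chain(open("machine_ssl.cer").read())`). Issuer and subject are compared as raw DER bytes, which is sufficient for certificates issued by one Microsoft CA hierarchy; the check does not verify signatures, so it complements rather than replaces the trust validation the Certificate Manager tool performs.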

Additional Information