Replace vCenter Machine SSL certificate Custom Certificate Authority Signed Certificate

Article ID: 316601

Updated On: 02-04-2025

Products

VMware vCenter Server

Issue/Introduction

This article explains how to replace the vCenter Server Machine SSL certificate with a certificate signed by a custom Certificate Authority (CA).

Notes:
  • For vCenter Server with an embedded Platform Services Controller (PSC), there will be one Machine SSL certificate.
  • For vCenter Server with an external Platform Services Controller, each machine has its own Machine SSL certificate. Therefore, this task must be performed on each machine.
  • VMware does not support the use of wildcard certificates on the vCenter Server. Refer to Certificate Requirements for the Different Solution Paths.

Environment

  • vCenter 7.x
  • vCenter 8.x

Resolution

If a Microsoft Certificate Authority will issue the custom Machine SSL certificate and it does not yet have a suitable template configured, see Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.x/7.x (315271).

  1. Launch the VMware Certificate Manager:

    vCenter Server 6.x/7.x/8.x Appliance:
    /usr/lib/vmware-vmca/bin/certificate-manager

  2. Select Option 1 (Replace Machine SSL certificate with custom certificate).
  3. Provide the administrator@vsphere.local password when prompted.
  4. Select Option 1 (Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate).
  5. Enter the directory in which to save the certificate signing request and the private key.
    • Note: Use the following values when prompted for the CSR fields.

      Country:      Two uppercase letters only (e.g. US): the country where the company is located.
      Name:         FQDN of the vCenter Server (this value becomes a certificate Subject Alternative Name).
      Organization: Company name.
      OrgUnit:      The name of the department within the organization, for example "IT".
      State:        The state or province where the company is located.
      Locality:     The city where the company is located.
      IPAddress:    IP address of the vCenter Server.
      Email:        Email address.
      Hostname:     FQDN of the vCenter Server. This field accepts multiple entries separated by commas, for example: VCSA1.vsphere.local,vcsa1,<IP address of vCenter Server>.
      VMCA Name:    FQDN of the vCenter Server.

    • Make sure the Primary Network Identifier (PNID) matches the Hostname.
      To obtain the PNID and the hostname, run the following command:

      /usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost && hostname -f

    • The files created will have the names vmca_issued_csr.csr and vmca_issued_key.key.

  6. Submit vmca_issued_csr.csr to the Certificate Authority to generate a Machine SSL certificate, and save the issued certificate as machine_name_ssl.cer. For more information, see Obtaining vSphere certificates from a Microsoft Certificate Authority (315372).

    Note: For more information on allowing WinSCP connections to a vCenter Server Appliance, see Connecting to vCenter Server Virtual Appliance using WinSCP (326317).

  7. Return to the vCenter Server Certificate Manager and select Option 1 (Continue to importing Custom certificate(s) and key(s) for Machine SSL certificate).
  8. Provide the full paths to machine_name_ssl.cer, to vmca_issued_key.key from Step 5, and to the CA certificate Root64.cer.

    Note: If one or more intermediate certificate authorities are involved, Root64.cer should contain the chain of all intermediate CA certificates and the root CA certificate. machine_name_ssl.cer should be the full chain from the leaf down, that is, the machine certificate, the intermediate CA certificate(s) and the root certificate, in that order.

    The machine_name_ssl.cer file should be a complete chain in the following order:

    -----BEGIN CERTIFICATE-----
    <alphanumeric certificate characters>   <----- Machine SSL (leaf) certificate
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    <alphanumeric certificate characters>   <----- Intermediate CA certificate
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    <alphanumeric certificate characters>   <----- Root CA certificate
    -----END CERTIFICATE-----

    For example:

    Provide a valid custom certificate for Machine SSL.
    File : /tmp/ssl/machine_name_ssl.cer

    Provide a valid custom key for Machine SSL.
    File : /tmp/ssl/machine_name_ssl.key

    Provide the signing certificate of the Machine SSL certificate.
    File : /tmp/ssl/Root64.cer

  9. Answer Yes (Y) to the confirmation request to proceed.
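Before confirming the import in Steps 7 to 9, the chain file, the key and the PNID can be checked on the appliance with the openssl CLI. The script below is an added example, not part of this article or of certificate-manager; it assumes only that openssl is on PATH and that the files are named as in Steps 5 to 8 (machine_name_ssl.cer, vmca_issued_key.key).

```shell
# Added pre-import check, not part of the KB article. Before handing machine_name_ssl.cer,
# vmca_issued_key.key and Root64.cer to certificate-manager (Step 8), confirm that the chain
# file is ordered leaf -> intermediate(s) -> root, that the key belongs to the leaf and that
# the vCenter PNID/FQDN is a DNS entry in the leaf's subjectAltName. Needs only the openssl CLI.

# Subject or issuer DN of the first certificate in a file, without the "subject="/"issuer=" prefix.
dn() { openssl x509 -noout -"$1" -in "$2" | sed 's/^[a-z]*=//'; }
# Split a PEM bundle into $2/01.pem, $2/02.pem, ... and print how many certificates it held.
split_chain() {
    awk -v d="$2" '/-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/%02d.pem", d, n) }
                   n { print > f }' "$1"
    ls "$2" | wc -l | tr -d ' '
}

# 0 when each certificate is issued by the one after it, the last one is self-signed (the root)
# and the leaf verifies with that root as the only trust anchor (the bundle supplies the rest).
chain_order_ok() {
    t=$(mktemp -d) || return 1
    n=$(split_chain "$1" "$t"); rc=1; i=1
    if [ "$n" -ge 2 ]; then rc=0
        while [ "$i" -lt "$n" ]; do
            cur=$(printf '%s/%02d.pem' "$t" "$i"); nxt=$(printf '%s/%02d.pem' "$t" $((i + 1)))
            [ "$(dn issuer "$cur")" = "$(dn subject "$nxt")" ] || rc=1   # gap or wrong order
            i=$((i + 1))
        done
        root=$(printf '%s/%02d.pem' "$t" "$n")
        [ "$(dn issuer "$root")" = "$(dn subject "$root")" ] || rc=1     # last must be a root
        [ "$rc" -eq 0 ] && { openssl verify -CAfile "$root" -untrusted "$1" "$t/01.pem" \
            >/dev/null 2>&1 || rc=1; }
    fi
    rm -rf "$t"; return "$rc"
}
# 0 when the private key's public half equals the public key inside the leaf certificate.
key_matches_cert() {
    c=$(openssl x509 -noout -pubkey -in "$1" | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    k=$(openssl pkey -in "$2" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}
# 0 when $2 is listed as DNS:<name> in the leaf certificate's subjectAltName.
san_has_host() {
    openssl x509 -noout -text -in "$1" | awk '/Subject Alternative Name/ { getline; print }' \
        | tr -d ' ' | tr ',' '\n' | grep -qx "DNS:$2"
}

# Usage: sh check_chain.sh machine_name_ssl.cer vmca_issued_key.key <PNID/FQDN of vCenter>
if [ "$#" -eq 3 ]; then
    chain_order_ok "$1"        && echo "chain order: OK"  || echo "chain order: BAD"
    key_matches_cert "$1" "$2" && echo "key matches leaf" || echo "key does NOT match leaf"
    san_has_host "$1" "$3"     && echo "SAN includes $3"  || echo "SAN lacks $3"
fi
```

Run it with the PNID returned by vmafd-cli from Step 5; any BAD or NOT result means the files should be corrected before Option 1 of the import is confirmed.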

Additional Information