Using vSphere Certificate Manager to Replace SSL Certificates
search cancel

Using vSphere Certificate Manager to Replace SSL Certificates

book

Article ID: 318946

calendar_today

Updated On:

Products

VMware vCenter Server

Issue/Introduction

How to use vSphere Certificate Manager?

vSphere Certificate Manager:

The vSphere Certificate Manager can be used to:

  • Implement Default Certificates
  • Replace VMCA Certificate with a custom CA Certificate
  • Replace all vSphere Certificates and Keys with custom CA Certificates and Keys
  • Replace / download / import machine SSL certificates

Implement Default Certificates (use Option 4 or 8):

  • This option is the most preferred with the least amount of overhead in implementing, it is used when not planning on implementing custom CA Certificates signed by either an enterprise CA (like a Microsoft Windows CA) or a Commercial CA (Verisign, GoDaddy, etc.).
  • In this environment, the vSphere certificates are generated and issued by the VMware Certificate Authority (VMCA) and stored by the vSphere Endpoint Certificate Store (VECS).
  • These certificates are not trusted outside of vSphere by default.
  • If Machine SSL & Solution User Certificates are expired, use Option 8 (Reset all Certificates).

Replace VMCA Certificate with a custom CA Certificate (use Option 2):

  • In this environment, replace the default VMCA Certificate and Key with a custom CA Certificate and Key from either an enterprise CA (like a Microsoft Windows CA) or a Commercial CA (Verisign, GoDaddy, etc.).
  • The VMCA will then be used to generate new vSphere certificates that will be signed by the previously imported custom CA Certificate and Key.
  • These certificates issued by the VMCA will be trusted outside of vSphere.
  • VMware does not recommend operating VMCA as a subordinate (or intermediate) certificate authority. Choosing this option might encounter significant complexity and the potential for a negative impact to the security, and an unnecessary increase in operational risk. For example, a rogue administrator with full access to the vCenter could mint fully trusted and valid certificates that are trusted all the way up to the organization’s Root CA

Replace all vSphere Certificates and Keys with custom CA Certificates and Keys (use Option 5):

  • In this environment, replace the Machine Certificate and all Solution User Certificates with custom CA Certificates signed by either an enterprise CA (like a Microsoft Windows CA) or a Commercial CA (Verisign, GoDaddy, etc.).
  • The VMCA is not responsible for issuing these certificates.

Environment

vCenter Server 7.x, 8.x

Resolution

Replacing Certificates using Certificate Manager tool

     Take a snapshot of the vCenter before performing this activity. If the vCenter is in linked mode, take offline snapshots of all the linked vCenter together.

  • To launch the vSphere Certificate Manager, execute the following command:

/usr/lib/vmware-vmca/bin/certificate-manager

  •  
  • If the PNID on the vCenter is unknown, it can be obtained with this command:
/usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost
  •  
  • If the default SSO domain is unknown as it has been customized from the default values - vsphere.local. It can be obtained with this command.
/usr/lib/vmware-vmafd/bin/vmafd-cli get-domain-name --server-name localhost
  •  
  • When running the certificate-manager command, the screen presents with the 8 options as shown in the screenshot.

Details of the Options:

Option #DetailRequired Information
1Replace the Machine SSL certificate with a Custom CA Certificate
Machine SSL Certificate provides a sub-option to generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate.
  • administrator@vsphere.local password.
  • Path to a custom Certificate and Key for the Machine Certificate.
  • Path to a custom Certificate for the VMCA Root
2Replace the VMCA Root certificate with a Custom CA Signing Certificate and Replace all Certificates.

This option provides a sub-option to generate Certificate Signing Request(s) and Key(s) for VMCA Root Signing certificate.
  • administrator@vsphere.local password

  • Configure the certool.cfg file at /usr/lib/vmware-vmca/share/config/certool.cfg (used by VMCA when generating certificates)

  • Root Signing Cert

  • Root Signing Key


Optional Information:

Is replacing all Solution User certificates with custom CA needed? 

  • YES: Paths to the custom Certificates and Keys for the Solution Users (vpxd, vpxd-extension, vsphere-webclient, machine).

Note: Optionally perform this step later using Option 5.

  • NO: VMCA will generate new Certificates/Keys for Solution Users using the provided Custom CA Signing Certificate.

Note: Optionally perform this step later using Option 6. 

Is replacing the Machine SSL Certificate with custom CA needed?

  • YES: Path to a custom Certificate and Key for the Machine Certificate.

Note: Optionally perform this step later using Option 1.

  • NO: VMCA will generate a new Certificate/Key for Machine using the provided Custom CA Signing Certificate.

Note: Optionally perform this step later using Option 3.

3Replace the Machine SSL certificate with a VMCA Generated Certificate
  • administrator@vsphere.local password
  • Configure the certool.cfg file (used by VMCA when generating certificates)
  • Starting in vCenter Server 8.0 U3, self-signed certificates are generated with RSA-3072 keys (that is, the key lengths are 3072 bits)
4Regenerate a new default VMCA Root Certificate and Replace all Certificates
  • administrator@vsphere.local password
  • Configure the certool.cfg file (used by VMCA when generating certificates)
5Replace the Solution User Certificates with Custom CA Certificates
  • administrator@vsphere.local password
  • Path to the custom Root CA Certificate
  • Path to the custom Certificate and Key for vpxd Solution User
  • Path to the custom Certificate and Key for vpxd-extension Solution User
  • Path to the custom Certificate and Key for vSphere-webclient Solution User
  • Path to the custom Certificate and Key for machine Solution User
  • Path to the Custom Certificate and Key for hvc Solution User 
  • Path to the Custom Certificate and Key for wcp Solution User
6Replace the Solution User Certificates with VMCA generated Certificates
  • administrator@vsphere.local password
  • Configure the certool.cfg file (used by VMCA when generating certificates)
7Revert last performed operation by re-publishing old certificates
  • administrator@vsphere.local password
8Reset all certificates
  • administrator@vsphere.local password
  • Configure the certool.cfg file (used by VMCA when generating certificates)

Note 2: The certool.cfg is located at:

  • /usr/lib/vmware-vmca/share/config/certool.cfg
  • The default configuration of certool.cfg should look like the following Screenshot:

Additional Information

VMware Skyline Health Diagnostics for vSphere - FAQ

  • Note: Certificate manager tool should be run as the root user. 
  • Note: Currently, vCenter Server integrates only with VMCA. The vSphere Certificate Manager and VMCA cannot be used to issue certificates to any other products.
  • Note: May impact connected products ie: SRM, vSphere Replication, Horizon View, etc. 
Log file location:
  • The vSphere Certificate Manager stores a certificate-manager.log file in at:
    /var/log/vmware/vmcad/certificate-manager.log

Check VECS certificate validation using following command:

  • for i in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list); do echo STORE $i; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $i --text | egrep "Alias|Not After"; done