Workflow to Replace vCenter Server's Default Self-Signed VMCA with a Custom-Signed VMCA
Attention: Before beginning, ensure you have taken both a backup and a snapshot of the vCenter Server Appliance. If the vCenter is configured for Enhanced Linked Mode (ELM), also back up or take an offline (powered off) snapshot of all replicating vCenter ELM nodes.
The process involves the following steps:
- Generate the private key and Certificate Signing Request (CSR).
- Create a new VMCA Subordinate CA template on the Microsoft Certificate Authority (MS CA) Server for vSphere 8.x.
- Obtain the signed VMCA Certificate from the MS CA Server.
- Import the signed certificate and key to the vCenter server.
- Manually renew ESXi host SSL certificates using the newly signed VMCA.
Generating the Private Key and CSR
- Use the vCenter Certificate Manager utility and select Option 2 to replace the VMCA Root certificate with a Custom CA Signing Certificate and Replace all Certificates.
- This option offers a sub-option that generates the Certificate Signing Request(s) and Key(s) needed for the VMCA Root Signing certificate.
Creating a VMCA Subordinate CA Template (vSphere 8.x):
Obtaining the VMCA Certificate:
- Generate the certificate from the MS CA Server in the form of a Base-64-encoded ".CER" file, utilizing the VMCA Subordinate template created in the previous step.
Importing the Signed Certificate and Key:
- Transfer the following files to the vCenter /tmp directory using a tool like WinSCP:
  - vmca_issued_fullchain.cer (the Base-64-encoded ".CER" file)
  - vmca_issued_key.key
  - root-ca.cer
- These files are used for the certificate import process.
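Before handing these files to the import utility, it is worth confirming that they belong together. The check below is an added example written for this article, not a VMware tool; it assumes an openssl binary on the appliance shell and, by default, the /tmp file names listed above. It verifies that the key matches the issued VMCA certificate, that the chain validates up to root-ca.cer, that the certificate is a CA, and it prints the Not Before date that the 24-hour ESXi renewal delay described later is measured from.

```shell
#!/bin/sh
# Pre-import sanity check for the VMCA files (constructed example, not from the KB).
# Usage: vmca_precheck FULLCHAIN KEY ROOT   (arguments default to the /tmp paths)
vmca_precheck() {
    fullchain=${1:-/tmp/vmca_issued_fullchain.cer}
    key=${2:-/tmp/vmca_issued_key.key}
    root=${3:-/tmp/root-ca.cer}
    rc=0

    # 1. Key/cert match: the public key inside the first certificate of the
    #    fullchain file must equal the public key derived from the private key.
    cert_pub=$(openssl x509 -in "$fullchain" -noout -pubkey 2>/dev/null) || true
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || true
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match the first certificate in $fullchain"; rc=1
    else
        echo "OK: private key matches the issued VMCA certificate"
    fi

    # 2. Chain validation: trust only root-ca.cer; any intermediates in the
    #    fullchain file are used as untrusted chain material.
    if openssl verify -CAfile "$root" -untrusted "$fullchain" "$fullchain" >/dev/null 2>&1; then
        echo "OK: chain validates against $root"
    else
        echo "FAIL: chain in $fullchain does not validate against $root"; rc=1
    fi

    # 3. A subordinate CA certificate must carry CA:TRUE; warn rather than fail,
    #    since this points at the MS CA template rather than at the files.
    if openssl x509 -in "$fullchain" -noout -text 2>/dev/null \
         | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'; then
        echo "OK: basicConstraints CA:TRUE present"
    else
        echo "WARN: basicConstraints CA:TRUE not found; check the MS CA template"
    fi

    # ESXi certificates are backdated 24 hours, so host renewal only succeeds
    # once the new VMCA certificate has been valid for a full day.
    echo "VMCA $(openssl x509 -in "$fullchain" -noout -startdate 2>/dev/null); retry ESXi renewal 24 h after this"
    return $rc
}
```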
Import Utilities:
You can use one of the following two utilities to import the signed certificate and key:
- The vCenter server embedded Certificate Manager utility.
- The vCert utility: A shell script providing certificate management capabilities for vCenter Server Appliance. (vCert - Scripted vCenter expired certificate replacement).
Using the vCenter Server Embedded Certificate Manager Utility:
- Select Option 2 within the utility: "Import custom certificate(s) and key(s) to replace existing VMCA Root Signing certificate."
    Option [1 or 2]: 2
    Please provide valid custom certificate for Root.
    File : /tmp/FullChain.cer
    Please provide valid custom key for Root.
    File : /tmp/vmca_issued_key.key
Note: If the import process fails using the Certificate Manager utility, please engage VMware support.
Manually Renewing ESXi Host SSL Certificates
- After the VMCA replacement, refreshing the ESXi host certificate through the vSphere Client, or renewing it manually over SSH on the host as per the established workflow, will not immediately result in a certificate change.
- The HTTPS connection will display as "Not secure" for up to 24 hours. This delay is by design: the VMware Certificate Authority sets the validity start of ESXi certificates 24 hours in the past to tolerate time synchronization issues, so a host certificate issued within the first day would begin before the new VMCA certificate itself is valid.
- After the 24-hour period, retry the ESXi host certificate renewal. A new SSL certificate signed by the new VMCA should then be successfully issued to the ESXi host.