Securing ESXi HTTPS connection using signed VMCA as a subordinate CA
Article ID: 323376

Products

VMware vSphere ESXi

Issue/Introduction

  • Secure the ESXi hosts' HTTPS connections with custom-signed certificates for a large number of ESXi hosts.
  • Replace the vCenter Server's default self-signed VMCA with a custom-signed VMCA.


Symptoms:
For a large number of ESXi hosts, it is not best practice to replace each ESXi host's SSL certificate with a custom-signed certificate manually.

To achieve this, the vCenter Server VMCA root certificate must instead be signed by the enterprise CA, as illustrated in the figure below:

Replacing the VMCA certificate with a CA-signed certificate re-issues the vCenter Machine SSL, Solution User and STS signing certificates, and also issues new certificates to the ESXi hosts, signed by the VMCA acting as a subordinate CA.

Environment

VMware vSphere ESXi 7.0

Resolution

Important: Before proceeding with the steps below, take both a backup and a snapshot of the vCenter Server Appliance. If the vCenter is part of an Enhanced Linked Mode (ELM) replication setup, also take a backup or offline (powered off) snapshot of all replicating vCenter ELM nodes.

To replace the vCenter Server's default self-signed VMCA with a custom-signed VMCA, follow this workflow:

  1. Generate the private key and Certificate Signing Request.
  2. Create a new template for vSphere 6.x/7.x to use for VMCA as a Subordinate CA on the MS CA Server.
  3. Obtain VMCA Certificate from the MS CA Server.
  4. Import the signed certificate and key.
  5. Manually renew ESXi host SSL certificates by the signed VMCA.


Generating the private key and Certificate Signing Request (CSR):

  • Use the vCenter Certificate Manager utility to generate the private key and CSR.
  • Choose option 2 (Replace VMCA Root certificate with Custom CA Signing Certificate and Replace all Certificates).
  • This option offers a sub-option to generate the Certificate Signing Request(s) and Key(s) for the VMCA Root Signing certificate.

Creating a new template for vSphere 6.x/7.x to use for VMCA as a Subordinate CA on the MS CA Server:

  • After generating the private key and CSR, create a new template for vSphere 6.x/7.x on the MS CA server; this template is a prerequisite for issuing the signed certificate for the vCenter VMCA.
  • Follow the steps to create the template and add it to the MS CA.

Obtaining the VMCA Certificate from the MS CA Server:

  • Generate the certificate as a base-64-encoded ".CER" file, using the VMCA Subordinate template created in step 2.

Importing the signed certificate and key to the vCenter server:

Upload the base-64-encoded ".CER" file vmca_issued_fullchain.cer, together with vmca_issued_key.key and root-ca.cer, to the vCenter /tmp directory using WinSCP.
These files will be used to import the signed certificate into the vCenter Server.

Note: Two utilities can be used to import the base-64-encoded ".CER" file and key:

  1. The vCenter Server embedded Certificate Manager utility.
  2. The vCert utility, a shell script that provides management capability for most certificate-related operations on the vCenter Server Appliance versions 6.5/6.7/7.0/8.0. You may refer to the KB "vCert - Scripted vCenter Expired Certificate Replacement".

Using the vCenter Server embedded Certificate Manager utility:

Import the VMCA certificate using Certificate Manager option 2 (Replace VMCA Certificate with a custom CA Certificate). The utility prompts as follows:

2. Import custom certificate(s) and key(s) to replace existing VMCA Root Signing certificate

Option [1 or 2]: 2

Please provide valid custom certificate for Root.
File : /tmp/FullChain.cer

Please provide valid custom key for Root.
File : /tmp/vmca_issued_key.key

Note: If the import fails when using the Certificate Manager utility, engage VMware support.
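Before running option 2, it is worth confirming that the three staged files are consistent, since a failed import otherwise means the support engagement in the note above. The script below is an added example (not VMware code and not part of this article): check_vmca_bundle verifies, with the openssl CLI only, that vmca_issued_key.key matches the first certificate in vmca_issued_fullchain.cer, that this certificate is a CA certificate, and that it chains to root-ca.cer; make_fixture builds a constructed, throwaway root and subordinate with the same file names for a dry run.

```shell
#!/bin/sh
# Added pre-flight check for the three files staged in /tmp (vmca_issued_fullchain.cer,
# vmca_issued_key.key, root-ca.cer) before they are handed to certificate-manager.
# Example code, not a VMware tool; it only needs the openssl CLI.
# Exit codes: 0 ok, 1 unreadable input, 2 key/cert mismatch, 3 not a CA cert, 4 bad chain.
check_vmca_bundle() (
    fullchain="$1"; key="$2"; root="$3"
    tmp=$(mktemp -d) || exit 1
    trap 'rm -rf "$tmp"' EXIT
    # The first PEM block in the full chain is the VMCA (subordinate CA) certificate.
    openssl x509 -in "$fullchain" -out "$tmp/sub.cer" 2>/dev/null ||
        { echo "no certificate found in $fullchain" >&2; exit 1; }
    # 1. The private key must belong to that certificate: compare the derived public keys.
    cert_pub=$(openssl x509 -in "$tmp/sub.cer" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
        { echo "$key does not match the certificate in $fullchain" >&2; exit 2; }
    # 2. VMCA will sign ESXi host certificates with it, so it must carry basicConstraints CA:TRUE.
    openssl x509 -in "$tmp/sub.cer" -noout -text | grep -q 'CA:TRUE' ||
        { echo "certificate is not a CA certificate" >&2; exit 3; }
    # 3. It must validate against the enterprise root that vCenter and clients will trust.
    openssl verify -CAfile "$root" "$tmp/sub.cer" >/dev/null 2>&1 ||
        { echo "certificate does not chain to $root" >&2; exit 4; }
    echo "bundle OK: $(openssl x509 -in "$tmp/sub.cer" -noout -subject)"
)

# Constructed fixture: a throwaway root CA and a subordinate it signs, laid out with the
# same file names as in the article, plus an unrelated key to exercise the mismatch path.
make_fixture() {
    d="$1"; mkdir -p "$d"
    printf '[req]\ndistinguished_name=dn\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ext.cnf"
    openssl genrsa -out "$d/root.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$d/root.key" -config "$d/ext.cnf" -extensions v3_ca \
        -subj "/CN=Constructed Enterprise Root CA" -days 30 -out "$d/root-ca.cer" 2>/dev/null
    openssl genrsa -out "$d/vmca_issued_key.key" 2048 2>/dev/null
    openssl req -new -key "$d/vmca_issued_key.key" -config "$d/ext.cnf" \
        -subj "/CN=CA/OU=VMware Engineering" -out "$d/vmca.csr" 2>/dev/null
    openssl x509 -req -in "$d/vmca.csr" -CA "$d/root-ca.cer" -CAkey "$d/root.key" -CAcreateserial \
        -extfile "$d/ext.cnf" -extensions v3_ca -days 30 -out "$d/vmca.cer" 2>/dev/null
    cat "$d/vmca.cer" "$d/root-ca.cer" > "$d/vmca_issued_fullchain.cer"
    openssl genrsa -out "$d/wrong.key" 2048 2>/dev/null
}
```

Against the real files, run check_vmca_bundle /tmp/vmca_issued_fullchain.cer /tmp/vmca_issued_key.key /tmp/root-ca.cer; a non-zero exit code names the file to fix before retrying the import.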
 
Manually renew ESXi host SSL certificates by the signed VMCA:

  • Refreshing the ESXi host certificate from the vSphere Client does not change the host certificate immediately.
  • Renewing the SSL certificate manually over SSH on the ESXi host, following the workflow in the article below, does not change it immediately either.
  • The HTTPS connection remains "Not secure" for 24 hours, until the vCenter Server and the ESXi host are in synchronization.
  • This is because the VMware Certificate Authority pre-dates VMware vSphere ESXi certificates by 24 hours to avoid time synchronization issues.
  • After 24 hours, retry renewing the ESXi host certificate; a new SSL certificate signed by the VMCA should then be issued to the host.