Configuring the vSphere 6.0 U1b or later VMware Certificate Authority as a Subordinate Certificate Authority
search cancel

Configuring the vSphere 6.0 U1b or later VMware Certificate Authority as a Subordinate Certificate Authority

book

Article ID: 328308

calendar_today

Updated On:

Products

VMware vSphere ESXi VMware vCenter Server

Issue/Introduction

This article explains how to configure the vSphere 6.0 U1b or later VMware Certificate Authority (VMCA) as a subordinate of an existing Certificate Authority.

A VMCA exists on an embedded vCenter Server 6.0 installation and an external Platform Services Controller.

Resolution

If you have not yet configured your Microsoft Certificate Authority, see Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.0 (2112009).

Notes:
  • This task replaces the VMCA Root Certificate with a custom signing certificate and then will replace the Machine SSL certificate and Solution User certificates with certificates issued by this custom signing certificate.
  • If you have multiple Platform Services Controllers, you need to perform the preceding tasks on all Platform Services Controllers if you need to have trusted certificates for all vCenter Server 6.0 installations.
  • In some cases it may be required to distribute the Intermediate-CA certificate through the domain for the vSphere Client to automatically trust the certificates created for ESXi hosts.
  • When configuring certificates in a HA environment behind a load balancer perform the below steps on each Platform Services Controller ignoring the load balancer.
Caution:
  1. Launch the vSphere 6.0 Certificate Manager using:

    Platform Service Controller Appliance:

    /usr/lib/vmware-vmca/bin/certificate-manager

    Windows Platform Service Controller:

    C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager

  2. Select Option 2 (Replace VMCA Root certificate with Custom Signing Certificate and replace all Certificates).

  3. A prompt with "Do you wish to generate all certificates using configuration file" will appear. This prompt refers to selecting certificate parameters for the Solution Users in step 5. It is recommended to select yes as the defaults can cause a known issue. See Updating certificates using certificate manager on vCenter Server or PSC 6.0 Update 1b fails (2144086) for more details.

  4. Provide the [email protected] password when prompted.

    A prompt with MACHINE_SSL_CERT.cfg file exists, Do you wish to reconfigure : Option[Y/N] will appear. If yes is selected, the below certificate parameters can be selected:

    Note: For vCenter Server 6.0 Update 1b or later unique names will need to be created for each Solution User, for more information, see Updating certificates using certificate manager on vCenter Server or PSC 6.0 Update 1b fails (2144086).

    Caution: The 'Name' value must be unique for each Solution User in the SSO domain. For example, use machine_FQDN for the machine.cfg configuration file.

    Please configure certool.cfg file with proper values before proceeding to next step.
    Press Enter key to skip optional parameters or use Default value.
    Enter proper value for 'Country' [Default value : US] :
    Enter proper value for 'Name' [Default value : Acme] :
    Enter proper value for 'Organization' [Default value : AcmeOrg] :
    Enter proper value for 'OrgUnit' [Default value : AcmeOrg Engineering] :
    Enter proper value for 'State' [Default value : California] :
    Enter proper value for 'Locality' [Default value : Palo Alto] :
    Enter proper value for 'IPAddress' [optional] :
    Enter proper value for 'Email' [Default value : [email protected]] :
    Enter proper value for 'Hostname' [Enter valid Fully Qualified Domain Name(FQDN), For Example : example.domain.com] :

    Note    : The machine.cfg and vsphere-webclient.cfg will be prompted to reconfigure after the MACHINE_SSL_CRT.cfg if Y was answered in step 3.

  5. Select Option 1 (Generate Certificate Signing Request(s) and Key(s) for VMCA Root Signing certificate).

  6. Provide a directory to save the certificate signing request and private key to.

    Note: The files created will have the names vmca_issued_csr.csr and vmca_issued_key.key.

    A prompt with certool.cfg file exists, Do you wish to reconfigure? will appear. This file determines the certificate parameters for the VMCA root certificate.

  7. Provide the vmca_issued_csr.csr to your Certificate Authority to generate a Subordinate Signing Certificate, name the file root_signing_cert.cer. For more information see Obtaining vSphere certificates from a Microsoft Certificate Authority (2112014).

    Note: To allow WinSCP connections to a vCenter Server 6.0 Appliance, see Error when uploading files to vCenter Server Appliance using WinSCP (2107727).

  8. Using a plain text editor, create a full chain with root_signing_cert.cer, by copying the content of the Intermediate(s) CA certs and Root CA cert into a text file. For more information on how to obtain the Intermediate(s) CA certs and Root CA cert see step 12 of Obtaining vSphere certificates from a Microsoft Certificate Authority (2112014).

    In this example, the first certificate is the contents of root_signing_cert.cer, next is any Intermediate Certificates, and last is the Root Certificate.

    -----BEGIN CERTIFICATE-----
    MIIFxTCCBK2gAwIBAgIKYaLJSgAAAAAAITANBgkqhkiG9w0BAQUFADBGMRMwEQYK
    CZImiZPyLGQBGRYDbmV0MRYwFAYKCZImiZPyLGQBGRYGbW5uZXh0MRcwFQYDVQQD
    Ew5tbm5leHQtQUQtMS1DQTAeFw0xMzAyMDExNjAxMDNaFw0xNTAyMDExNjExMDNa
    SMhYhbv3wr7XraAnsIaBYCeg+J7fKTFgjA8bTwC+dVTaOSXQuhnZfrOVxlfJ/Ydm
    NS7WBBBFd9V4FPyRDPER/QMVl+xyoaMGw0QKnslmq/JvID4FPd0/QD62RAsTntXI
    ATa+CS6MjloKFgRaGnKAAFPsrEeGjb2JgMOpIfbdx4KT3WkspsK3KPwFPoYza4ih <-----root_signing_cert.cer
    4eT2HwhcUs4wo7X/XQd+CZjttoLsSyCk5tCmOGU6xLaE1s08R6sz9mM=
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIDZzCCAk+gAwIBAgIQNO7aLfykR4pE94tcRe0vyDANBgkqhkiG9w0BAQUFADBG
    K73RIKZaDkBOuUlRSIfgfovUFJrdwGtMWo3m4dpN7csQAjK/uixfJDVRG0nXk9pq
    GXaS5/YCv5B4q4T+j5pa2f+a61ygjN1YQRoZf2CHLe7Zq89Xv90nhPM4foWdNNkr <-----Intermediate Certificate
    /Esf1E6fnrItsXpIchQOmvQViis12YyUvwko2aidjVm9sML0ANiLJZSoQ9Zs/WGC
    TLqwbQm6tNyFB8c=
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIDZzCCAk+gAwIBAgIQNO7aLfykR4pE94tcRe0vyDANBgkqhkiG9w0BAQUFADBG
    K73RIKZaDkBOuUlRSIfgfovUFJrdwGtMWo3m4dpN7csQAjK/uixfJDVRG0nXk9pq
    GXaS5/YCv5B4q4T+j5pa2f+a61ygjN1YQRoZf2CHLe7Zq89Xv90nhPM4foWdNNkr <-----Root Certificate
    /Esf1E6fnrItsXpIchQOmvQViis12YyUvwko2aidjVm9sML0ANiLJZSoQ9Zs/WGC
    TLqwbQm6tNyFB8c=
    -----END CERTIFICATE-----

  9. Save this file as root_signing_chain.cer.

  10. Return to the vSphere 6.0 Certificate Manager and select Option 1 (Continue to importing Custom certificate(s) and key(s) for VMCA Root Signing certificate).

  11. Provide the full path to the root_signing_chain.cer and vmca_issued_key.key.

    For example:

    Platform Service Controller Appliance:

    Please provide valid custom certificate for Root.
    File : /tmp/ssl/root_signing_chain.cer

    Please provide valid custom key for Root.
    File : /tmp/ssl/vmca_issued_key.key

    Windows Platform Service Controller:

    Please provide valid custom certificate for Root.
    File : C:\ssl\root_signing_chain.cer

    Please provide valid custom key for Root.
    File : C:\ssl\vmca_issued_key.key

  12. Answer Yes (Y) to the confirmation request to proceed.

  13. Restart all services on any external vCenter Server nodes pointing to this Platform Services Controller. For more information on how to restart vCenter Server services see Stopping, starting, or restarting VMware vCenter Server 6.x services (2109881) or Stopping, starting, or restarting VMware vCenter Server Appliance 6.0 services (2109887).
Note:


Additional Information

Error when uploading files to vCenter Server Appliance using WinSCP
How to stop, start, or restart vCenter Server 6.x services
Stopping, starting, or restarting VMware vCenter Server Appliance 6.x services
Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.0
Obtaining vSphere certificates from a Microsoft Certificate Authority
Configuring the vSphere 6.0 U1 or earlier VMware Certificate Authority as a Subordinate Certificate Authority
Replacing the vSphere 6.0 Machine SSL certificate with a VMware Certificate Authority issued certificate
How to replace the vSphere 6.0 Solution User certs with VMCA issued certs
Build numbers and versions of VMware vCenter Server
Updating certificates using certificate manager on vCenter Server or PSC 6.0 Update 1b fails
vSphere 6.0 U1b 以降の VMware 認証局を従属認証局として構成する
将 vSphere 6.0 U1b 或更高版本 VMware Certificate Authority 配置为从属证书颁发机构

Powered by Wolken Software