Configuring the vSphere 6.0 U1b or later VMware Certificate Authority as a Subordinate Certificate Authority
Article ID: 328308

Products: VMware vSphere ESXi, VMware vCenter Server

Issue/Introduction

This article explains how to configure the VMware Certificate Authority (VMCA) as a subordinate CA of an existing enterprise Certificate Authority, so that the certificates VMCA issues to vCenter Server components and ESXi hosts chain up to a root your clients already trust.

The VMCA runs on an embedded vCenter Server 6.x/7.x/8.x installation and on an external Platform Services Controller (the external PSC is no longer available in vSphere 7.x/8.x).

Resolution

If you have not yet configured your Microsoft Certificate Authority, see Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere.
 
Notes:
  • This task replaces the VMCA Root Certificate with a custom signing certificate and then replaces the Machine SSL certificate and the Solution User certificates with certificates issued by that new signing certificate.
  • If you have multiple Platform Services Controllers, perform the following steps on every Platform Services Controller; otherwise only the vCenter Server installations pointing at the reconfigured PSC receive trusted certificates.
  • In some cases the Intermediate CA certificate (together with the Root CA certificate) must be distributed through the domain so that the vSphere Client automatically trusts the certificates VMCA creates for ESXi hosts.
  • When configuring certificates in an HA environment behind a load balancer, perform the steps below on each Platform Services Controller directly, ignoring the load balancer.

  1. Launch the vSphere Certificate Manager:

    Platform Services Controller Appliance / vCenter Server Appliance:
    # /usr/lib/vmware-vmca/bin/certificate-manager
    Windows Platform Services Controller:
    C:\> "C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager"
  2. Select Option 2 (Replace VMCA Root certificate with Custom Signing Certificate and replace all Certificates).

  3. A prompt asking "Do you wish to generate all certificates using configuration file" appears. It refers to the certificate parameters entered in step 4, which are also used for the Solution User certificates. Answer yes (Y): on vCenter Server 6.0 Update 1b and later the default values cause a known failure. See Updating certificates using certificate manager on vCenter Server or PSC 6.0 Update 1b fails for details.

  4. Provide the password for the SSO administrator account (administrator@vsphere.local by default) when prompted.

    A prompt "MACHINE_SSL_CERT.cfg file exists, Do you wish to reconfigure : Option[Y/N]" appears. If Y is selected, the certificate parameters below can be set:

    Note: On vCenter Server 6.0 Update 1b or later a unique 'Name' must be given to each Solution User; see Updating certificates using certificate manager on vCenter Server or PSC 6.0 Update 1b fails.

    Caution: The 'Name' value must be unique for each Solution User across the whole SSO domain, not just on this node. For example, use machine_FQDN (the FQDN of this node) in the machine.cfg configuration file.

    Please configure certool.cfg file with proper values before proceeding to next step.
    Press Enter key to skip optional parameters or use Default value.
    Enter proper value for 'Country' [Default value : US] :
    Enter proper value for 'Name' [Default value : Acme] :
    Enter proper value for 'Organization' [Default value : AcmeOrg] :
    Enter proper value for 'OrgUnit' [Default value : AcmeOrg Engineering] :
    Enter proper value for 'State' [Default value : California] :
    Enter proper value for 'Locality' [Default value : Palo Alto] :
    Enter proper value for 'IPAddress' [optional] :
    Enter proper value for 'Email' [Default value : email@acme.com] :
    Enter proper value for 'Hostname' [Enter valid Fully Qualified Domain Name(FQDN), For Example : example.domain.com] :
    Enter the FQDN under which clients reach this node for 'Hostname'; a mismatch here produces a Machine SSL certificate browsers will not accept.
    Note: If Y was answered in step 3, you are also prompted to reconfigure machine.cfg and vsphere-webclient.cfg (one .cfg file per Solution User) after MACHINE_SSL_CERT.cfg.

  5. Select Option 1 (Generate Certificate Signing Request(s) and Key(s) for VMCA Root Signing certificate).

  6. Provide a directory in which to save the certificate signing request and private key.

    Note: The files created are named vmca_issued_csr.csr and vmca_issued_key.key. The key file is the future VMCA signing key: keep it on the node and submit only the .csr to the Certificate Authority.

    A prompt "certool.cfg file exists, Do you wish to reconfigure?" appears. This file determines the certificate parameters (subject name) of the VMCA root signing certificate.

  7. Submit vmca_issued_csr.csr to your Certificate Authority, using the subordinate CA template, to generate a Subordinate Signing Certificate. Save the issued certificate in Base-64 (PEM) encoding, not binary DER, and name the file root_signing_cert.cer. For more information see Obtaining vSphere certificates from a Microsoft Certificate Authority.

    Note: To allow WinSCP connections to a vCenter Server Appliance, see Connecting to vCenter Server Virtual Appliance using WinSCP fails....

  8. Using a plain text editor, create a full chain file that starts with root_signing_cert.cer and appends the content of the Intermediate CA certificate(s) and the Root CA certificate. For more information on how to obtain the Intermediate CA and Root CA certificates see step 12 of Obtaining vSphere certificates from a Microsoft Certificate Authority.

    The order matters: the first certificate is the contents of root_signing_cert.cer, next come any Intermediate certificates (each followed by the certificate that issued it), and last is the Root certificate. Do not put the private key in this file.

    -----BEGIN CERTIFICATE-----
    MIIFxTCCBK2gAwIBAgIKYaLJSgAAAAAAITANBgkqhkiG9w0BAQUFADBGMRMwEQYK
    CZImiZPyLGQBGRYDbmV0MRYwFAYKCZImiZPyLGQBGRYGbW5uZXh0MRcwFQYDVQQD
    Ew5tbm5leHQtQUQtMS1DQTAeFw0xMzAyMDExNjAxMDNaFw0xNTAyMDExNjExMDNa
    SMhYhbv3wr7XraAnsIaBYCeg+J7fKTFgjA8bTwC+dVTaOSXQuhnZfrOVxlfJ/Ydm
    NS7WBBBFd9V4FPyRDPER/QMVl+xyoaMGw0QKnslmq/JvID4FPd0/QD62RAsTntXI
    ATa+CS6MjloKFgRaGnKAAFPsrEeGjb2JgMOpIfbdx4KT3WkspsK3KPwFPoYza4ih <-----root_signing_cert.cer
    4eT2HwhcUs4wo7X/XQd+CZjttoLsSyCk5tCmOGU6xLaE1s08R6sz9mM=
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIDZzCCAk+gAwIBAgIQNO7aLfykR4pE94tcRe0vyDANBgkqhkiG9w0BAQUFADBG
    K73RIKZaDkBOuUlRSIfgfovUFJrdwGtMWo3m4dpN7csQAjK/uixfJDVRG0nXk9pq
    GXaS5/YCv5B4q4T+j5pa2f+a61ygjN1YQRoZf2CHLe7Zq89Xv90nhPM4foWdNNkr <-----Intermediate Certificate
    /Esf1E6fnrItsXpIchQOmvQViis12YyUvwko2aidjVm9sML0ANiLJZSoQ9Zs/WGC
    TLqwbQm6tNyFB8c=
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIDZzCCAk+gAwIBAgIQNO7aLfykR4pE94tcRe0vyDANBgkqhkiG9w0BAQUFADBG
    K73RIKZaDkBOuUlRSIfgfovUFJrdwGtMWo3m4dpN7csQAjK/uixfJDVRG0nXk9pq
    GXaS5/YCv5B4q4T+j5pa2f+a61ygjN1YQRoZf2CHLe7Zq89Xv90nhPM4foWdNNkr <-----Root Certificate
    /Esf1E6fnrItsXpIchQOmvQViis12YyUvwko2aidjVm9sML0ANiLJZSoQ9Zs/WGC
    TLqwbQm6tNyFB8c=
    -----END CERTIFICATE-----
  9. Save this file as root_signing_chain.cer.

  10. Return to the vSphere Certificate Manager and select Option 1 (Continue to importing Custom certificate(s) and key(s) for VMCA Root Signing certificate).

  11. Provide the full paths to root_signing_chain.cer and vmca_issued_key.key.

    For example:

    Platform Service Controller Appliance:
    Please provide valid custom certificate for Root.
    File : /tmp/ssl/root_signing_chain.cer
    
    Please provide valid custom key for Root.
    File : /tmp/ssl/vmca_issued_key.key

     

    Windows Platform Service Controller:
    Please provide valid custom certificate for Root.
    File : C:\ssl\root_signing_chain.cer
    
    Please provide valid custom key for Root.
    File : C:\ssl\vmca_issued_key.key

  12. Answer Yes (Y) to the confirmation request to proceed. Certificate Manager installs the new VMCA root signing certificate and reissues the Machine SSL and Solution User certificates from it.

  13. Restart all services on any external vCenter Server nodes that point to this Platform Services Controller. For more information on how to restart vCenter Server services see Stop, Start or Restart Services on vCenter Server 6.x or Higher or Stopping, Starting or Restarting VMware vCenter Server Appliance 6.x & above services.
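The following script is an added example and is not part of this article or of VMware's tooling. It reproduces steps 8 and 9 and adds the check a practitioner should run before step 10: that root_signing_chain.cer is ordered signing certificate, intermediate(s), root; that its first certificate was issued for vmca_issued_key.key; that it is a CA certificate; and that the signatures verify against the root. It assumes the openssl command line tool is available (it is in the appliance shell). The Root CA, Issuing CA and signing certificate that make_test_pki generates are constructed test data standing in for the Microsoft CA output and for the CSR/key pair Certificate Manager writes in step 6; the file names follow the article.

```shell
#!/bin/sh
# Added example, not from this KB article.  Assumes the openssl CLI is on PATH.
# make_test_pki builds a throwaway Root CA -> Issuing CA -> VMCA signing cert:
# constructed test data standing in for the Microsoft CA and for the CSR/key
# pair that certificate-manager option 1 writes (vmca_issued_csr.csr /
# vmca_issued_key.key).  verify_chain is the pre-import check for step 9's file.
set -eu

# make_test_pki DIR: write root.cer, int.cer, root_signing_cert.cer and
# vmca_issued_key.key into DIR.  Every certificate carries CA:TRUE and
# keyCertSign, which a subordinate VMCA signing certificate must have.
make_test_pki() {
  d=$1
  mkdir -p "$d"
  printf '%s\n' 'basicConstraints = critical,CA:TRUE' \
    'keyUsage = critical,keyCertSign,cRLSign' 'subjectKeyIdentifier = hash' > "$d/ca.ext"
  { printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
      'x509_extensions = ca_ext' '[dn]' 'CN = placeholder' '[ca_ext]'
    cat "$d/ca.ext"; } > "$d/req.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$d/req.cnf" \
    -subj '/CN=Example Root CA' -keyout "$d/root.key" -out "$d/root.cer" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -config "$d/req.cnf" \
    -subj '/CN=Example Issuing CA' -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.cer" -CAkey "$d/root.key" \
    -CAcreateserial -days 1825 -extfile "$d/ca.ext" -out "$d/int.cer" 2>/dev/null
  # what certificate-manager option 1 would produce, then what the issuing CA returns
  openssl req -newkey rsa:2048 -nodes -config "$d/req.cnf" -subj '/O=AcmeOrg/CN=VMCA' \
    -keyout "$d/vmca_issued_key.key" -out "$d/vmca_issued_csr.csr" 2>/dev/null
  openssl x509 -req -in "$d/vmca_issued_csr.csr" -CA "$d/int.cer" -CAkey "$d/int.key" \
    -CAcreateserial -days 730 -extfile "$d/ca.ext" -out "$d/root_signing_cert.cer" 2>/dev/null
}

# dn_of CERT subject|issuer: canonical (RFC 2253) DN string for comparisons.
dn_of() {
  openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed 's/^[a-z]*= *//'
}

# chain_links_ok DIR N: issuer of c<i>.pem must equal subject of c<i+1>.pem.
chain_links_ok() {
  i=1
  while [ "$i" -lt "$2" ]; do
    [ "$(dn_of "$1/c$i.pem" issuer)" = "$(dn_of "$1/c$((i + 1)).pem" subject)" ] || return 1
    i=$((i + 1))
  done
}

# signatures_ok DIR N: openssl verify with the last cert trusted and the
# middle certs untrusted, which is how a client validates the chain.
signatures_ok() {
  if [ "$2" -gt 2 ]; then
    i=2; : > "$1/untrusted.pem"
    while [ "$i" -lt "$2" ]; do cat "$1/c$i.pem" >> "$1/untrusted.pem"; i=$((i + 1)); done
    openssl verify -CAfile "$1/c$2.pem" -untrusted "$1/untrusted.pem" "$1/c1.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1/c$2.pem" "$1/c1.pem" >/dev/null 2>&1
  fi
}

# verify_chain CHAIN KEY: succeed only if CHAIN is ordered signing cert ->
# intermediates -> self-signed root, its first cert matches KEY and is a CA,
# and the signatures verify.  The reason for a failure goes to stderr.
verify_chain() {
  w=$(mktemp -d); ok=0
  # split the bundle into w/c1.pem, w/c2.pem, ... one file per certificate
  awk -v w="$w" '/-----BEGIN CERTIFICATE-----/ { n++ } n > 0 { print > (w "/c" n ".pem") }' "$1"
  n=$(grep -c 'BEGIN CERTIFICATE' "$1" || true)
  cert_pub=$(openssl x509 -in "$w/c1.pem" -noout -pubkey 2>/dev/null || true)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null || true)
  if [ "$n" -lt 2 ]; then
    echo "$1: found $n certificate(s); need the signing cert plus at least the root CA" >&2
  elif [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "$1: first certificate was not issued for the key in $2" >&2
  elif ! openssl x509 -in "$w/c1.pem" -noout -text | grep -q 'CA:TRUE'; then
    echo "$1: first certificate lacks basicConstraints CA:TRUE; VMCA cannot sign with it" >&2
  elif [ "$(dn_of "$w/c$n.pem" subject)" != "$(dn_of "$w/c$n.pem" issuer)" ]; then
    echo "$1: last certificate is not a self-signed root CA" >&2
  elif ! chain_links_ok "$w" "$n"; then
    echo "$1: certificates are out of order or an intermediate is missing" >&2
  elif ! signatures_ok "$w" "$n"; then
    echo "$1: signature verification failed" >&2
  else
    ok=1
  fi
  rm -rf "$w"
  [ "$ok" = 1 ]
}

# Stand-alone demonstration: build the chain in the article's order and check it.
demo() {
  d=$(mktemp -d)
  make_test_pki "$d"
  cat "$d/root_signing_cert.cer" "$d/int.cer" "$d/root.cer" > "$d/root_signing_chain.cer"
  verify_chain "$d/root_signing_chain.cer" "$d/vmca_issued_key.key" \
    && echo "root_signing_chain.cer is ordered and matches vmca_issued_key.key"
  rm -rf "$d"
}
demo
```

On a real node, skip make_test_pki and run verify_chain /tmp/ssl/root_signing_chain.cer /tmp/ssl/vmca_issued_key.key before step 10. A chain pasted with the Root certificate first, or with the Intermediate left out, fails with a message naming the broken condition; Certificate Manager would otherwise accept the file and then fail part way through replacing the Machine SSL and Solution User certificates.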