Step by step instruction on how to correctly chain Machine, Intermediary and Root Custom certificates to import into vCenter
As outlined in step 8 of Replace vCenter Machine SSL certificate Custom Certificate Authority Signed Certificate:
1. Create a temporary directory to store keys and CSR
■ cd /root
■ mkdir ssl
2. Record the PNID and the IP of the VCSA
■ /usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost
■ ifconfig
3. Run the certificate manager utility on CLI
■ /usr/lib/vmware-vmca/bin/certificate-manager
4. Select option 1 "Replace Machine SSL certificate with Custom Certificate"
5. Press Enter to accept the default SSO administrator account, then enter the SSO administrator password
6. Select option 1 to generate CSR
7. Enter the values for the certificate as required by your organization
■ When prompted for "Name" (the second input value), enter the PNID of the VCSA (or its FQDN if the PNID is an IP address)
■ When prompted for IP address, enter the IP of the VC
■ When prompted for hostname, use the PNID of the VC
■ For VMCA name use the short name of the PNID
8. Provide location as /root/ssl/
9. Select option 2 to exit the cert manager
10. Either use WinSCP to export the newly created CSR, or simply run cat on the .csr file and copy and paste its contents
11. Use this CSR to generate the certificate from the internal CA
12. Chain the certificates in the following format
■ Leaf (machine) certificate > intermediate certificate(s), if any > root certificate; this file is the certificate
■ Example:
-----BEGIN CERTIFICATE-----
(<-----Certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(<-----Intermediate Certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(<-----Root Certificate)
-----END CERTIFICATE-----
■ Also prepare the root certificate file in the following order: intermediate certificate(s), if any > root certificate
■ Example:
-----BEGIN CERTIFICATE-----
(<-----Intermediate Certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(<-----Root Certificate)
-----END CERTIFICATE-----
13. Once all the certificates are prepared, use WinSCP to copy them back into /root/ssl. Make sure the directory still contains the same private key that was generated together with the CSR the first time. Alternatively, open the prepared certificates in Notepad and use vi on the VCSA to paste in their contents
14. Run the certificate manager tool again, select option 1, then select option 2 to import the custom certificates
15. Provide path to each file as prompted
See step 3 in vCenter Machine SSL Certificate Replacement with Custom CA-Signed Certificate via vSphere Client UI
Both the Web Client and vCert tool use the same chain format.
Prepare Certificate Files
Note: If there are one or more intermediate certificate authorities, "chain.cer" should be a chain of all intermediate CA certificates and the root CA certificate. "machine_name_ssl.cer" should include the machine certificate only.
-----BEGIN CERTIFICATE-----
<alphanumeric certificate characters> <-----Machine SSL Certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<alphanumeric certificate characters> <----- Intermediate Certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<alphanumeric certificate characters> <----- Root Certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<alphanumeric certificate characters> <----- Issuer Certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<alphanumeric certificate characters> <----- Intermediate Certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<alphanumeric certificate characters> <----- Root Certificate
-----END CERTIFICATE-----
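The chain layout above (steps 12 and 13 of the CLI procedure, and the machine_name_ssl.cer / chain.cer files used with the vSphere Client) can be built and checked with the following POSIX shell functions, an added example that is not part of either KB article. It assumes the CA returned the leaf, intermediate and root certificates as machine.cer, intermediate.cer and root.cer, and that machine.key is the private key generated together with the CSR in /root/ssl; the cryptographic checks need openssl, available on the VCSA or any workstation.

```shell
#!/bin/sh
# Added example, not from the KB article: build the two bundles from the
# individual PEM files the CA returned and check them before they are
# copied into /root/ssl. Assumed file names: machine.cer, intermediate.cer,
# root.cer, and machine.key generated together with the CSR.

# Concatenate PEM files in the order given (leaf first, root last). CR bytes
# from Windows editors are dropped, and a newline is added after any file that
# lacks one so "-----END CERTIFICATE-----" never shares a line with the next
# "-----BEGIN CERTIFICATE-----".
build_chain() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        tr -d '\r' < "$f" >> "$out"
        if [ -n "$(tail -c 1 "$f")" ]; then printf '\n' >> "$out"; fi
    done
}

# Structural check: prints the number of certificate blocks in a bundle, or
# prints 0 and fails when BEGIN/END markers do not pair up or a marker is
# malformed (for example a footer with four dashes instead of five).
pem_block_count() {
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$1" || true)
    dashed=$(grep -c '^-----' "$1" || true)  # every dashed line must be a marker
    if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ] \
        || [ $((begins + ends)) -ne "$dashed" ]; then
        echo 0
        return 1
    fi
    echo "$begins"
}

# Cryptographic checks (needs openssl): the private key from the CSR step
# matches the leaf, the leaf verifies against chain.cer, and each block's
# subject/issuer is printed in file order so the leaf > intermediate > root
# order can be confirmed by eye.
verify_chain() {
    bundle=$1; ca_bundle=$2; key=$3
    pub_cert=$(openssl x509 -noout -pubkey -in "$bundle" | openssl sha256)
    pub_key=$(openssl pkey -pubout -in "$key" | openssl sha256)
    if [ "$pub_cert" != "$pub_key" ]; then
        echo "private key does not match the leaf certificate" >&2
        return 1
    fi
    openssl verify -CAfile "$ca_bundle" "$bundle" || return 1
    openssl crl2pkcs7 -nocrl -certfile "$bundle" | openssl pkcs7 -print_certs -noout
}
```

Typical use is build_chain machine_name_ssl.cer machine.cer intermediate.cer root.cer and build_chain chain.cer intermediate.cer root.cer, followed by verify_chain machine_name_ssl.cer chain.cer machine.key before the files are handed to the certificate manager or the vSphere Client.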