Step-by-step instructions on how to correctly chain Machine, Intermediate and Root custom certificates for import into vCenter
1. Create a temporary directory to store the keys and CSR
■ cd /root
■ mkdir ssl
2. Record the PNID and the IP address of the VCSA
■ /usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost
■ ifconfig
3. Run the certificate manager utility from the CLI
■ /usr/lib/vmware-vmca/bin/certificate-manager
4. Select option 1 "Replace Machine SSL certificate with Custom Certificate"
5. Press Enter to use the default SSO administrator account, then enter the SSO admin password
6. Select option 1 to generate a CSR
7. Enter the values for the certificate as required by your organization
■ When prompted for "Name" (the second input value), enter the PNID of the VCSA (use the FQDN if the PNID is an IP address)
■ When prompted for the IP address, enter the IP address of the VC
■ When prompted for the hostname, use the PNID of the VC
■ For the VMCA name, use the short name of the PNID
8. Provide the output location as /root/ssl/
9. Select option 2 to exit the certificate manager
10. Either use WinSCP to export the newly created CSR, or simply run cat on the CSR file and copy-paste its contents
11. Submit this CSR to the internal CA to generate the certificate
12. Chain the certificates into the following format
■ Leaf certificate > Intermediate certificate (if any) > Root certificate: this file is the certificate
■ Also prepare the root certificate file in the following format: Intermediate (if any) > Root
■ For example:
-----BEGIN CERTIFICATE-----
(<-----Certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(<-----Intermediate Certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(<-----Root Certificate)
-----END CERTIFICATE-----
13. Once all the certificates are prepared, use WinSCP to place them back into /root/ssl. Ensure the private key is the same one generated when the CSR was created in step 7; a certificate imported with a different key will not match. Alternatively, open the prepared certificates in Notepad and paste their contents into vi on the VCSA
14. Run the certificate manager tool again, select option 1, then select option 2 to import the custom certificate
15. Provide the path to each file as prompted
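The chaining in step 12 and the "same key" caveat in step 13, as an added example that is not part of the original procedure: a small set of POSIX shell functions that assemble the two bundles in the required order and check them before the import. It assumes the files in /root/ssl use the placeholder names leaf.crt, inter.crt, root.crt and the private key written alongside the CSR; the ordering and key checks rely on the openssl binary shipped with the VCSA.

```shell
#!/bin/sh
# Added example (not from the original article): build the certificate file
# and the root bundle from step 12, then verify order and key before step 14.
# Placeholder file names: leaf.crt, inter.crt, root.crt, and the CSR's key.

# Print a PEM file and guarantee a trailing newline, so the next
# -----BEGIN CERTIFICATE----- line is not glued to the previous END line.
emit_pem() {
    cat "$1"
    if [ -n "$(tail -c 1 "$1")" ]; then printf '\n'; fi
}

# build_chain OUT CERT... : concatenate certificates in the order given:
# leaf > intermediate(s) > root for the certificate file, and
# intermediate(s) > root for the root bundle.
build_chain() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do emit_pem "$f" >> "$out"; done
}

# Number of certificate blocks in a bundle (0 if none).
count_certs() { grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true; }

# Extract the N-th certificate block (1-based) from a bundle.
nth_cert() {
    awk -v want="$2" '/-----BEGIN CERTIFICATE-----/ { n++ }
        n == want { print }
        /-----END CERTIFICATE-----/ { if (n == want) exit }' "$1"
}

# Succeeds only if every certificate is issued by the one after it, which is
# what "leaf > intermediate > root" means. Needs openssl.
check_order() {
    n=$(count_certs "$1"); i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(nth_cert "$1" "$i" | openssl x509 -noout -issuer | sed 's/^[a-z]*= *//')
        subject=$(nth_cert "$1" $((i + 1)) | openssl x509 -noout -subject | sed 's/^[a-z]*= *//')
        if [ "$issuer" != "$subject" ]; then
            echo "certificate $i is not issued by certificate $((i + 1))" >&2; return 1
        fi
        i=$((i + 1))
    done
}

# Succeeds only if the leaf's public key matches the private key generated
# with the CSR in step 7 (the "same keys" caveat in step 13).
key_matches() {
    a=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    b=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ "$a" = "$b" ]
}
```

Typical use on the VCSA: `build_chain /root/ssl/chain.pem leaf.crt inter.crt root.crt`, `build_chain /root/ssl/ca.pem inter.crt root.crt`, then `check_order /root/ssl/chain.pem && key_matches leaf.crt /root/ssl/<key-from-step-7>` before running the import.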