How to replace the vSphere 6.0 Solution User certs with CA signed certs

Article ID: 319494

Products

VMware vCenter Server

Issue/Introduction

This article explains how to replace the vSphere 6.0 Solution User certificates with certificates signed by a custom Certificate Authority (CA).
 
Notes:
  • The vSphere 6.0 Solution Users use SSL certificates for internal communication and endpoint registration.
  • If you have a vCenter Server with an embedded Platform Services Controller (PSC), there are four Solution User certificates:

    • machine
    • vpxd
    • vpxd-extension
    • vsphere-webclient

  • If you have vCenter Server with an external Platform Services Controller, each vCenter Server 6.0 has the four Solution User certificates listed above and each external Platform Services Controller has one Solution User named machine.


Environment

VMware vCenter Server 6.7.x
VMware vCenter Server Appliance 6.7.x
VMware vCenter Server 6.0.x
VMware vCenter Server Appliance 6.5.x
VMware vCenter Server Appliance 6.0.x
VMware vCenter Server 6.5.x

Resolution

If you have not yet configured your Microsoft Certificate Authority, see Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.0 (2112009).
 
Important:
  • These certificates are not issued by VMCA. They are issued by an external Certificate Authority.
  • If you are running an external Platform Services Controller, you must restart the services on the external vCenter Server 6.0 and then proceed with replacing the Solution User Certificates of the vCenter Server 6.0.
To replace the vSphere 6.0 Solution User certificates with custom CA signed certificates:
  1. Launch the vSphere 6.0 Certificate Manager:

    vCenter Server 6.0 Appliance:

    /usr/lib/vmware-vmca/bin/certificate-manager

    Windows vCenter Server 6.0:

    C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager
     
  2. Select Option 5 (Replace Solution user certificates with Custom Certificates).
     
  3. Type the vCenter Single Sign-On administrator password (administrator@vsphere.local in a default SSO domain) when prompted.
     
  4. Select Option 1 (Generate Certificate Signing Request(s) and Key(s) for Solution User certificates).
     
  5. Select a directory to save the certificate signing requests and private keys.

    Note: One CSR and one private key are created per Solution User, named after the Solution User:

    • machine.csr
    • machine.key
    • vpxd.csr
    • vpxd.key
    • vpxd-extension.csr
    • vpxd-extension.key
    • vsphere-webclient.csr
    • vsphere-webclient.key

    An external PSC generates only machine.csr and machine.key.

  6. Provide the preceding CSRs to your Certificate Authority to generate a Solution User Certificate and name the files machine_name.cer, vpxd.cer, vpxd-extension.cer, vsphere-webclient.cer. For more information, see Obtaining vSphere certificates from a Microsoft Certificate Authority (2112014).

  7. Return to the vSphere 6.0 Certificate Manager and select Option 1 (Continue to importing Custom certificate(s) and key(s) for Solution User Certificates).
     
  8. Provide the full path to each of these certificates and keys (the keys from Step 5, the signed certificates from Step 6), including the issuing CA certificate, Root64.cer:
     
    • machine.cer
    • machine.key
    • vpxd.cer
    • vpxd.key
    • vpxd-extension.cer
    • vpxd-extension.key
    • vsphere-webclient.cer
    • vsphere-webclient.key
    • Root64.cer
       
    Note: If you are using a chain of Intermediate CA and Root CA, see the Knowledge Base article Replacing certificates using vSphere 6.0 Certificate Manager fails at 0% with the error: Operation failed, performing automatic rollback (2111571).

    Example for vCenter Server Appliance:

    Please provide valid custom certificate for solution user store : name
    File : /tmp/ssl/name.cer
    Please provide valid custom key for solution user store : name
    File : /tmp/ssl/name.key


    Where name is one of the Solution User names whose certificate and key are listed in step 8 (for example, vpxd).

    Example for Windows vCenter Server:

    Please provide valid custom certificate for solution user store : name
    File : C:\ssl\name.cer
    Please provide valid custom key for solution user store : name
    File : C:\ssl\name.key


    Notes:
     
    • An external Platform Services Controller has only one Solution User Certificate to replace.
    • For vSphere 6.0 Update 1 and later, there are 2 additional certificates for the VAMI interface. These certificates are:

      vsphere-webclient.csr
      vsphere-webclient.key

       
  9. Type Yes (Y) to the confirmation request to proceed.
  10. Update the ESX Agent Manager.

    Note: If the update fails, see the Knowledge Base article After replacing the vCenter Server certificates in vSphere 6.0, the ESX Agent Manager solution user fails to log in (2112577) to resolve the issue.
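    Most of the "Operation failed, performing automatic rollback" cases in this procedure come from a certificate that does not match its key, does not chain to the CA file being imported, or is already expired. The following pre-import check is an added example, not part of this article or of the VMware Certificate Manager; it assumes the file names used above (name.cer, name.key and Root64.cer in one directory such as /tmp/ssl), an openssl binary on the host, and that Root64.cer holds the full chain when an intermediate CA is used.

```bash
#!/usr/bin/env bash
# Pre-import sanity check for Solution User certificates returned by the CA.
# Usage: ./check_su_certs.sh /tmp/ssl            (checks the four embedded users)
#        ./check_su_certs.sh /tmp/ssl machine    (external PSC: machine only)

check_solution_user_certs() {
  # $1 = directory holding <name>.cer, <name>.key and Root64.cer
  # $2.. = Solution User names; defaults to an embedded deployment's four users
  local dir=$1; shift
  local names=("$@")
  if [ $# -eq 0 ]; then names=(machine vpxd vpxd-extension vsphere-webclient); fi
  local ca="$dir/Root64.cer" name failures=0
  if [ ! -r "$ca" ]; then echo "missing CA file: $ca"; return 1; fi
  for name in "${names[@]}"; do
    local cer="$dir/$name.cer" key="$dir/$name.key" cer_pub key_pub
    if [ ! -r "$cer" ] || [ ! -r "$key" ]; then
      echo "$name: missing $cer or $key"; failures=$((failures + 1)); continue
    fi
    # 1. The private key must belong to the certificate: compare the public keys.
    cer_pub=$(openssl x509 -in "$cer" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cer_pub" ] || [ "$cer_pub" != "$key_pub" ]; then
      echo "$name: certificate and key do not match"; failures=$((failures + 1)); continue
    fi
    # 2. The certificate must chain to the CA file you are about to import.
    if ! openssl verify -CAfile "$ca" "$cer" >/dev/null 2>&1; then
      echo "$name: does not verify against Root64.cer"; failures=$((failures + 1)); continue
    fi
    # 3. The certificate must still be valid for at least the next 24 hours.
    if ! openssl x509 -in "$cer" -noout -checkend 86400 >/dev/null 2>&1; then
      echo "$name: expired or expiring within 24 hours"; failures=$((failures + 1)); continue
    fi
    echo "$name: OK"
  done
  return "$failures"   # 0 only when every Solution User passed all three checks
}

if [ $# -gt 0 ]; then check_solution_user_certs "$@"; fi
```

Run it from the directory layout used in step 8 before answering Yes in step 9; a non-zero exit names the Solution User whose files need to be regenerated or re-issued.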


Additional Information