Process to obtain vSphere certificates from a Microsoft Certificate Authority:
Note: The VMCA requires that the certificate's valid-from date be at least 24 hours in the past.
- Log in to the Microsoft CA certificate authority Web interface. By default, it is http://CA_server_FQDN/CertSrv/.
- Click the Request a certificate (.csr) link.
- Click advanced certificate request.
- Click the Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file link.
- Open the certificate request (typically vmca_issued_csr.csr; refer to Step 6 in KB Replacing a vSphere 6.x /7.x Machine SSL certificate with a Custom Certificate Authority Signed Certificate) in a plain text editor and copy everything from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST----- into the Saved Request box.
Example:
-----BEGIN CERTIFICATE-----
MIIFxTCCBK2gAwIBAgIKYaLJSgAAAAAAITANBgkqhkiG9w0BAQUFADBGMRMwEQYK
CZImiZPyLGQBGRYDbmV0MRYwFAYKCZImiZPyLGQBGRYGbW5uZXh0MRcwFQYDVQQD
Ew5tbm5leHQtQUQtMS1DQTAeFw0xMzAyMDExNjAxMDNaFw0xNTAyMDExNjExMDNa
SMhYhbv3wr7XraAnsIaBYCeg+J7fKTFgjA8bTwC+dVTaOSXQuhnZfrOVxlfJ/Ydm
NS7WBBBFd9V4FPyRDPER/QMVl+xyoaMGw0QKnslmq/JvID4FPd0/QD62RAsTntXI
ATa+CS6MjloKFgRaGnKAAFPsrEeGjb2JgMOpIfbdx4KT3WkspsK3KPwFPoYza4ih
4eT2HwhcUs4wo7X/XQd+CZjttoLsSyCk5tCmOGU6xLaE1s08R6sz9mM=
-----END CERTIFICATE-----
- Select the appropriate Certificate Template. For more information, see:
Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 5.x (2062108)
Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.x/7.x (2112009)
- Click Submit to submit the request.
- Click Base 64 encoded on the Certificate issued screen.
- Click the Download Certificate link.
- Save the certificate as rui.crt in the appropriate c:\certs\service directory.
- Repeat Steps 2 to 10 for each additional service/certificate.
- Navigate back to the home page of the certificate server and click Download a CA certificate, certificate chain or CRL.
- Select the Base 64 option.
- Click the Download CA Certificate chain link.
- Save the certificate chain as cachain.p7b in the c:\certs folder.
- Double-click the cachain.p7b file to open it in the Certificate Manager.
- Navigate to C:\certs\cachain.p7b > Certificates.
- Right-click the certificate listed and click All Actions > Export.
- Click Next.
- Select Base-64 encoded X.509 (.CER), and then click Next.
Note: Step 21 assumes there are no intermediate certificates in the Certificate Authority hierarchy. If there are two or more levels of Certificate Authorities, the multiple certificates in the .p7b file cannot be exported to Base-64 encoded X.509 (.CER) at the same time; you must export each intermediate certificate and the root certificate to a separate file, for example C:\certs\interm64-1.cer, C:\certs\interm64-2.cer and C:\certs\Root64.cer. After completion, concatenate the certificates into a single file named cachain.cer, in this order:
-----BEGIN CERTIFICATE-----
MIIFxTCCBK2gAwIBAgIKYaLJSgAAAAAAITANBgkqhkiG9w0BAQUFADBGMRMwEQYK
CZImiZPyLGQBGRYDbmV0MRYwFAYKCZImiZPyLGQBGRYGbW5uZXh0MRcwFQYDVQQD
Ew5tbm5leHQtQUQtMS1DQTAeFw0xMzAyMDExNjAxMDNaFw0xNTAyMDExNjExMDNa <-----Intermediate 1 Certificate
SMhYhbv3wr7XraAnsIaBYCeg+J7fKTFgjA8bTwC+dVTaOSXQuhnZfrOVxlfJ/Ydm
NS7WBBBFd9V4FPyRDPER/QMVl+xyoaMGw0QKnslmq/JvID4FPd0/QD62RAsTntXI
ATa+CS6MjloKFgRaGnKAAFPsrEeGjb2JgMOpIfbdx4KT3WkspsK3KPwFPoYza4ih
4eT2HwhcUs4wo7X/XQd+CZjttoLsSyCk5tCmOGU6xLaE1s08R6sz9mM=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDZzCCAk+gAwIBAgIQNO7aLfykR4pE94tcRe0vyDANBgkqhkiG9w0BAQUFADBG
K73RIKZaDkBOuUlRSIfgfovUFJrdwGtMWo3m4dpN7csQAjK/uixfJDVRG0nXk9pq
GXaS5/YCv5B4q4T+j5pa2f+a61ygjN1YQRoZf2CHLe7Zq89Xv90nhPM4foWdNNkr <-----Intermediate 2 Certificate
/Esf1E6fnrItsXpIchQOmvQViis12YyUvwko2aidjVm9sML0ANiLJZSoQ9Zs/WGC
TLqwbQm6tNyFB8c=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDZzCCAk+gAwIBAgIQNO7aLfykR4pE94tcRe0vyDANBgkqhkiG9w0BAQUFADBG
K73RIKZaDkBOuUlRSIfgfovUFJrdwGtMWo3m4dpN7csQAjK/uixfJDVRG0nXk9pq
GXaS5/YCv5B4q4T+j5pa2f+a61ygjN1YQRoZf2CHLe7Zq89Xv90nhPM4foWdNNkr <-----Root Certificate
/Esf1E6fnrItsXpIchQOmvQViis12YyUvwko2aidjVm9sML0ANiLJZSoQ9Zs/WGC
TLqwbQm6tNyFB8c=
-----END CERTIFICATE-----
Note: There must be no text before the -----BEGIN CERTIFICATE----- or after the -----END CERTIFICATE----- in the .crt or .cer files.
- Save the export to C:\certs\Root64.cer and click Next.
- Click Finish.
Adding a "certificate chain" as Machine SSL certificate:
When using an external CA, the MACHINE_SSL_CERT needs to contain all certificates up to and including the root, like:
- machine_ssl.cer: the complete chain of leaf + intermediate CAs (if applicable) + root CA
- Root64.cer: the chain of intermediate CAs (if applicable) + root CA
The Certificate Manager CLI Tool then prompts for those two chain files, along with the key (refer to Replacing a vSphere 6.x Machine SSL certificate with a Custom Certificate Authority Signed Certificate for Certificate Manager CLI):
Please provide a valid custom certificate for Machine SSL.
File : /tmp/ssl/machine_name_ssl.cer
Please provide a valid custom key for Machine SSL.
File : /tmp/ssl/machine_name_ssl.key
Please provide the signing certificate of the Machine SSL certificate
File : /tmp/ssl/Root64.cer
The full certificate chain is installed into the MACHINE_SSL_CERT VECS store. The chain of CAs is installed in the TRUSTED_ROOTS VECS store. The reason for the full certificate chain in the MACHINE_SSL_CERT is so that the product/server presents the full SSL chain when accessed via a browser/client. This is required especially if a customer is using an offline CA where the intermediate CA is not installed in their browser/client OS certificate store.
Note: This is not recommended by VMware Engineering apart from cases where the customer uses an offline CA. All TLS connections made via a certificate added this way will be considered secure even if that may not be the case.
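The export and chain-assembly steps above (splitting cachain.p7b into Base-64 files with nothing outside the markers, then building Root64.cer and the Machine SSL chain file) as an added PowerShell example. This is not code from the VMware KB; it reads the .p7b chain downloaded from the Microsoft CA and the issued rui.crt, orders the CA certificates by matching each certificate's Issuer to the next one's Subject, writes Root64.cer (intermediates + root) and machine_ssl.cer (leaf + intermediates + root), and checks the files against the KB's "no text before BEGIN / after END" note and the 24-hour valid-from note. The input and output paths, the ConvertTo-Pem helper and the output file name machine_ssl.cer are assumptions; the CLI prompt above shows /tmp/ssl/machine_name_ssl.cer, so name the file to match whatever path you give the Certificate Manager CLI.

```powershell
# Added example, not part of the VMware KB: build Root64.cer and machine_ssl.cer
# from the Microsoft CA chain export and the issued leaf certificate.
# Assumed inputs:  C:\certs\cachain.p7b     (Download CA certificate chain, Base 64)
#                  C:\certs\service\rui.crt (certificate issued for the service)
# Outputs:         C:\certs\Root64.cer      (intermediate CAs + root CA)
#                  C:\certs\machine_ssl.cer (leaf + intermediate CAs + root CA)
param(
    [string]$ChainP7b = 'C:\certs\cachain.p7b',
    [string]$LeafCrt  = 'C:\certs\service\rui.crt',
    [string]$OutDir   = 'C:\certs'
)

# Render one certificate as Base-64 encoded X.509 (.CER) with nothing outside the markers.
function ConvertTo-Pem {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $b64 = [Convert]::ToBase64String($Cert.RawData, [System.Base64FormattingOptions]::InsertLineBreaks)
    return "-----BEGIN CERTIFICATE-----`n$b64`n-----END CERTIFICATE-----`n"
}

# Load every CA certificate from the PKCS#7 bundle, and the leaf certificate.
$bundle = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$bundle.Import($ChainP7b)
$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($LeafCrt)

# The VMCA requires the leaf's valid-from date to be at least 24 hours in the past.
if ($leaf.NotBefore -gt (Get-Date).AddHours(-24)) {
    Write-Warning "Leaf NotBefore is $($leaf.NotBefore); VMCA requires it to be at least 24 hours in the past."
}

# Walk from the leaf's issuer up to the self-signed root, matching each
# certificate's Issuer to the Subject of the next certificate in the bundle.
$ordered = @()
$wanted  = $leaf.Issuer
while ($true) {
    $next = $bundle |
        Where-Object { $_.Subject -eq $wanted -and ($ordered.Thumbprint -notcontains $_.Thumbprint) } |
        Select-Object -First 1
    if (-not $next) { throw "No certificate in $ChainP7b has Subject '$wanted'; the chain is incomplete." }
    $ordered += $next
    if ($next.Subject -eq $next.Issuer) { break }   # self-signed: this is the root CA
    $wanted = $next.Issuer
}

# Root64.cer: intermediate CAs (if any) followed by the root CA.
$rootChain = ($ordered | ForEach-Object { ConvertTo-Pem -Cert $_ }) -join ''
# machine_ssl.cer: the leaf first, then the same CA chain.
$fullChain = (ConvertTo-Pem -Cert $leaf) + $rootChain

$utf8NoBom = New-Object System.Text.UTF8Encoding($false)   # a BOM would count as text before BEGIN
[IO.File]::WriteAllText((Join-Path $OutDir 'Root64.cer'),      $rootChain, $utf8NoBom)
[IO.File]::WriteAllText((Join-Path $OutDir 'machine_ssl.cer'), $fullChain, $utf8NoBom)

# Verify the written files contain only PEM certificate blocks, as the KB note requires.
$pemOnly = '^(-----BEGIN CERTIFICATE-----\r?\n[A-Za-z0-9+/=\r\n]+-----END CERTIFICATE-----\r?\n)+$'
foreach ($name in 'Root64.cer', 'machine_ssl.cer') {
    $path = Join-Path $OutDir $name
    if ((Get-Content $path -Raw) -notmatch $pemOnly) { throw "$name has text outside the certificate markers" }
}

"machine_ssl.cer: leaf + $($ordered.Count) CA certificate(s), top of chain first:"
$ordered | ForEach-Object { "  {0}  (issued by {1})" -f $_.Subject, $_.Issuer }
```

Run it in Windows PowerShell on the machine where the exports live, after steps 14 to 17 above. It produces the same Base-64 files as the Certificate Manager export wizard, but builds them in the one order the Certificate Manager CLI depends on (leaf, then each intermediate, then the root) and fails loudly if a CA certificate referenced by the leaf's Issuer is missing from the .p7b, which is the usual cause of a chain that installs but is not presented in full to clients.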