Obtaining vSphere certificates from a Microsoft Certificate Authority

Article ID: 315372

Products

VMware vCenter Server

Issue/Introduction

The purpose of this article is to explain how to submit a certificate signing request (CSR) to a Microsoft Certificate Authority (CA) and generate a certificate for the PSC/VCSA.

Environment

VMware vCenter Server 6.7.x

VMware vCenter Server 7.0.x

VMware vCenter Server 8.0.x

Resolution

Process to obtain vSphere certificates from a Microsoft Certificate Authority:

Note: The VMCA requires that the certificate's start time (Valid From) be at least 24 hours before the current time.
  1. Log in to the Microsoft CA certificate authority Web interface. By default, it is http://CA_server_FQDN/CertSrv/.
  2. Click the Request a certificate (.csr) link.
  3. Click advanced certificate request.
  4. Click the Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file link.
  5. Open the certificate request (typically vmca_issued_csr.csr; refer to Step 6 in KB Replace vCenter Machine SSL certificate Custom Certificate Authority Signed Certificate) in a plain text editor and copy everything from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST----- into the Saved Request box.
 
Example:

-----BEGIN CERTIFICATE REQUEST-----
<alphanumeric certificate request characters>
-----END CERTIFICATE REQUEST-----
  6. Select the appropriate Certificate Template. For more information, see:

    Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere
  7. Click Submit to submit the request.
  8. Click Base 64 encoded on the Certificate issued screen.
  9. Click the Download Certificate link.
  10. Save the certificate as rui.crt in the appropriate c:\certs\service directory.
  11. Repeat Steps 2 to 10 for each additional service/certificate.
  12. Navigate back to the home page of the certificate server and click Download a CA certificate, certificate chain or CRL.
  13. Select the Base 64 option.
  14. Click the Download CA Certificate chain link.
  15. Save the certificate chain as cachain.p7b in the c:\certs folder.
  16. Double-click the cachain.p7b file to open it in the Certificate Manager.
  17. Navigate to C:\certs\cachain.p7b > Certificates.
  18. Right-click the certificate listed and click All Actions > Export.
  19. Click Next.
  20. Select Base-64 encoded X.509 (.CER), and then click Next.

    Note: Step 21 assumes there are no intermediate certificates in the Certificate Authority. If there are two or more levels of Certificate Authorities, the .p7b file holds more than one certificate, and they cannot be exported to Base-64 all at once: before the Base-64 encoded X.509 (.CER) export, each intermediate certificate and the root certificate must be exported to its own separate file. For example, create files named C:\certs\interm64-1.cer, C:\certs\interm64-2.cer and C:\certs\Root64.cer. After completion, concatenate the certificates into a single file named cachain.cer, in this order:

    -----BEGIN CERTIFICATE-----
    <alphanumeric certificate characters>       <-----Intermediate 1 Certificate
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    <alphanumeric certificate characters>       <-----Intermediate 2 Certificate
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    <alphanumeric certificate characters>       <-----Root Certificate
    -----END CERTIFICATE-----

    Note: There must be no text before the -----BEGIN CERTIFICATE----- or after the -----END CERTIFICATE----- in the .crt or .cer files.

  21. Save the export to C:\certs\Root64.cer and click Next.
  22. Click Finish.

Adding a "certificate chain" as Machine SSL certificate:

When using an external CA, the MACHINE_SSL_CERT needs to contain every certificate in the chain, up to and including the root, for example:

  • machine_ssl.cer: the complete chain of leaf + intermediate CAs (if applicable) + root CA
  • Root64.cer: the chain of intermediate CAs (if applicable) + root CA

The Certificate Manager CLI tool then prompts for those two chain files, along with the private key (refer to Replace vCenter Machine SSL certificate Custom Certificate Authority Signed Certificate for the Certificate Manager CLI procedure):

     Please provide a valid custom certificate for Machine SSL.
     File : /tmp/ssl/machine_name_ssl.cer

     Please provide a valid custom key for Machine SSL.
     File : /tmp/ssl/machine_name_ssl.key

     Please provide the signing certificate of the Machine SSL certificate
     File : /tmp/ssl/Root64.cer

The full certificate chain is installed into the MACHINE_SSL_CERT VECS store.
The chain of CAs is installed into the TRUSTED_ROOTS VECS store.
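The following Python script is an added example; it is not from this KB article or from VMware. It assembles the two chain files described above (leaf + intermediate CAs + root CA for MACHINE_SSL_CERT, and intermediate CAs + root CA for the signing-certificate prompt) from individually exported files in the order the note on intermediate certificates requires, and it checks every input for the layout mistakes the article warns about: a CSR pasted where a certificate belongs, text outside the BEGIN/END markers, and bodies that are not base64. The file names (rui.crt, interm64-1.cer, interm64-2.cer, Root64.cer) follow the article; the certificate bodies are constructed placeholders, not real DER, so the script checks file layout only.

```python
"""Assemble vSphere Machine SSL chain files from individually exported PEM
certificates and check them for the layout mistakes the KB warns about.

Added example, not part of the KB article or a VMware tool. File names
follow the article; the certificate bodies below are constructed
placeholders (base64 of a label), NOT real DER certificates, so this checks
layout only and validates no signatures, names or dates.
"""
import base64
import binascii
import re
from typing import List, Optional

# One PEM block: the label must match between BEGIN and END, body is base64.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----",
    re.DOTALL,
)


def pem_problems(text: str, expected_label: str = "CERTIFICATE") -> List[str]:
    """Return the layout problems found in a PEM file (empty list == clean).

    Checks: at least one BEGIN/END block exists; every block carries the
    expected label (so a CERTIFICATE REQUEST is not used where a CERTIFICATE
    belongs); every body is valid base64; nothing but whitespace appears
    outside the markers (the article's "no text before BEGIN or after END").
    """
    problems: List[str] = []
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        problems.append("no PEM block found")
    for label, body in blocks:
        if label != expected_label:
            problems.append(f"expected {expected_label} block, found {label}")
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except (binascii.Error, ValueError):
            problems.append(f"{label} body is not valid base64")
    stray = PEM_BLOCK.sub("", text).strip()
    if stray:
        problems.append(f"text outside PEM markers: {stray[:40]!r}")
    return problems


def pem_bodies(text: str, expected_label: str = "CERTIFICATE") -> List[str]:
    """Return the whitespace-stripped base64 bodies; raise on any problem."""
    problems = pem_problems(text, expected_label)
    if problems:
        raise ValueError("; ".join(problems))
    return ["".join(body.split()) for _, body in PEM_BLOCK.findall(text)]


def to_pem(body: str, label: str = "CERTIFICATE") -> str:
    """Re-wrap a base64 body as a canonical 64-column PEM block."""
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def build_chain(leaf: Optional[str], ca_files_issuer_first: List[str]) -> str:
    """Concatenate certificates in the order the article requires.

    `leaf` is the rui.crt text, or None for a CA-only chain. The CA files are
    given from the issuing intermediate upward to the root, i.e.
    interm64-1.cer, interm64-2.cer, Root64.cer. Each input is checked first
    and the output is re-wrapped, so the result carries no stray text.
    """
    bodies: List[str] = []
    if leaf is not None:
        leaf_bodies = pem_bodies(leaf)
        if len(leaf_bodies) != 1:
            raise ValueError("leaf file must hold exactly one certificate")
        bodies.extend(leaf_bodies)
    for text in ca_files_issuer_first:
        bodies.extend(pem_bodies(text))
    return "".join(to_pem(b) for b in bodies)


def _fake_cert(name: str) -> str:
    # Constructed placeholder: base64 of a label, not a real certificate.
    return to_pem(base64.b64encode(name.encode()).decode())


RUI_CRT = _fake_cert("leaf-machine-ssl")       # stands in for c:\certs\service\rui.crt
INTERM64_1 = _fake_cert("intermediate-ca-1")   # C:\certs\interm64-1.cer
INTERM64_2 = _fake_cert("intermediate-ca-2")   # C:\certs\interm64-2.cer
ROOT64 = _fake_cert("root-ca")                 # C:\certs\Root64.cer (root only)

# machine_ssl.cer: leaf + intermediates + root, what MACHINE_SSL_CERT receives.
MACHINE_SSL_CER = build_chain(RUI_CRT, [INTERM64_1, INTERM64_2, ROOT64])
# cachain.cer: intermediates + root, the "signing certificate" the CLI asks for.
CACHAIN_CER = build_chain(None, [INTERM64_1, INTERM64_2, ROOT64])

if __name__ == "__main__":
    print(MACHINE_SSL_CER)
    # A CSR pasted where a certificate belongs is reported, not silently used.
    csr = "-----BEGIN CERTIFICATE REQUEST-----\nMIIB\n-----END CERTIFICATE REQUEST-----\n"
    print(pem_problems(csr))
```

These checks only catch file-layout errors; once the real files are assembled, the chain itself should still be confirmed with `openssl verify` (the root as -CAfile, the intermediates as -untrusted, the leaf as the certificate to verify) before handing the files to the Certificate Manager CLI.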

The full certificate chain is placed in MACHINE_SSL_CERT so that the product/server presents the full SSL chain when accessed via a browser or client. This is required in particular when a customer uses an offline CA whose intermediate CA is not installed in the browser or client OS certificate store.

Note: VMware Engineering does not recommend this except in cases where the customer uses an offline CA. All TLS connections made with a certificate added this way will be considered secure even if that may not be the case.