Configuring the vSphere 6.0 U1 or earlier VMware Certificate Authority as a Subordinate Certificate Authority
Article ID: 341766

Products

VMware vCenter Server

Issue/Introduction

This article provides steps for configuring the VMware vSphere 6.0 VMware Certificate Authority (VMCA) as a subordinate of an existing Certificate Authority.

A VMCA exists on both an embedded vCenter Server 6.0 installation and an external Platform Services Controller.

Environment

VMware vCenter Server 6.0.x
VMware vCenter Server Appliance 6.0.x

Resolution

If you have not yet configured your Microsoft Certificate Authority, see Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.0 (2112009).

Notes:
  • This task replaces the VMCA Root Certificate with a custom signing certificate and replaces the MachineSSL and Solution User certificates with new certificates issued by this custom signing certificate.
  • If you are running an external Platform Services Controller, you need to run the vSphere 6.0 Certificate Manager on the external vCenter Server 6.0 and perform these tasks:
    • Replace Machine SSL certificate with VMCA Certificate
    • Replace Solution user certificates with VMCA certificates
  • If you have multiple Platform Services Controllers, you need to perform the preceding tasks on all Platform Services Controllers if you need to have trusted certificates for all vCenter Server 6.0 installations.
  • In some cases it may be necessary to distribute the intermediate CA certificate through the domain so that the vSphere Client automatically trusts the certificates created for ESXi hosts.
  • When configuring certificates in an HA environment behind a load balancer, perform the steps below on each PSC individually, ignoring the load balancer.

Caution:

To configure the vSphere 6.0 VMware Certificate Authority as a subordinate Certificate Authority:

vSphere 6.0 with VMCA as an Intermediate CA and external Platform Service Controller

  1. Launch the vSphere 6.0 Certificate Manager by using:

      Platform Service Controller Appliance – /usr/lib/vmware-vmca/bin/certificate-manager

      Windows Platform Service Controller – C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager

    1. Select Option 2 (Replace VMCA Root certificate with Custom Signing Certificate and replace all Certificates)
    2. Provide the administrator@vsphere.local password when prompted.
    3. Select Option 1 (Generate Certificate Signing Request(s) and Key(s) for VMCA Root Signing certificate)
    4. Provide a directory to save the certificate signing request and private key to.

      Note: The files created will have the names root_signing_cert.csr and root_signing_cert.key.

    5. Provide the root_signing_cert.csr to your Certificate Authority to generate a Subordinate Signing Certificate, and name the resulting file root_signing_cert.cer.

      Note: To allow WinSCP connections to a vCenter Server 6.0 Appliance, see Error when uploading files to vCenter Server Appliance using WinSCP (2107727).

    6. Using a plain text editor, create a full chain file from root_signing_cert.cer by appending the contents of the intermediate CA certificate(s) and the root CA certificate to it.

      For example,
      -----BEGIN CERTIFICATE-----
      MIIFxTCCBK2gAwIBAgIKYaLJSgAAAAAAITANBgkqhkiG9w0BAQUFADBGMRMwEQYK
      CZImiZPyLGQBGRYDbmV0MRYwFAYKCZImiZPyLGQBGRYGbW5uZXh0MRcwFQYDVQQD
      Ew5tbm5leHQtQUQtMS1DQTAeFw0xMzAyMDExNjAxMDNaFw0xNTAyMDExNjExMDNa
      SMhYhbv3wr7XraAnsIaBYCeg+J7fKTFgjA8bTwC+dVTaOSXQuhnZfrOVxlfJ/Ydm
      NS7WBBBFd9V4FPyRDPER/QMVl+xyoaMGw0QKnslmq/JvID4FPd0/QD62RAsTntXI
      ATa+CS6MjloKFgRaGnKAAFPsrEeGjb2JgMOpIfbdx4KT3WkspsK3KPwFPoYza4ih
      4eT2HwhcUs4wo7X/XQd+CZjttoLsSyCk5tCmOGU6xLaE1s08R6sz9mM=
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      MIIDZzCCAk+gAwIBAgIQNO7aLfykR4pE94tcRe0vyDANBgkqhkiG9w0BAQUFADBG
      K73RIKZaDkBOuUlRSIfgfovUFJrdwGtMWo3m4dpN7csQAjK/uixfJDVRG0nXk9pq
      GXaS5/YCv5B4q4T+j5pa2f+a61ygjN1YQRoZf2CHLe7Zq89Xv90nhPM4foWdNNkr
      /Esf1E6fnrItsXpIchQOmvQViis12YyUvwko2aidjVm9sML0ANiLJZSoQ9Zs/WGC
      TLqwbQm6tNyFB8c=
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      MIIDZzCCAk+gAwIBAgIQNO7aLfykR4pE94tcRe0vyDANBgkqhkiG9w0BAQUFADBG
      K73RIKZaDkBOuUlRSIfgfovUFJrdwGtMWo3m4dpN7csQAjK/uixfJDVRG0nXk9pq
      GXaS5/YCv5B4q4T+j5pa2f+a61ygjN1YQRoZf2CHLe7Zq89Xv90nhPM4foWdNNkr
      /Esf1E6fnrItsXpIchQOmvQViis12YyUvwko2aidjVm9sML0ANiLJZSoQ9Zs/WGC
      TLqwbQm6tNyFB8c=
      -----END CERTIFICATE-----

      Here the first certificate is the contents of root_signing_cert.cer, followed by any intermediate CA certificates, with the root CA certificate last.

    7. Save this file as root_signing_chain.cer.
    8. Return to the vSphere 6.0 Certificate Manager and select Option 1 (Continue to importing Custom certificate(s) and key(s) for VMCA Root Signing certificate).
    9. Provide the full path to the root_signing_chain.cer and root_signing_cert.key.

      For example:

      Platform Service Controller Appliance:

      Please provide valid custom certificate for Root.
      File : /tmp/ssl/root_signing_chain.cer

      Please provide valid custom key for Root.
      File : /tmp/ssl/root_signing_cert.key


      Windows Platform Service Controller:

      Please provide valid custom certificate for Root.
      File : C:\ssl\root_signing_chain.cer

      Please provide valid custom key for Root.
      File : C:\ssl\root_signing_cert.key

    10. Answer Yes (Y) to the confirmation request to proceed.
    11. If this is the first time custom certificates are implemented on this system, you will be asked to configure certool.cfg. On subsequent runs, you will be offered the option to re-use these values.

      Note: These values are used to define certificates issued by VMCA.

    12. Enter the values for these as prompted by the VMCA:

      Please configure certool.cfg file with proper values before proceeding to next step.
      Press Enter key to skip optional parameters or use Default value.
      Enter proper value for 'Country' [Default value : US] :
      Enter proper value for 'Name' [Default value : Acme] :
      Enter proper value for 'Organization' [Default value : AcmeOrg] :
      Enter proper value for 'OrgUnit' [Default value : AcmeOrg Engineering] :
      Enter proper value for 'State' [Default value : California] :
      Enter proper value for 'Locality' [Default value : Palo Alto] :
      Enter proper value for 'IPAddress' [optional] :
      Enter proper value for 'Email' [Default value : email@acme.com] :
      Enter proper value for 'Hostname' [Enter valid Fully Qualified Domain Name(FQDN), For Example : example.domain.com] :

vSphere 6.0 with VMCA as an Intermediate CA and embedded Platform Service Controller

    1. Launch the vSphere 6.0 Certificate Manager using:

        vCenter Server Appliance:

        /usr/lib/vmware-vmca/bin/certificate-manager

        Windows vCenter Server:

        C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager

      1. Select Option 2 (Replace VMCA Root certificate with Custom Signing Certificate and replace all Certificates)
      2. Provide the administrator@vsphere.local password when prompted.
      3. Select Option 1 (Generate Certificate Signing Request(s) and Key(s) for VMCA Root Signing certificate)
      4. Provide a directory to save the certificate signing request and private key to.

        Note: The files created will have the names root_signing_cert.csr and root_signing_cert.key.

      5. Provide the root_signing_cert.csr to your Certificate Authority to generate a Subordinate Signing Certificate, and name the resulting file root_signing_cert.cer.

        Note: To allow WinSCP connections to a vCenter Server 6.0 Appliance, see Error when uploading files to vCenter Server Appliance using WinSCP (2107727).

      6. Using a plain text editor, create a full chain file from root_signing_cert.cer by appending the contents of the intermediate CA certificate(s) and the root CA certificate to it.

        For example:

        -----BEGIN CERTIFICATE-----
        MIIFxTCCBK2gAwIBAgIKYaLJSgAAAAAAITANBgkqhkiG9w0BAQUFADBGMRMwEQYK
        CZImiZPyLGQBGRYDbmV0MRYwFAYKCZImiZPyLGQBGRYGbW5uZXh0MRcwFQYDVQQD
        Ew5tbm5leHQtQUQtMS1DQTAeFw0xMzAyMDExNjAxMDNaFw0xNTAyMDExNjExMDNa
        SMhYhbv3wr7XraAnsIaBYCeg+J7fKTFgjA8bTwC+dVTaOSXQuhnZfrOVxlfJ/Ydm
        NS7WBBBFd9V4FPyRDPER/QMVl+xyoaMGw0QKnslmq/JvID4FPd0/QD62RAsTntXI
        ATa+CS6MjloKFgRaGnKAAFPsrEeGjb2JgMOpIfbdx4KT3WkspsK3KPwFPoYza4ih
        4eT2HwhcUs4wo7X/XQd+CZjttoLsSyCk5tCmOGU6xLaE1s08R6sz9mM=
        -----END CERTIFICATE-----
        -----BEGIN CERTIFICATE-----
        MIIDZzCCAk+gAwIBAgIQNO7aLfykR4pE94tcRe0vyDANBgkqhkiG9w0BAQUFADBG
        K73RIKZaDkBOuUlRSIfgfovUFJrdwGtMWo3m4dpN7csQAjK/uixfJDVRG0nXk9pq
        GXaS5/YCv5B4q4T+j5pa2f+a61ygjN1YQRoZf2CHLe7Zq89Xv90nhPM4foWdNNkr
        /Esf1E6fnrItsXpIchQOmvQViis12YyUvwko2aidjVm9sML0ANiLJZSoQ9Zs/WGC
        TLqwbQm6tNyFB8c=
        -----END CERTIFICATE-----
        -----BEGIN CERTIFICATE-----
        MIIDZzCCAk+gAwIBAgIQNO7aLfykR4pE94tcRe0vyDANBgkqhkiG9w0BAQUFADBG
        K73RIKZaDkBOuUlRSIfgfovUFJrdwGtMWo3m4dpN7csQAjK/uixfJDVRG0nXk9pq
        GXaS5/YCv5B4q4T+j5pa2f+a61ygjN1YQRoZf2CHLe7Zq89Xv90nhPM4foWdNNkr
        /Esf1E6fnrItsXpIchQOmvQViis12YyUvwko2aidjVm9sML0ANiLJZSoQ9Zs/WGC
        TLqwbQm6tNyFB8c=
        -----END CERTIFICATE-----

        Here the first certificate is the contents of root_signing_cert.cer, followed by any intermediate CA certificates, with the root CA certificate last.

      7. Save this file as root_signing_chain.cer.
      8. Return to the vSphere 6.0 Certificate Manager and select Option 1 (Continue to importing Custom certificate(s) and key(s) for VMCA Root Signing certificate).
      9. Provide the full path to the root_signing_chain.cer and root_signing_cert.key.

        For example:

        vCenter Server Appliance:

        Please provide valid custom certificate for Root.
        File : /tmp/ssl/root_signing_chain.cer

        Please provide valid custom key for Root.
        File : /tmp/ssl/root_signing_cert.key


        Windows vCenter Server:

        Please provide valid custom certificate for Root.
        File : C:\ssl\root_signing_chain.cer

        Please provide valid custom key for Root.
        File : C:\ssl\root_signing_cert.key

      10. Answer Yes (Y) to the confirmation request to proceed.
      11. If this is the first time custom certificates are implemented on this system, you will be asked to configure certool.cfg. On subsequent runs, you will be offered the option to re-use these values.

        Note: These values are used to define certificates issued by VMCA.

      12. Enter the values for these as prompted by the VMCA:

        Please configure certool.cfg file with proper values before proceeding to next step.
        Press Enter key to skip optional parameters or use Default value.
        Enter proper value for 'Country' [Default value : US] :
        Enter proper value for 'Name' [Default value : Acme] :
        Enter proper value for 'Organization' [Default value : AcmeOrg] :
        Enter proper value for 'OrgUnit' [Default value : AcmeOrg Engineering] :
        Enter proper value for 'State' [Default value : California] :
        Enter proper value for 'Locality' [Default value : Palo Alto] :
        Enter proper value for 'IPAddress' [optional] :
        Enter proper value for 'Email' [Default value : email@acme.com] :
        Enter proper value for 'Hostname' [Enter valid Fully Qualified Domain Name(FQDN), For Example : example.domain.com] :
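The CSR, sign, chain and import sequence of steps 4 to 9 is the same for the external and the embedded Platform Services Controller procedures above. The following is an added example, not part of the VMware article or of certificate-manager: it stands in a constructed, throwaway root CA for the enterprise CA, issues a subordinate CA certificate for a CSR the way step 5 describes, assembles root_signing_chain.cer in the order step 6 requires, and then checks the chain before it would be handed to the Certificate Manager. It assumes openssl is on the path; the check_chain function and the file names under $WORK are the example's own.

```shell
#!/bin/sh
# Added example (not VMware code). Builds and checks a VMCA signing chain.
set -eu
WORK=$(mktemp -d)
# Extensions a VMCA signing certificate needs: it must itself be a CA.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"

# Constructed stand-in for the enterprise root CA (test only, 1-day validity).
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
  -extfile "$WORK/ca.ext" -out "$WORK/root.cer" 2>/dev/null

# Stand-in for the CSR and key that certificate-manager writes in step 4.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=VMCA Subordinate CA" \
  -keyout "$WORK/root_signing_cert.key" -out "$WORK/root_signing_cert.csr" 2>/dev/null
# Step 5: the CA signs the CSR as a subordinate CA, producing root_signing_cert.cer.
openssl x509 -req -days 1 -in "$WORK/root_signing_cert.csr" -CA "$WORK/root.cer" \
  -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/ca.ext" \
  -out "$WORK/root_signing_cert.cer" 2>/dev/null
# Steps 6-7: subordinate first, intermediates next (none here), root last.
cat "$WORK/root_signing_cert.cer" "$WORK/root.cer" > "$WORK/root_signing_chain.cer"

# Print certificate number $2 (1-based) of the PEM bundle $1.
nth() { awk -v i="$2" '/BEGIN CERTIFICATE/{n++} n==i' "$1"; }
# Print the SHA-256 of a PEM public key read from stdin.
pubdigest() { openssl pkey -pubin -outform DER | openssl dgst -sha256; }

# check_chain CHAIN KEY: returns 0 only if CHAIN is ordered as step 6 requires
# (CA cert for KEY first, self-signed root last, each issued by the next one).
check_chain() {
  chain=$1; key=$2
  n=$(grep -c 'BEGIN CERTIFICATE' "$chain")
  [ "$n" -ge 2 ] || { echo "need subordinate and root certificates"; return 1; }
  nth "$chain" 1 | openssl x509 -noout -text | grep -q 'CA:TRUE' \
    || { echo "first certificate is not a CA certificate"; return 1; }
  a=$(nth "$chain" 1 | openssl x509 -noout -pubkey | pubdigest)
  b=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
  [ "$a" = "$b" ] || { echo "private key does not match first certificate"; return 1; }
  i=1
  while [ "$i" -le "$n" ]; do
    iss=$(nth "$chain" "$i" | openssl x509 -noout -issuer | sed 's/^issuer=//')
    j=$i; [ "$i" -lt "$n" ] && j=$((i + 1))   # the last cert must issue itself
    sub=$(nth "$chain" "$j" | openssl x509 -noout -subject | sed 's/^subject=//')
    [ "$iss" = "$sub" ] || { echo "certificate $i is not issued by certificate $j"; return 1; }
    i=$((i + 1))
  done
}
check_chain "$WORK/root_signing_chain.cer" "$WORK/root_signing_cert.key" && echo "chain OK"
```

The same check_chain can be pointed at a real root_signing_chain.cer and root_signing_cert.key before step 9; a chain that is rejected here (wrong order, missing root, key from a different CSR) will not produce a usable VMCA.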


Additional Information

Error when uploading files to vCenter Server Appliance using WinSCP
Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.0
Obtaining vSphere certificates from a Microsoft Certificate Authority
Updating certificates using certificate manager on vCenter Server or PSC 6.0 Update 1b fails
Configuring the vSphere 6.0 U1b or later VMware Certificate Authority as a Subordinate Certificate Authority