Replace vCenter Machine SSL certificate Custom Certificate Authority Signed Certificate
Article ID: 316601

Updated On:

Products

VMware vCenter Server

Issue/Introduction

This article explains how to replace the vCenter Machine SSL certificate with a certificate signed by a custom Certificate Authority (CA).

Notes:
  • For vCenter Server with an embedded Platform Services Controller (PSC), there will be one Machine SSL certificate.
  • For vCenter Server with an external Platform Services Controller, each machine (each PSC and each vCenter Server) has its own Machine SSL certificate, so this task must be performed on each machine.
  • VMware does not support the use of wildcard certificates on the vCenter Server. Refer to Certificate Requirements for the Different Solution Paths.

Resolution

If using Microsoft Certificate Authority for the custom machine cert, and it is not yet configured with a template to use, see Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.x/7.x.

  1. Launch the VMware Certificate Manager:

    vCenter Server 6.x/7.x/8.x Appliance:
    /usr/lib/vmware-vmca/bin/certificate-manager

    Windows vCenter Server 6.x:
    C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager

    Note: On Windows, log in as an administrator or use "Run as Administrator" if User Account Control (UAC) is enabled; otherwise the Certificate Manager cannot replace the certificate store.

  2. Select Option 1 (Replace Machine SSL certificate with custom certificate).
     
  3. Provide the vCenter Single Sign-On administrator password (administrator@vsphere.local in a default SSO domain) when prompted.
     
  4. Select Option 1 (Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate).
     
  5. Enter the directory in which to save the certificate signing request and the private key.

    Note:
    • Use the following values when prompted for the CSR fields:

Country:      Two uppercase letters only (e.g. US): the country where the company is located.
Name:         FQDN of the vCenter Server. This becomes the Common Name (CN) of the certificate subject; the Subject Alternative Names are taken from the Hostname field.
Organization: Company name.
OrgUnit:      The name of the department within the organization, for example "IT".
State:        The state/province where the company is located.
Locality:     The city where the company is located.
IPAddress:    IP address of the vCenter Server. This field is optional.
Email:        Email address.
Hostname:     FQDN of the vCenter Server. This field accepts multiple comma-separated entries, which become the Subject Alternative Name (SAN) entries, for example: VCSA1.vsphere.local,vcsa1,ip address of vCenter Server. The FQDN must match the PNID (see below).
VMCA Name:    FQDN of the vCenter Server running the VMCA. This is usually the external PSC, or the vCenter Server with an embedded PSC.

    • Make sure the Primary Network Identifier (PNID) matches the Hostname value exactly, including case. Obtain the PNID and the OS hostname with the following commands:

Appliance

/usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost && hostname -f

Windows

"C:\Program Files\VMware\vCenter Server\vmafdd\vmafd-cli.exe" get-pnid --server-name localhost && hostname

    • On vSphere 6.0 Update 3, enter the host name with the same case as in the existing Machine SSL certificate when generating the CSR.
    • The files created are named vmca_issued_csr.csr and vmca_issued_key.key.
  6. Submit vmca_issued_csr.csr to the Certificate Authority to obtain the Machine SSL certificate, and name the returned file machine_name_ssl.cer. For more information, see Obtaining vSphere certificates from a Microsoft Certificate Authority.

    Note: For more information on allowing WinSCP connections to a vCenter Server 6.x Appliance, see Connecting to vCenter Server Virtual Appliance using WinSCP....

  7. Return to the Certificate Manager on the vCenter Server and select Option 1 (Continue to importing Custom certificate(s) and key(s) for Machine SSL certificate).

    Note: If the certificate is issued through a chain of Intermediate CA and Root CA, see "Operation failed, performing automatic rollback" error when Certificate Manager fails at 0% replacing certificates before proceeding.

Provide the full path to machine_name_ssl.cer, to the private key vmca_issued_key.key generated in Step 5 (the examples below show it renamed to machine_name_ssl.key), and to the CA certificate Root64.cer.

Note: If one or more intermediate CAs sit between the Root CA and the machine certificate, Root64.cer must contain every intermediate CA certificate followed by the Root CA certificate, and machine_name_ssl.cer must be the full chain in leaf-first order: the machine certificate, then the intermediate CA(s) (closest issuer first), then the Root CA certificate. Certificate Manager rejects a chain in any other order.

The machine_name_ssl.cer should be a complete chain file similar to:

-----BEGIN CERTIFICATE-----
MIIFxTCCBK2gAwIBAgIKYaLJSgAAAAAAITANBgkqhkiG9w0BAQUFADBGMRMwEQYK
CZImiZPyLGQBGRYDbmV0MRYwFAYKCZImiZPyLGQBGRYGbW5uZXh0MRcwFQYDVQQD
Ew5tbm5leHQtQUQtMS1DQTAeFw0xMzAyMDExNjAxMDNaFw0xNTAyMDExNjExMDNa <-----Certificate
SMhYhbv3wr7XraAnsIaBYCeg+J7fKTFgjA8bTwC+dVTaOSXQuhnZfrOVxlfJ/Ydm
NS7WBBBFd9V4FPyRDPER/QMVl+xyoaMGw0QKnslmq/JvID4FPd0/QD62RAsTntXI
ATa+CS6MjloKFgRaGnKAAFPsrEeGjb2JgMOpIfbdx4KT3WkspsK3KPwFPoYza4ih
4eT2HwhcUs4wo7X/XQd+CZjttoLsSyCk5tCmOGU6xLaE1s08R6sz9mM=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDZzCCAk+gAwIBAgIQNO7aLfykR4pE94tcRe0vyDANBgkqhkiG9w0BAQUFADBG
K73RIKZaDkBOuUlRSIfgfovUFJrdwGtMWo3m4dpN7csQAjK/uixfJDVRG0nXk9pq
GXaS5/YCv5B4q4T+j5pa2f+a61ygjN1YQRoZf2CHLe7Zq89Xv90nhPM4foWdNNkr <-----Intermediate Certificate
/Esf1E6fnrItsXpIchQOmvQViis12YyUvwko2aidjVm9sML0ANiLJZSoQ9Zs/WGC
TLqwbQm6tNyFB8c=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDZzCCAk+gAwIBAgIQNO7aLfykR4pE94tcRe0vyDANBgkqhkiG9w0BAQUFADBG
K73RIKZaDkBOuUlRSIfgfovUFJrdwGtMWo3m4dpN7csQAjK/uixfJDVRG0nXk9pq
GXaS5/YCv5B4q4T+j5pa2f+a61ygjN1YQRoZf2CHLe7Zq89Xv90nhPM4foWdNNkr <-----Root Certificate
/Esf1E6fnrItsXpIchQOmvQViis12YyUvwko2aidjVm9sML0ANiLJZSoQ9Zs/WGC
TLqwbQm6tNyFB8c=
-----END CERTIFICATE-----
For example:

vCenter Server Appliance

Provide a valid custom certificate for Machine SSL.

File : /tmp/ssl/machine_name_ssl.cer

Provide a valid custom key for Machine SSL.

File : /tmp/ssl/machine_name_ssl.key


Provide the signing certificate of the Machine SSL certificate.

File : /tmp/ssl/Root64.cer

Windows vCenter Server:

Provide a valid custom certificate for Machine SSL.
File : C:\ssl\machine_name_ssl.cer

Provide a valid custom key for Machine SSL.
File : C:\ssl\machine_name_ssl.key

Provide the signing certificate of the Machine SSL certificate.
File : C:\ssl\Root64.cer

  8. Answer Yes (Y) to the confirmation prompt to proceed. Certificate Manager replaces the Machine SSL certificate and restarts the vCenter services as part of the replacement.

    Notes:
  • If using an external Platform Services Controller (deprecated since vSphere 6.7), replace the Machine SSL certificate on the external PSC first, then restart the services on each vCenter Server 6.x that points to it, and only then replace the Machine SSL certificate of the vCenter Server itself.
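Before answering Yes in the last step, it is worth checking the three files offline, because Certificate Manager only reports a bad chain or a mismatched key after it has started replacing certificates and has to roll back. The following POSIX shell script is an added example, not part of this article or of VMware's tooling. It checks that the first certificate in machine_name_ssl.cer lists the PNID in its Subject Alternative Name with exact case, that vmca_issued_key.key matches that certificate, that the bundle is ordered leaf first down to a self-signed root, and that the chain verifies against Root64.cer. It assumes openssl 1.1.1 or later on PATH. The make_fixture function builds a throwaway root / issuing CA / machine certificate PKI for the constructed hostname vcsa1.example.com purely so the checks can be exercised without a real CA; against a real deployment you run preflight on the files in your /tmp/ssl directory instead.

```shell
#!/bin/sh
# Added example: offline pre-flight checks for the files handed to certificate-manager.
# Not part of the KB article or of VMware's tools. Assumes openssl 1.1.1+ on PATH.
set -eu

# split_pem BUNDLE DIR: write the N-th certificate of a PEM bundle to DIR/cert.N.pem
split_pem() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert." n ".pem"; inside = 1 }
        inside                        { print > out }
        /-----END CERTIFICATE-----/   { inside = 0; close(out) }
    ' "$1"
}

# cert_field subject|issuer CERT: print the DN without the "subject=" / "issuer=" prefix
cert_field() { openssl x509 -in "$2" -noout "-$1" | sed 's/^[a-z]*= *//'; }

# check_san CERT PNID: the leaf (first certificate) must list the PNID as a DNS SAN, exact case
check_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName | tr ',' '\n' | sed 's/^ *//' \
        | grep -qxF "DNS:$2"
}

# check_key_matches CERT KEY: the public key in the leaf must be the one derived from KEY
check_key_matches() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# check_chain_order BUNDLE: leaf first, each certificate issued by the next, self-signed root last
check_chain_order() {
    dir=$(mktemp -d); rc=0; i=1
    split_pem "$1" "$dir"
    while [ -f "$dir/cert.$((i + 1)).pem" ]; do
        if [ "$(cert_field issuer "$dir/cert.$i.pem")" != "$(cert_field subject "$dir/cert.$((i + 1)).pem")" ]; then
            echo "chain order: certificate $i is not issued by certificate $((i + 1))"; rc=1
        fi
        i=$((i + 1))
    done
    if [ "$(cert_field subject "$dir/cert.$i.pem")" != "$(cert_field issuer "$dir/cert.$i.pem")" ]; then
        echo "chain order: last certificate is not a self-signed root"; rc=1
    fi
    rm -rf "$dir"; return $rc
}

# check_chain_verifies BUNDLE CAFILE: the leaf must chain up to CAFILE (Root64.cer), using the
# intermediates carried in the bundle itself as untrusted helpers
check_chain_verifies() {
    openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

# preflight CERT KEY CAFILE PNID: run every check; returns 0 only if all of them pass
preflight() {
    ok=0
    check_san "$1" "$4"            || { echo "SAN does not list PNID '$4' (case must match)"; ok=1; }
    check_key_matches "$1" "$2"    || { echo "private key does not match the machine certificate"; ok=1; }
    check_chain_order "$1"         || ok=1
    check_chain_verifies "$1" "$3" || { echo "chain does not verify against $3"; ok=1; }
    return $ok
}

# make_fixture DIR FQDN: constructed throwaway PKI (root -> issuing CA -> machine certificate) so
# the checks can run offline; a real deployment uses the CSR/key from Step 5 and the CA's output
make_fixture() {
    d=$1; fqdn=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Root CA" \
        -keyout "$d/root.key" -out "$d/root.cer" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Issuing CA" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/int.ext"
    openssl x509 -req -days 30 -in "$d/int.csr" -CA "$d/root.cer" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/int.ext" -out "$d/int.cer" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$fqdn" \
        -keyout "$d/vmca_issued_key.key" -out "$d/vmca_issued_csr.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s,DNS:%s\nextendedKeyUsage=serverAuth\n' "$fqdn" "${fqdn%%.*}" > "$d/leaf.ext"
    openssl x509 -req -days 30 -in "$d/vmca_issued_csr.csr" -CA "$d/int.cer" -CAkey "$d/int.key" \
        -CAcreateserial -extfile "$d/leaf.ext" -out "$d/leaf.cer" 2>/dev/null
    # The two files certificate-manager asks for: leaf-first full chain, and the CA bundle.
    cat "$d/leaf.cer" "$d/int.cer" "$d/root.cer" > "$d/machine_name_ssl.cer"
    cat "$d/int.cer" "$d/root.cer" > "$d/Root64.cer"
}
```

On the appliance, call preflight with the PNID taken straight from vmafd so the SAN comparison uses the same string Certificate Manager will: preflight /tmp/ssl/machine_name_ssl.cer /tmp/ssl/vmca_issued_key.key /tmp/ssl/Root64.cer "$(/usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost)". A non-zero exit with one of the printed reasons means the files would fail the import in Step 7; fix them before answering Yes.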

Additional Information

VMware Skyline Health Diagnostics for vSphere - FAQ
How to use vSphere Certificate Manager to Replace SSL Certificates
Regenerate vSphere 6.x, 7.x, and 8.0 certificates using self-signed VMCA
Generate CSR with vSphere Certificate Manager and Prepare Root Certificate (Intermediate CA)
Certificate Management Overview
Replacing the vSphere 6.x Machine SSL certificate with a VMware Certificate Authority issued certificate
"ERROR certificate-manager 'lstool get' failed: 1" during Certificate Replacement on vCenter Server 6.x
Connecting to vCenter Server Virtual Appliance using WinSCP fails with the error: Received too large (1433299822 B) SFTP packet. Max supported packet size is 1024000 B
"Operation failed, performing automatic rollback" error when Certificate Manager fails at 0% replacing certificates
Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.x/7.x
Obtaining vSphere certificates from a Microsoft Certificate Authority