Replacing a vSphere 6.x /7.x/8.x Machine SSL certificate with a Custom Certificate Authority Signed Certificate
search cancel

Replacing a vSphere 6.x /7.x/8.x Machine SSL certificate with a Custom Certificate Authority Signed Certificate

book

Article ID: 316601

calendar_today

Updated On:

Products

VMware vCenter Server

Issue/Introduction

This article explains how to replace a VMware vSphere 6.x/7.x/8.x Machine SSL certificate with a Custom Certificate Authority (CA) Signed Certificate:

Notes:
  • For vCenter Server with an embedded Platform Services Controller (PSC), there will be one Machine SSL certificate.
  • For vCenter Server with an external Platform Services Controller, each machine will have its own Machine SSL certificate. Therefore, this task must performed on each machine.
  • VMware does not support the use of wildcard certificates on the vCenter Server. Refer to Certificate Requirements for the Different Solution Paths.


Environment

VMware vCenter Server 8.0.x
VMware vCenter Server 7.0.x
VMware vCenter Server 6.x
VMware vCenter Server Appliance 6.7.x
VMware vCenter Server Appliance 6.5.x

Resolution

If Microsoft Certificate Authority is not yet configured, see Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.x/7.x (2112009).

 
To replace the Machine SSL certificate with the Custom CA certificate:
  1. Launch the VMware Certificate Manager:

    vCenter Server 6.x/7.x/8.x Appliance:
    /usr/lib/vmware-vmca/bin/certificate-manager

    Windows vCenter Server 6.x/7.x/8.x:
    C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager
    Note: It is important to be logged in as an administrator or to "Run as Administrator" if user access control is enabled.
  2. Select Option 1 (Replace Machine SSL certificate with Custom Certificate).
     
  3. Provide the [email protected] password when prompted.
     
  4. Select Option 1 (Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate).
     
  5. Enter the directory in which you want to save the certificate signing request and the private key.

    Note:
    • Refer to the below information to enter values for CSR generation.

Country      : Two uppercase letters only (Eg. US), the country where your company is located.
Name         : FQDN of the vCenter Server
(Note: This will be your Certificate Subject Alternate Name)
Organization : Company Name
OrgUnit      : The name of your department within the organization. Example: "IT"
State        : The state/province where your company is located
Locality     : The city where your company is located.
IPAddress    : IP Address of vCenter Server, this field is Optional
Email        : Email Address
Hostname     : FQDN of vCenter Server(This field accepts multiple entries separated by comma.
(For example: VCSA1.vsphere.local,vcsa1,192.168.0.51)
VMCA Name    : (Note: FQDN of vCenter Server with VMCA (Usually External PSC or VC with Embedded PSC FQDN))

  • Note: Make sure the Primary Network Identifier (PNID) matches the Hostname
    • To obtain the PNID and hostname please refer to the following command for the appliance and Windows respectively:
      • /usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost && hostname -f
      • "C:\Program Files\VMware\vCenter Server\vmafdd\" vmafd-cli.exe get-pnid --server-name localhost && hostname
         
    • In vSphere 6.0 Update 3, provide the Host Name with proper case sensitivity as per the previous Machine_SSL certificate while generating CSR.
    • The files created will have the names vmca_issued_csr.csr and vmca_issued_key.key.
  1. Provide the vmca_issued_csr.csr to your Certificate Authority to generate a Machine SSL Certificate, name the file machine_name_ssl.cer. For more information, see Obtaining vSphere certificates from a Microsoft Certificate Authority (2112014).

    Note: For more information on allowing WinSCP connections to a vCenter Server 6.x Appliance, see Error when uploading files to vCenter Server Appliance using WinSCP (2107727).
  2. Return to the vSphere 6.x/7.x/8.x Certificate Manager and select Option 1 (Continue to importing Custom certificate(s) and key(s) for Machine SSL certificate).

    Note
    : If using a chain of Intermediate CA and Root CA, see Replacing certificates using vSphere 6.0 Certificate Manager fails at 0% with the error: Operation failed, performing automatic rollback (2111571) before proceeding.
  3. Provide the full path to machine_name_ssl.cer and vmca_issued_key.key from Step 5 and the CA certificate Root64.cer.

    Note: If one or more intermediate certificate authorities, the root64.cer should be a chain of all intermediate CA and Root CA certificates. The "machine_name_ssl.cer" should be a full chain for certificate+inter(s)+root.

    The machine_name_ssl.cer should be a complete chain file similar to:
    -----BEGIN CERTIFICATE-----
    MIIFxTCCBK2gAwIBAgIKYaLJSgAAAAAAITANBgkqhkiG9w0BAQUFADBGMRMwEQYK
    CZImiZPyLGQBGRYDbmV0MRYwFAYKCZImiZPyLGQBGRYGbW5uZXh0MRcwFQYDVQQD
    Ew5tbm5leHQtQUQtMS1DQTAeFw0xMzAyMDExNjAxMDNaFw0xNTAyMDExNjExMDNa <-----Certificate
    SMhYhbv3wr7XraAnsIaBYCeg+J7fKTFgjA8bTwC+dVTaOSXQuhnZfrOVxlfJ/Ydm
    NS7WBBBFd9V4FPyRDPER/QMVl+xyoaMGw0QKnslmq/JvID4FPd0/QD62RAsTntXI
    ATa+CS6MjloKFgRaGnKAAFPsrEeGjb2JgMOpIfbdx4KT3WkspsK3KPwFPoYza4ih
    4eT2HwhcUs4wo7X/XQd+CZjttoLsSyCk5tCmOGU6xLaE1s08R6sz9mM=
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIDZzCCAk+gAwIBAgIQNO7aLfykR4pE94tcRe0vyDANBgkqhkiG9w0BAQUFADBG
    K73RIKZaDkBOuUlRSIfgfovUFJrdwGtMWo3m4dpN7csQAjK/uixfJDVRG0nXk9pq
    GXaS5/YCv5B4q4T+j5pa2f+a61ygjN1YQRoZf2CHLe7Zq89Xv90nhPM4foWdNNkr <-----Intermediate Certificate
    /Esf1E6fnrItsXpIchQOmvQViis12YyUvwko2aidjVm9sML0ANiLJZSoQ9Zs/WGC
    TLqwbQm6tNyFB8c=
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIDZzCCAk+gAwIBAgIQNO7aLfykR4pE94tcRe0vyDANBgkqhkiG9w0BAQUFADBG
    K73RIKZaDkBOuUlRSIfgfovUFJrdwGtMWo3m4dpN7csQAjK/uixfJDVRG0nXk9pq
    GXaS5/YCv5B4q4T+j5pa2f+a61ygjN1YQRoZf2CHLe7Zq89Xv90nhPM4foWdNNkr <-----Root Certificate
    /Esf1E6fnrItsXpIchQOmvQViis12YyUvwko2aidjVm9sML0ANiLJZSoQ9Zs/WGC
    TLqwbQm6tNyFB8c=
    -----END CERTIFICATE-----

    For example:

vCenter Server Appliance

Provide a valid custom certificate for Machine SSL.

File : /tmp/ssl/machine_name_ssl.cer
 

Provide a valid custom key for Machine SSL.

File : /tmp/ssl/machine_name_ssl.key

 

Provide the signing certificate of the Machine SSL certificate.

File : /tmp/ssl/Root64.cer

 

Windows vCenter Server:

Provide a valid custom certificate for Machine SSL.
File : C:\ssl\machine_name_ssl.cer

Provide a valid custom key for Machine SSL.
File : C:\ssl\machine_name_ssl.key

Provide the signing certificate of the Machine SSL certificate.
File : C:\ssl\Root64.cer

  1. Answer Yes (Y) to the confirmation request to proceed.

    Notes:
  • When Certificate Manager prompts for the certificate, Enter the proper value for VMCA Name enter the Root Cert Name (That is Issuer Cert CA Common Name).
  • This task replaces the Machine SSL Certificate with a Custom CA Signed Certificate.
  • This certificate is not issued by VMCA. It is issued by an external Certificate Authority.
  • If running an external Platform Services Controller (deprecated in 6.7.x), a restart of the services on the external vCenter Server 6.x is needed and then proceed with replacing the Machine SSL of the vCenter Server 6.x.




Additional Information

VMware Skyline Health Diagnostics for vSphere - FAQ
How to use vSphere 6.x Certificate Manager
How to regenerate vSphere 6.x certificates using self-signed VMCA
Generate CSR with vSphere Certificate Manager and Prepare Root Certificate (Intermediate CA)
Certificate Management Overview
Replacing the vSphere 6.0 Machine SSL certificate with a VMware Certificate Authority issued certificate
"ERROR certificate-manager 'lstool get' failed: 1" during Certificate Replacement on vCenter Server 6.x
Error when uploading files to vCenter Server Appliance using WinSCP
Replacing default certificates with CA signed SSL certificates in vSphere 6.x
Replacing certificates using VMware vSphere 6.0 Certificate Manager fails at 0% with the error: Operation failed, performing automatic rollback
Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.0
Obtaining vSphere certificates from a Microsoft Certificate Authority