VMware vCenter Replace Machine Certificate With Custom CA

/ October 26, 2020/ Uncategorised, VMware, vSphere

This blog contains the procedure to change the vCenter Machine certificate with your own custom certificate. There are different ways to replace the default certificate and therefore it is quite complex.

Note that the self-signed certificates are valid for a maximum of two years. Those certificates will not be renewed automatically. An expired certificate will result in service interruption.

Summary of actions to take:

  • Create a CSR request
  • Submit the CSR request to the Certificate Authority (CA)
  • Save the chain of the certificate in a separate file
  • Upload the certificate to the vCenter server
  • Run the Certificate manager in order to import the new certificate
  • vCenter services will be restarted

Create a CSR Request

  1. Enable SSH and Bash Shell within the appliance web console https:\\FQDN:5480
  2. Connect with Putty and WinSCP to the vCenter (or other tools)
  3. With WinSCP create a subfolder under /tmp/
  4. With Putty run “/usr/lib/vmware-vmca/bin/certificate-manager”
  5. Go for option “1” “Replace Machine SSL certificate with custom certificate”
/usr/lib/vmware-vmca/bin/certificate-manager
choose option “1”
  1. Choose option 1 “Generate certificate signing request(s) and Key(s) for machine SSL Certificate
  2. Output directory path: /tmp/cert
  3. Specify the properties
PropertyValue
CountryDefault, specify own.
NameFQDN vCenter
OrganizationDefault, specify own.
OrgUnitDefault, specify own.
StateDefault, specify own.
IPAddressIp of the vCenter
HostnameFQDN
VMCA NameFQDN

File are generated at the specified output location. In my case “/tmp/cert”

Submit the CSR request to the Certificate Authority (CA)

  • Download the CSR file (VMCA_Issued_CSR.CSR) with WinSCP
  • Copy the CSR file to the Certificate Authority (CA) or sub CA
  • With cmd run the command “certreq -submit -attrib “CertificateTemplate:WebServer”
  • Select the Certificate Authority
  • Save the Certificate to the temp folder
  • Check the certificate and chain

Save the chain of the certificate in a separate file

  • Export the the CA (Base-64 Encoded)
  • Export the sub CA (if there is a sub ca 😉 )

When all certificates are exported, you’ve got a list of two or three certificates:

  • vCenter certificate
  • CA Certificate
  • Optional sub CA certificate

During the import of the new vCenter certificate you need to import the certificate chain with a single file. Therefore is the next step neccessary with multiple CA’s

When using multiple CA’s Open each certificate with Notepad++ and copy the hole text of the sub CA and paste it within the CA certificate.

Final steps

  1. Upload the Certificate and the Chain to the vCenter Appliance ( in my case the “/tmp/cert” folder
  2. With Putty run “/usr/lib/vmware-vmca/bin/certificate-manager”
    1. Go for option “1” “Replace Machine SSL certificate with custom certificate”
    2. Go for option “2” “Import custom Certificate and key(s) to replace existing machine SSL certificate”
    3. Specify the location of the certificate
    4. Specify the location of the key file
    5. Specify the location of the chain certificate file
TypePath
Machine certificate /tmp/cert/Cert.cer
Key File machine SSL/tmp/cert/vmca_issued_key.key
Chain certificate/tmp/cert/chain.cer

After continue the operation, the vCenter server services will be restarted.

Services will be updated with the new custom certificate, therefore the vCenter server services will be restarted.

Done!!! vCenter server is running again and used the custom certificate

Thanks for reading, it was a pleasure to write about replacing the self-signed certificate.

Greetz, Kevin

Leave a Comment

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>
*
*