
How to Replace Default VMware vCenter SSL Certificate?

To improve security in your virtualized environment, it is advisable to use CA-signed certificates, because a self-signed certificate is not trusted by default by the other systems vCenter communicates with.

In this post, I will show how to replace the self-signed certificates with Certificate Authority (CA) signed SSL certificates in a VMware vCenter environment. VMware ships the vSphere Certificate Manager utility with the appliance to automate the replacement process.

The vSphere Certificate Manager utility provides all workflows to replace or regenerate the Machine SSL Certificate, Solution User Certificates, and the VMCA Root Signing Certificate on the vCenter Server and Platform Services Controller.

Generate a certificate request

Step 01. Log in to the vCenter Server Appliance (VCSA) as root over SSH, then launch the Bash environment by typing shell.

Step 02. Run the command below and select option 1.

/usr/lib/vmware-vmca/bin/certificate-manager

Step 03. Enter the vCenter administrator credentials and select option 1.

Step 04. Fill in the following fields:

Enter proper value for 'Country': your country in 2 letters
Enter proper value for 'Name': the FQDN of your vCenter
Enter proper value for 'Organization': an organization name
Enter proper value for 'OrgUnit': name of your unit
Enter proper value for 'State': your country name
Enter proper value for 'Locality': your city name
Enter proper value for 'IPAddress': the vCenter IP address
Enter proper value for 'Email': your email address
Enter proper value for 'Hostname': the FQDN of your vCenter
Enter proper value for 'VMCA Name': the FQDN of your vCenter

Step 05. Once the private key and the certificate request have been generated, select option 2 to exit.

Send Certificate Request to CA Server

Step 01. Export the request and the key from /tmp/ssl on the vCenter appliance; I used WinSCP for this operation.

Step 02. If WinSCP shows the error below when logging in, run chsh -s /bin/bash root on the appliance and try to log in again.

Step 03. Go to /tmp/ssl and copy both files to your local system.

Step 04. Log in to the CA server and proceed with the certificate request as follows:

Step 05. Open the vmca_issued_csr.csr file and paste its entire contents into the Saved Request box, then select Web Service as the certificate template and click Submit.

Step 06. Select the Base 64 encoded option and download the certificate. I renamed the downloaded file to vcsacert.cer; I already had the root CA certificate saved as rootca.cer.

Step 07. Log in to the vCenter appliance using WinSCP and copy both certificate files to a location on the appliance. I used /tmp/ssl.

Step 08. Log in to the VCSA again over SSH, run the command below and select option 1.

/usr/lib/vmware-vmca/bin/certificate-manager

Step 09. Enter the vCenter administrator credentials and select option 2. Provide the paths of the issued certificate, the generated key, and the signing CA certificate from the previous steps, then press Y to confirm the change.

Custom certificate for machine SSL: /tmp/ssl/vcsacert.cer

Valid custom key for machine SSL: /tmp/ssl/vmca_issued_key.key

Signing certificate of the machine SSL certificate: /tmp/ssl/rootca.cer

Step 10. It takes a little while to complete, after which you will see the message below:

Status: 100 % Completed [All tasks completed successfully]

Step 11. Now connect to vCenter using the Web Client; the new custom certificate is presented.
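Before handing the three files to option 2, it is worth verifying on the appliance that each one is what the tool expects: a PEM certificate (not the CSR, and not a DER download if the wrong encoding was picked on the CA), a PEM private key, and a CA certificate that the issued certificate actually chains to. The script below is an added example written for this post; it is not part of VMware's tooling or the original article, and the /tmp/ssl paths in the usage line are assumptions that match the layout used above.

```shell
#!/bin/sh
# Pre-flight check for the three files certificate-manager option 2 asks for.
# Added example, not part of the original post or of VMware's tooling; the
# paths in the usage line are assumptions matching the post's /tmp/ssl layout.

# Classify a file by its PEM header so the wrong file is caught before the
# replacement workflow starts: cert, csr, key, der (binary), missing, unknown.
pem_kind() {
  f="$1"
  [ -r "$f" ] || { echo missing; return 0; }
  if grep -q -e '-----BEGIN CERTIFICATE-----' "$f"; then
    echo cert
  elif grep -q -e 'BEGIN CERTIFICATE REQUEST' -e 'BEGIN NEW CERTIFICATE REQUEST' "$f"; then
    echo csr
  elif grep -q -e 'PRIVATE KEY-----' "$f"; then
    echo key
  elif [ "$(head -c 1 "$f" | od -An -tx1 | tr -d ' ')" = "30" ]; then
    echo der   # leading ASN.1 SEQUENCE tag: DER was chosen instead of Base 64 on the CA
  else
    echo unknown
  fi
}

# Format-only checks (no openssl needed): returns 0 when every file has the
# PEM type the tool expects, 1 otherwise, naming each problem on stderr.
check_formats() {
  cert="$1" key="$2" ca="$3" rc=0
  [ "$(pem_kind "$cert")" = cert ] || { echo "$cert: expected a PEM certificate, got $(pem_kind "$cert")" >&2; rc=1; }
  [ "$(pem_kind "$key")" = key ]   || { echo "$key: expected a PEM private key, got $(pem_kind "$key")" >&2; rc=1; }
  [ "$(pem_kind "$ca")" = cert ]   || { echo "$ca: expected a PEM CA certificate, got $(pem_kind "$ca")" >&2; rc=1; }
  return $rc
}

# Cryptographic checks with openssl: the issued certificate must carry the
# public key of the generated private key and must chain to the supplied CA.
check_crypto() {
  cert="$1" key="$2" ca="$3"
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping key/chain checks" >&2; return 0; }
  certpub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
  keypub=$(openssl pkey -in "$key" -pubout) || return 1
  [ "$certpub" = "$keypub" ] || { echo "$cert does not match $key" >&2; return 1; }
  openssl verify -CAfile "$ca" "$cert" >/dev/null || { echo "$cert does not chain to $ca" >&2; return 1; }
  return 0
}

# Run both stages; stop at the first stage that fails.
preflight() {
  check_formats "$1" "$2" "$3" && check_crypto "$1" "$2" "$3"
}

# Usage (paths assumed from the post's layout):
#   sh preflight.sh /tmp/ssl/vcsacert.cer /tmp/ssl/vmca_issued_key.key /tmp/ssl/rootca.cer
if [ "$#" -eq 3 ]; then
  preflight "$1" "$2" "$3" && echo "OK: files are ready for certificate-manager option 2"
fi
```

The format stage catches the two mistakes this workflow invites (pointing the tool at the .csr instead of the issued .cer, or downloading the certificate as DER rather than Base 64); the openssl stage catches a certificate issued from a different request or a CA file that is not the issuer of the certificate, both of which otherwise only surface as a failed replacement and a rollback.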

The End.
