Use vSphere Certificate Manager to Replace SSL Certificates

Loading

Implement Default VMCA Certificates (use Option 4 )

Prior to doing a certificate replacement make sure you do a vCenter clone and keep the clone copy ready just in case the certificate replacement doesn’t go well as planned. All you will then need to do is just shut down the failed vCenter and power on the cloned vCenter.

Certificates issued with Option 4 aren’t trusted outside the vSphere environment and are regenerated and issued by the VMCA and stored by the vSphere Endpoint Certificate Store (VECS).

This facility is used when implementing custom CA certificates with AD CA is not an option

As seen the certificate is not trusted so we will use a VMware generated cert to make URL trusted.

We could regenerate a new VMCA root certificate by launching the vSphere Certificate Manager and executing the following commands:

  •  /usr/lib/vmware-vmca/bin/certificate-manager

The same can be done via the vCenter UI by logging into the vCenter > Administration > Certificate Authority > Regenerate VMCA Root

In this demo, I’m just to use the default root certificate available and proceed

Download the Trusted root ( CA certificate)

It will download a file and we need to change it to zip format

Extract the contents and we will be having these files.

Login to your jumpstation & launch Google chrome, search for Certificates in the Chrome tab – Go to Trusted Root CA Auth and import the file as shown

Choose the cert file

Accept the cert file

Our cert generated by vCSA is now imported

Our HTML UI will no longer show the privacy bar and our browser is accessing the URL via a trusted cert

(Visited 139 times, 1 visits today)

By Ash Thomas

Ash Thomas is a seasoned IT professional with extensive experience as a technical expert, complemented by a keen interest in blockchain technology.

Leave a Reply