Replace vCenter Server SSL certificate with CA signed certificate

Loading

In this blog, we will replace the self-signed vCenter on vCenter 7. X with a valid certificate from a Microsoft Certificate Authority (CA).

1. Configure Certificate Authority Server in Windows 2022

Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere

2. For creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.x/7.x, open Cert Manager > Certificate Templates> Manage > Choose Web Server> right-click and choose Duplicate Template.

3 In the Duplicate Template window, select Windows 7 / Server 2008 R2 Enterprise for backward compatibility. if you need more security and encryption level higher on your cert choose the higher version of OS from the list. For backward compatibility choose a lower OS version.

4. Under the general tab, give a name for our template

5. Under Extensions tab > Application Policies > Click Server and Client Authentication and click Remove, then OK.

6. Click Basic Constraints > Enable this extension check box and click OK.

7. Next Go to Key Usage, click check on Signature is a proof of origin (nonrepudiation) 

8 – Under Subject Name tab > Ensure that the Supply in the request option is selected & Click Apply – OK

9 – Open Server Manager, go to Tools choose Certificate Authority. On the Certificate Templates right click, go to New > Certificate Template to Issue.

10 – Select the certificate template created earlier to enable in Certificate Authority and click OK.

That’s everything we need to do to create a certificate template.

Replacing a vSphere 6.x /7.x Machine SSL certificate with a Custom Certificate Authority Signed Certificate

11. In order to enable us to upload and download contents into the vCSA via SCP, login into the vCSA appliance and change the shell as shown.

 chsh -s  /bin/bash root 

12. Run the command below to launch the certificate manager

/usr/lib/vmware-vmca/bin/certificate-manager

13. Authenticate using your Admin SSO Credentials (non-AD one) and choose option 1 to replace the machine SSL certificate with a custom certificate and choose a directory to store our certificates onto such as /root.

14. Provide these details to the vSphere certificate manager

  • Country: Two-letter country code
  • Name: FQDN of the vCSA
  • Organization: Your organization name
  • Organizational Unit: Name of your unit/department
  • State: State
  • Locality: City
  • IPAddress(optional): vCSA IP address
  • Email: your email address
  • Hostname: FQDN of your vCSA
  • VMCA Name: FQDN of your vCSA

15. The certificate request (.CSR) is generated and this now needs to be signed by our external CA

16. via WINSCP, copy vmca_issued_csr.csr to your local desktop

17. Open the csr file and copy all the contents

18. Go to your Microsoft Certificate Authority Web-Enrollment (http://hostname/certsrv) to request a certificate

19.Submit an advanced certificate request.

20. Copy the.CSR file output here and choose the template we created earlier

21- Click Submit and our certificate should be issued by the CA. Choose Base 64 and Download the certificate chain which will have the Root CA and also the signed certificate for our vCSA.

21- Open the certnew.p7b file, choose the vCenter and export the file and name it as cert.cer

22- Export as cert.cer

23- Likewise, choose the root CA and export the file and name it as root.cer

24- Our signed vCSA cert and root CA cert is now ready and this will need to be moved back to the vCSA appliance.


25. Upload your Machine certificate (cert.cer) and Root CA certificate (root-ca.cer) using WinSCP to the vCSA /root folder:

26. Run the command again and Choose Option 1 to Continue replacing the machine SSL with Custom Cert. In the submenu, choose to import custom certificate(s) and key(s) for the Machine SSL certificate

27- Press Y to continue replacing Machine SSL cert using custom cert and provide certificate file paths as below

Provide custom machine certificate:
 cert.cer

Provide custom key for machine certificate:
 vmca_issued_key.key 

Provide the Root CA certificate:
 root-ca.cer 

27- Press Y to continue replacing Machine SSL cert using custom cert

28. This may take a couple of minutes for vCSA to replace certificates and update all services.

29. Once completed, you are finished. vCenter Server Appliance should now be logging in via a signed Cert

30. Finally, ensure to add your Root CA certificate to a trusted root store in MMC or via Group Policy to let your browser know it’s a safe CA when your client machines access the vCenter URL.

References

How to use vSphere Certificate Manager to Replace SSL Certificates

Replacing a vSphere 6.x /7.x Machine SSL certificate with a Custom Certificate Authority Signed Certificate

Obtaining vSphere certificates from a Microsoft Certificate Authority

(Visited 84 times, 1 visits today)

By Ash Thomas

Ash Thomas is a seasoned IT professional with extensive experience as a technical expert, complemented by a keen interest in blockchain technology.