This post walks through replacing the default self-signed certificates in vCenter with SSL certificates signed by your own internal Certificate Authority (CA). In previous versions of vSphere the certificate replacement procedure was so complex that many administrators ignored it completely. With the Certificate Manager improvements in vSphere 6.x, and the ever-increasing threat landscape of today's digital world, replacing the certificates matters more than ever: a certificate issued by a CA your clients already trust is what lets them verify that the vCenter server, the solutions attached to it, and the users they talk to are who they claim to be.
The procedure outlined below is specific to installing certificates signed by a Microsoft intermediate CA on VCSA 6.5 with an embedded PSC. Once the machine SSL certificate chains to a CA your clients trust, browsers and API clients can validate the connection instead of prompting to accept an unknown certificate, which is what protects us against man-in-the-middle attacks; the resulting secure connection can be seen in the screenshot below. The VMware Certificate Authority (VMCA) was introduced in v6.0; for more information on using the VMCA see this blog post, or to read how to use the VMCA as an intermediate CA see here. VMware documentation for replacing self-signed certificates can be reviewed in this KB article.
Before beginning the certificate replacement process ensure you have a good backup and a snapshot of the VCSA. The following links are the official VMware guides, and this blog post provides a good overview of the certificates we are actually going to be replacing: Replacing default certificates with CA signed SSL certificates in vSphere 6.x (2111219), Replacing a vSphere 6.x Machine SSL certificate with a Custom Certificate Authority Signed Certificate (2112277), How to replace the vSphere 6.x Solution User certs with CA signed certs (2112278).
The first thing we need to do is generate a Certificate Signing Request (CSR). Open an SSH connection to the VCSA using an SSH client such as PuTTY and log in as root. If you need to enable SSH you can do so from the VAMI (https://vCenterIPorFQDN:5480) under Access; enable both SSH Login and Bash Shell. Run the following command to open the VMware built-in Certificate Manager tool:
/usr/lib/vmware-vmca/bin/certificate-manager
Select the appropriate option. In this case we first want to replace the machine SSL certificate with a custom certificate, option 1. When prompted enter the SSO administrator username and password. Enter 1 again to generate certificate signing request(s) and key(s) for the machine SSL certificate, and enter the output directory; in the example below we are using the /tmp directory. Fill in the required values for the certool.cfg file. These become the subject of the CSR, so make sure the Hostname value is the vCenter FQDN that clients will actually connect to, otherwise the issued certificate will not match the name in the browser's address bar.
The CSR and key are generated in the location specified. Change the root shell to /bin/bash using chsh -s "/bin/bash" root (the default appliance shell does not allow SCP transfers) and open an SCP connection to the VCSA using WinSCP. Copy the vmca_issued_csr.csr file to your local machine; you can use Notepad to view the contents of the file. Leave the WinSCP session open as we will need it to copy the certificate chain back to the VCSA.
The next step is to use the CSR to request a certificate from your internal Certificate Authority (official KB here). A Microsoft CA template needs creating with the settings specified here (official KB here) before requesting the certs. Once this is done open a web browser to the Microsoft Certificate Services page (normally https://CAServer/certsrv) and select Request a Certificate.
Then select Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file. The next page allows us to paste the CSR generated earlier and request a certificate using the pre-configured vSphere 6.5 certificate template.
Click Submit, then select Base 64 encoded and use both Download certificate and Download certificate chain. A .cer file will be downloaded, which I have renamed machine_name_ssl.cer, along with a .p7b. Double click the .p7b file to open it in certmgr, locate and right click the root certificate, select All Tasks, Export. Export the root certificate in Base-64 encoded X.509 (.CER) format; in this example I have named the file Root64.cer. Because the issuing CA here is an intermediate CA, the signing certificate we later hand to Certificate Manager must contain the whole chain: export the intermediate (issuing) CA certificate from the .p7b in the same way and append the root to it, intermediate first and root last, saving the combined file as Root64.cer (KB 2112277, step 8). Supplying the root certificate on its own results in an "unable to get local issuer certificate" error at import time. Using WinSCP copy the machine certificate and the chain file to the VCSA.
Go back to Certificate Manager and enter 1 to continue to importing custom certificate(s) and key(s) for the machine SSL certificate. Enter the path of the machine SSL certificate we copied, in this case /tmp/machine_name_ssl.cer. Enter the path of the associated custom key that was generated with the CSR request, in this case /tmp/vmca_issued_key.key. Finally, enter the signing certificate of the machine SSL certificate, in this case /tmp/Root64.cer. When prompted enter y to replace the default machine SSL certificate with the custom certificate.
The certificate will now be installed; the vCenter services are restarted as part of the process, so expect a short outage, and when finished a success message is displayed. If certificate installation fails at 0% see this KB article.
To verify the machine certificate open a web browser to the vCenter FQDN; provided the client trusts your internal root CA, the connection will now show as secure. Depending on the browser used you can view the certificate properties to confirm the issuer, subject and validity dates are correct. Alternatively browse to https://vCenterFQDN/psc and log in with an SSO administrator account, open Certificate Management and Machine Certificates, select the installed machine certificate, click Show Details and verify the certificate properties are correct.
Solution User Certificates
Repeat the steps above for the solution user certificates (official KB here). Replacing the solution user certificates may break some external plugins, such as SRM, in which case you should review this KB article for corrective action. To recap: run /usr/lib/vmware-vmca/bin/certificate-manager and this time select option 5, replace solution user certificates with custom certificates. Generate the CSRs and keys; you will notice that for the solution user certs 4 CSR and key files are created: machine, vsphere-webclient, vpxd, and vpxd-extension.
Using WinSCP copy the files to your local machine and repeat the certificate request process from the Microsoft Certificate Services page. Copy the new certificates to the VCSA and repeat the install process. Solution User certificates can be viewed on the PSC web interface under Certificate Management, Solution User Certificates.
5 thoughts on “Installing vCenter Internal CA signed SSL Certificates”
This was just timely as I just upgraded to 6.5. Do you happen to have anything on how to update/push the cert created and replaced for VCSA to all ESXi hosts connected to VCSA? Thank you so much for putting this out there, it is very well put together and very easy to follow compared to other stuff I found out there.
I have followed this to the letter, but get an “error 20 at 0 depth lookup: unable to get local issuer certificate”. Any help would be greatly appreciated.
The root certificate has to include the intermediate certificate. Create one like the machine one that combines the 3 certs. In this case you have intermediate + root.
machine_name_ssl.cer should have the full chain in it. See Step 8 of https://kb.vmware.com/s/article/2112277.
I’ve read many directions on how to do this task, but none of them explains how to upload the certificate to the VCSA so that you can point to it.