vCenter Server 6 – Replacing SSL certificates with Custom VMCA
In an earlier post, How to replace VMware ESXi 6.* SSL certificate, I described how to replace the VMware ESXi 6.* SSL certificate. This post focuses on replacing SSL certificates with a custom VMCA in vCenter Server 6.* on Windows.
- Certificate Authority.
- Template for VMware in Certificate Authority – follow VMware Knowledge Base Article for details: Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.0 (2112009).
- XCA – optional, to store all certificates, requests and private keys.
I am not going to copy&paste VMware documentation - it is easier to read it directly. Below you will find a list of interesting documentation (in my opinion, of course) to read:
Today we will use VMware Certificate Authority (VMCA) in a custom topology. This means VMCA will be used only to store the certificates for all vCenter Server solutions, and every certificate replacement has to be done manually.
Replacing SSL certificates with custom VMCA
Replacing vCenter Server machine_ssl certificate
- Log in to the vCenter Server and start a command line.
- In the command line go to the directory where you installed vCenter Server 6.*. In my case it is the default directory: **C:\Program Files\VMware\vCenter Server\vmcad**.
- Start the tool called certificate-manager and select operation 1.
- Provide a valid SSO password and hit Enter. Choose Operation 1 - Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate and hit Enter.
- Enter the directory path where the CSR and private key will be saved. For simplicity I created the directory C:\SSL.
- The Certificate Signing Request and private key for machine_ssl were generated successfully.
- I am not going to bore you to death by approving all the certificates and documenting it. Check my earlier post where I did it - How to replace VMware ESXi 6.* SSL certificate.
- Once the certificate is signed and saved to the local disk, we return to the certificate-manager tool to replace the certificates. Press 1 and hit Enter.
- As requested, provide the path to the certificate, the certificate signing request and the root certificate authority certificate. Hit Enter and select Y to continue the operation of replacing the machine_ssl certificate.
- Certificate manager will replace the machine_ssl certificate and restart the vCenter Server services. It takes a while, so do not worry. If everything was configured correctly the operation will succeed.
Replacing vCenter Server solution user certificates (machine, vpxd, vpxd-extension, vsphere-webclient)
We will continue with the replacement of the other certificates.
- Start certificate manager and select option 5 - Replace Solution user certificates with Custom Certificate.
- Provide a valid SSO password and hit Enter.
- Select option 1 to generate the CSRs and provide the directory where the CSRs will be saved.
- Sign all the CSRs in your certificate authority - see the How to replace VMware ESXi 6.* SSL certificate link.
- Once they are signed we can start replacing all the solution user certificates.
- Return to certificate manager and choose option 1 to continue the certificate replacement. Provide the path to all certificates, private keys and the root certificate authority certificate.
- Hit Enter and select Y to continue. The vCenter Server solution user certificates will be replaced and the vCenter Server services will be restarted. Once this completes, our task of replacing the vCenter Server SSL certificates is finished.
- To check that a certificate was replaced successfully, simply inspect the certificate in the vSphere Web Client.
One of the most important things to do right after replacing the certificates is to change the vCenter Server certificate mode from the default vmca to custom. To do that, follow the VMware documentation: Change the Certificate Mode. If you do not change it you will have problems with High Availability - in short, vCenter Server will not trust your ESXi hosts' SSL thumbprints and HA will not work.
This is what you will see in HA information field.
From my experience there are several things that you have to be really careful about:
- The correct certificate template in your certificate authority.
- The certificate authority can't overwrite any field of the certificate. If it does, the vCenter services will not start properly.
- You will not see the vsphere-webclient certificate in the SSL certificate browser. This is OK - by design the machine_ssl certificate is used by the reverse proxy. Read more: Where vSphere 6.0 Uses Certificates.
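A pre-flight check for the second point above, added here as an example that is not part of the original post or of VMware's tooling: before pointing certificate-manager at a CA-signed certificate, confirm that it still carries the subject and public key from the CSR and that it chains to the root certificate you will supply. It assumes the openssl CLI is available (for example from Git for Windows) and uses constructed lab file names and subjects.

```bash
#!/usr/bin/env bash
# Pre-flight check before feeding a CA-signed certificate to certificate-manager:
# the signed certificate must still carry the subject and public key from the
# CSR (a CA that rewrites fields breaks vCenter service start-up) and must
# validate against the root CA certificate handed to certificate-manager.
# Requires the openssl CLI; all file names and subjects here are constructed.
set -u

# Return 0 if CERT was issued for CSR without altering subject or key and it
# verifies against ROOT; print each mismatch to stderr and return 1 otherwise.
check_signed_cert() {
    local csr="$1" cert="$2" root="$3" rc=0
    local csr_subj cert_subj csr_key cert_key
    csr_subj=$(openssl req -in "$csr" -noout -subject)
    cert_subj=$(openssl x509 -in "$cert" -noout -subject)
    if [ "$csr_subj" != "$cert_subj" ]; then
        echo "subject changed by CA: CSR '$csr_subj' vs cert '$cert_subj'" >&2; rc=1
    fi
    # Compare the public keys, so the cert matches the private key the CSR was made with.
    csr_key=$(openssl req -in "$csr" -noout -pubkey | openssl sha256)
    cert_key=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    if [ "$csr_key" != "$cert_key" ]; then
        echo "public key in cert does not match the CSR/private key" >&2; rc=1
    fi
    if ! openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1; then
        echo "cert does not chain to $root" >&2; rc=1
    fi
    return $rc
}

# Build a throwaway lab in directory D: a root CA, a machine_ssl-style CSR,
# one correctly signed certificate and one unrelated certificate to be rejected.
make_demo() {
    local d="$1"
    mkdir -p "$d"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Lab Root CA" \
        -keyout "$d/root.key" -out "$d/root.cer" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=vcenter.lab.local/O=Lab" \
        -keyout "$d/machine_ssl.key" -out "$d/machine_ssl.csr" 2>/dev/null
    openssl x509 -req -in "$d/machine_ssl.csr" -CA "$d/root.cer" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -out "$d/machine_ssl.cer" 2>/dev/null
    # Wrong certificate: different key and subject, and not signed by the lab root.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=other.lab.local" \
        -keyout "$d/other.key" -out "$d/other.cer" 2>/dev/null
}

if [ "${1:-}" = "demo" ]; then
    make_demo ./lab && check_signed_cert ./lab/machine_ssl.csr ./lab/machine_ssl.cer ./lab/root.cer \
        && echo "machine_ssl.cer is safe to import"
fi
```

Run it as `bash check_cert.sh demo` to build the lab and check the good certificate; point `check_signed_cert` at your own CSR, signed certificate and root certificate before running certificate-manager.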