vCenter Server 6.* – Replacing SSL certificates with Enterprise VMCA


In my earlier post vCenter Server 6.* – Replacing SSL certificates with Custom VMCA I described how you can replace the SSL certificates with custom CA certificates. Today, in this post, vCenter Server 6.* – Replacing SSL certificates with Enterprise VMCA, I would like to guide you through replacing the self-signed VMCA SSL certificates with certificates issued by a Microsoft CA. This will allow you to take advantage of VMCA as a single point of certificate management in your environment while ensuring that

Prerequisites

VMCA Topologies

As mentioned in my earlier post, I suggest reading about the VMCA topologies you can choose from. Below you will find the two best articles to familiarize yourself with them:

Replacing SSL certificates with Enterprise VMCA

  1. Before we start with the certificate replacement, I suggest editing the file certool.cfg in C:\Program Files\VMware\vCenter Server\vmcad. In this file we provide all the information needed to issue the certificates. This is how my certool.cfg looks:

    Country = US
    Name    = CA
    Organization = VMware
    OrgUnit = VMware
    State = California
    Locality = Palo Alto
    IPAddress = 127.0.0.1
    Email = email@acme.com
    Hostname = server.acme.com

    vCenter Server 6.* - Replacing SSL certificates with Enterprise VMCA - 1

  12. Log in to your vCenter Server and start a command prompt as administrator.
  13. Change directory to the vCenter Server installation directory. In my case it is the default path: C:\Program Files\VMware\vCenter Server\vmcad.
  14. Start the script: certificate-manager.bat
  15. Select option 2 and enter Y to use the previously edited certool.cfg.
  16. Enter administrator@vsphere.local as the username and provide the password for this account.

    vCenter Server 6.* - Replacing SSL certificates with Enterprise VMCA - 3

  17. Immediately we have to configure the first certificate, machine_ssl. This is somewhat strange, because in the previous step we were asked whether we want to generate all certificates using the configuration file. If you edited certool.cfg beforehand, you just need to hit Enter several times. Pay attention that at the end you have to provide the FQDN of the vCenter Server.

    vCenter Server 6.* - Replacing SSL certificates with Enterprise VMCA - 3

  18. The same steps have to be done for the other certificates:

    - machine_ssl (created in the previous step)
    - machine
    - vpxd
    - vpxd-extension
    - vsphere-webclient

  24. At the end we have to export the Certificate Signing Request and key for the VMCA Root certificate. Select 1.

    vCenter Server 6.* - Replacing SSL certificates with Enterprise VMCA - 5

  25. Enter the directory where all files will be stored. In my case it is C:\SSL. If you are asked to reconfigure certool.cfg, you can skip it.

    vCenter Server 6.* - Replacing SSL certificates with Enterprise VMCA - 6

  26. Once we have the files, let's sign them with the Certificate Authority.
  27. I am using Internet Explorer to sign the certificate. Go to https://CA-FQDN/certsrv.
  28. Click Request a certificate.

    vCenter Server 6.* - Replacing SSL certificates with Enterprise VMCA - 7

  29. Choose advanced certificate request.

    vCenter Server 6.* - Replacing SSL certificates with Enterprise VMCA - 8

  30. Choose Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

    vCenter Server 6.* - Replacing SSL certificates with Enterprise VMCA - 9

  31. Paste the previously generated CSR into the field, select the previously created Sub CA template as the certificate template, and click Submit.

    vCenter Server 6.* - Replacing SSL certificates with Enterprise VMCA - 10

  32. Once the certificate is approved, export it as Base 64 encoded; to do so, simply click Download certificate. Export the Root CA certificate as well, because we will need it later on.

    vCenter Server 6.* - Replacing SSL certificates with Enterprise VMCA - 11

  33. The next step is to combine the Root CA certificate (from your Certificate Authority) with the Sub CA certificate, Sub CA first and Root CA second. Below you will find the format:

    -----BEGIN CERTIFICATE-----
    Sub Certificate Authority certificate
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    Root Certificate Authority certificate
    -----END CERTIFICATE-----

  34. If everything was done correctly, you should see that the chain is working fine.

    vCenter Server 6.* - Replacing SSL certificates with Enterprise VMCA - 12

  35. The next step is to import the combined certificates (I call this the chain certificate) into the VMware Certificate Authority (VMCA). Return to the certificate-manager script and select option 1.

    vCenter Server 6.* - Replacing SSL certificates with Enterprise VMCA - 13

  36. Provide the path to the chain certificate and the private key.

    vCenter Server 6.* - Replacing SSL certificates with Enterprise VMCA - 14

  37. Choose Y to replace the Root Certificate and all other certificates.
  38. If all steps were followed carefully, all certificates will be replaced. It takes a few minutes to complete.

    vCenter Server 6.* - Replacing SSL certificates with Enterprise VMCA - 15

  39. Once logged in to the vSphere Web Client you can easily check that the certificate was replaced.

    vCenter Server 6.* - Replacing SSL certificates with Enterprise VMCA - 16
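The chain file from steps 33 and 34 is the one thing in this procedure that is easy to get subtly wrong (wrong order, a Sub CA certificate that is not actually marked as a CA, stray CRLF from the Windows export), and certificate-manager only tells you much later. The script below is an added example, not part of the original post: it builds the chain in the order step 33 shows and checks it with openssl before you import it in step 35. File names (root.cer, subca.cer, chain.cer), the function names and the --demo switch are my own; the Root and Sub CA it generates are throwaway stand-ins for the Base 64 exports from your Microsoft CA.

```shell
#!/bin/sh
# Added example, not part of the original post: build the chain file in the
# order step 33 describes (Sub CA first, then Root CA) and check it before
# handing it to certificate-manager. Root/Sub CA certs are generated here as
# throwaway stand-ins for the Base 64 exports from the Microsoft CA.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Throwaway Root CA plus a Sub CA signed by it with basicConstraints CA:TRUE,
# which is what the Sub CA template must grant (constructed test data).
make_test_cas() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Test Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.cer" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Test VMCA Sub CA" \
    -keyout "$WORK/vmca.key" -out "$WORK/vmca.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/subca.ext"
  openssl x509 -req -in "$WORK/vmca.csr" -CA "$WORK/root.cer" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -extfile "$WORK/subca.ext" -out "$WORK/subca.cer" 2>/dev/null
}

# build_chain SUBCA_PEM ROOT_PEM OUT: strip the CRLF that Windows exports carry
# and write Sub CA followed by Root CA, exactly the layout shown in step 33.
build_chain() {
  tr -d '\r' < "$1" > "$3"
  tr -d '\r' < "$2" >> "$3"
}

# verify_chain CHAIN ROOT: the first certificate must be the Sub CA (not the
# self-signed root), must be marked CA:TRUE, and must validate against the root.
verify_chain() {
  subj=$(openssl x509 -in "$1" -noout -subject)
  iss=$(openssl x509 -in "$1" -noout -issuer)
  [ "${subj#subject=}" != "${iss#issuer=}" ] || return 1
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE' || return 1
  openssl verify -CAfile "$2" "$1" > /dev/null 2>&1
}

# Typical run: chain.cer is the file you would hand to certificate-manager.
if [ "${1:-}" = "--demo" ]; then
  make_test_cas
  build_chain "$WORK/subca.cer" "$WORK/root.cer" "$WORK/chain.cer"
  verify_chain "$WORK/chain.cer" "$WORK/root.cer" && echo "chain OK: $WORK/chain.cer"
fi
```

With the real exports, skip make_test_cas and call build_chain and verify_chain on the subca.cer and root.cer you downloaded from certsrv; a chain with the Root CA pasted first fails the first check in verify_chain.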

Summary

This post is quite long, but I hope it will be useful to all of those who can use a VMware Sub CA in their environment. For those who have to use VMCA in custom mode, you can simply follow my post on how to replace SSL certificates in custom VMCA mode: vCenter Server 6.* – Replacing SSL certificates with Custom VMCA.