Replacing default vCenter machine SSL certificate with CA self-signed certificate

VMware vCenter from version 6.0 onwards uses five internal certificate types: the ESXi certificate, the Machine SSL certificate, the Solution User certificates, the vCenter Single Sign-On SSL signing certificate, and the VMware Directory Service certificate. Among the additions from version 6.0 onwards are the VMware Certificate Authority (VMCA) and the vSphere Certificate Management GUI.

In this blog post I will document the steps I used recently to replace the default VMCA-issued vCenter machine SSL certificate with a certificate signed by the internal domain Certificate Authority (CA).

Part 1 – Generate a private key

Use the OpenSSL tool to generate the private key:

openssl genrsa -out server_xyz.yourdomain.local.key 4096

Part 2 – Generate a CSR

openssl req -new -sha256 -key server_xyz.yourdomain.local.key -out server_xyz.yourdomain.local.csr

After generating the .csr file, open it in the vi text editor so you can copy its contents:

vi server_xyz.yourdomain.local.csr

Part 3 – Get the domain CA to sign the certificate

Copy the contents of the CSR to the clipboard

In a browser go to the domain CA:

http://yourCAserver.yourdomain.local/CertSrv

Sign in with your domain admin credentials

Click on ‘Request a certificate’

Click on ‘Advanced Certificate Request’

Change ‘Certificate Template’ to ‘Webserver’

Add the SANs in the ‘Additional Attributes’ box, e.g.:

san:dns=server_xyz.yourdomain.local&dns=server_xyz

Click ‘Submit’

(Note: the SANs need to be added at the signing stage on the CA server, because a certificate without SANs is not accepted by the Google Chrome web browser.)

Select ‘Base 64 encoded’ and click on ‘Download certificate’

This will download a container file with the CA cert and server_xyz cert in it. If the CA cert is already on the Linux server, you could just click on ‘Download Certificate’.
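Before uploading the signed certificate in the next part, it is worth confirming that it actually belongs to the private key from Part 1, carries the DNS SANs the CA was asked for, and chains to the CA. The script below is an added example, not from the original post: the hostname, file names and the throwaway lab CA (which stands in for the domain CA so the example runs offline) are all assumptions.

```shell
#!/bin/sh
# Added example (not from the post): sanity-check a CA-signed machine SSL
# certificate before uploading it to vCenter. Hostnames and file names are
# assumptions; a constructed lab CA stands in for the domain CA.
set -eu
cd "$(mktemp -d)"

HOST="server_xyz.yourdomain.local"
SHORT="server_xyz"

# Constructed lab CA (self-signed) so the example runs offline.
make_lab_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=lab-ca" -keyout ca.key -out ca.crt 2>/dev/null
}

# Steps from the post: private key and CSR. The SANs are added by the CA at
# signing time, which mirrors the 'Additional Attributes' box on the CA page.
issue_cert() {
  openssl genrsa -out "$HOST.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$HOST.key" -subj "/CN=$HOST" -out "$HOST.csr"
  printf 'subjectAltName=DNS:%s,DNS:%s\n' "$HOST" "$SHORT" > san.ext
  openssl x509 -req -sha256 -days 1 -in "$HOST.csr" -CA ca.crt -CAkey ca.key \
    -CAcreateserial -extfile san.ext -out "$HOST.crt" 2>/dev/null
}

# verify_cert CERT KEY CAFILE NAME... : prints "ok" and returns 0 only when the
# cert matches the key, carries every listed DNS SAN, and chains to CAFILE.
verify_cert() {
  cert="$1"; key="$2"; ca="$3"; shift 3
  # 1. The cert's public key must be derived from the private key we upload.
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = \
    "$(openssl pkey -in "$key" -pubout)" ] || { echo "key mismatch"; return 1; }
  # 2. Every expected name must appear as a DNS SAN (Chrome ignores the CN).
  sans="$(openssl x509 -in "$cert" -noout -ext subjectAltName | tr -d ' \n'),"
  for name in "$@"; do
    case "$sans" in
      *"DNS:$name,"*) ;;
      *) echo "missing SAN $name"; return 1 ;;
    esac
  done
  # 3. The cert must validate against the CA it claims to be signed by.
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || { echo "bad chain"; return 1; }
  echo "ok"
}

# Run directly with 'demo' to build the lab CA, issue a cert, and verify it.
if [ "${1:-}" = "demo" ]; then
  make_lab_ca; issue_cert
  verify_cert "$HOST.crt" "$HOST.key" ca.crt "$HOST" "$SHORT"
fi
```

Against a real CA-issued certificate, skip make_lab_ca and issue_cert and run verify_cert with the downloaded certificate, the key from Part 1, and the CA certificate.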

Part 4 – Replace the machine SSL cert using the vCenter web client Certificate Management

On the relevant vCenter web client, navigate to: Home > Administration > Certificates > Certificate Management

Find the Machine SSL Certificate, choose Actions, then choose Replace. You will be prompted for both the CA-signed certificate file and the private key file. Once both files are selected, click Replace. When it completes you will see a “completed successfully” confirmation banner, and the “valid until” date on the Machine SSL Certificate will be updated to the current date.

Note: These are all the steps required to generate and upload the CA signed SSL cert, but I have noticed that sometimes this is not enough.

If, when viewing the certificate in any web browser (even in a new session), you do not see the new SSL cert, you will need to restart the vCenter appliance for the SSL cert to become active.