VMware security certificates
Create template
Create the CA template by following VMware KB 2112009, Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.x/7.x (vmware.com). The template is what makes the Microsoft CA issue a certificate with the key usages vCenter expects.
VMware does not recommend replacing either solution user certificates or STS certificates, nor using a subordinate CA in place of the VMCA. If you choose either of these options, you might encounter significant complexity and the potential for a negative impact to your security, and an unnecessary increase in your operational risk.
With the “hybrid” approach, custom certificates are used for the Machine SSL certificates of the Platform Services Controller and vCenter Server VMs and then the VMCA is left to manage the Solution Users and ESXi host certificates.
NOTE: HA is affected while the replacement runs (services are restarted), so disable HA manually beforehand and take a snapshot of the VCSA before you start. The certificate and key files must be base64 (PEM) encoded; DER files are not accepted.
Overview
- Generate a Certificate Signing Request for the externally-facing vSphere Web Client login page (the Machine SSL certificate)
- Submit the CSR to the Microsoft Certificate Authority and download the newly issued certificate and the root CA certificate
- Using the Certificate Manager utility, replace the Machine SSL certificate with the certificate issued by the Microsoft CA
- Verify that the vSphere Web Client login page now presents the Microsoft CA-issued certificate
Steps
- Create a folder on the appliance from which you can later download the generated files: /tmp/sslcerts
- Generate CSR
- Utility is present at: /usr/lib/vmware-vmca/bin/certificate-manager
- Run the utility and select Option 1
- Select Option 1 again, to generate the CSR and provide the output directory path (created above) to write out the files created
- Download the generated .csr file and .key file from that directory
- Submit the CSR to the CA. On the CA server (or any domain machine with certreq), specify the template you created earlier; the command below uses WebServer as the template name, so substitute your own if it differs:
certreq -submit -attrib "CertificateTemplate:WebServer" <nameofcsr.csr> <nameofcert.cer>
- If you don’t have an export of the root certificate, open an elevated command prompt on the CA server and run this command:
certutil -ca.cert root_certificate.cer
- Copy the .cer, key and root.cer to the VCSA.
- Open the Certificate Manager utility again and select Option 1, Replace Machine SSL certificate with Custom Certificate. Provide the password for your administrator@vsphere.local (SSO administrator) account and select Option 2, “Import Custom Certificate(s) and key(s) to replace existing Machine SSL certificate”. Supply the paths to the .cer, .key and root .cer files when prompted.
- Select “Y” to continue the operation. This may take a few minutes, depending on how your systems are configured.
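The checks below are an added example, not part of the original page or of VMware's certificate-manager: they cover the things that most often make the import in the previous step fail (a DER-encoded file, a key that does not belong to the certificate, a leaf that does not chain to the exported root) and add a post-replacement check of what the appliance actually serves. File names (vmca_issued_key.key, machine_ssl.cer, root_certificate.cer) and the host name vcsa.example.local are assumptions; the throwaway root CA and leaf in make_fixture are constructed so the script runs offline and stand in for the Microsoft CA root and the certificate it issued for your CSR.

```shell
#!/bin/sh
# Added example (not from the original page). Pre-flight checks for the files you copy to
# the VCSA before running certificate-manager, plus a post-replacement check of the live endpoint.
# Assumed file names: <cert>.cer (CA-issued leaf), <key>.key (key from certificate-manager),
# root_certificate.cer (root exported with certutil -ca.cert).

# 1. PEM (base64) encoding: certificate-manager rejects DER files.
is_pem_cert() {
  grep -q '^-----BEGIN CERTIFICATE-----' "$1" && openssl x509 -in "$1" -noout >/dev/null 2>&1
}

# 2. Does the private key belong to the certificate? Comparing the public keys (rather than the
#    RSA modulus) works for RSA and EC keys alike.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 3. Does the leaf chain to the root you exported from the CA?
chains_to_root() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# All three together; prints which check failed so you know what to fix before importing.
preflight() {
  is_pem_cert "$1"            || { echo "FAIL: $1 is not a PEM certificate" >&2; return 1; }
  key_matches_cert "$1" "$2"  || { echo "FAIL: key $2 does not match $1" >&2; return 1; }
  chains_to_root "$1" "$3"    || { echo "FAIL: $1 does not chain to $3" >&2; return 1; }
  echo "OK: $1 is PEM, matches $2 and chains to $3"
}

# 4. After replacement: which CA issued the certificate the vCenter HTTPS endpoint presents?
#    Needs network access to the appliance, so it is not exercised by the offline fixture.
served_cert_issuer() {
  echo | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
    | openssl x509 -noout -issuer
}

# Constructed fixture (assumption, for offline use): a throwaway root CA and a leaf it signs.
# Also writes a DER copy of the leaf, the kind of file certificate-manager would reject.
make_fixture() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
    -out "$dir/root_certificate.cer" -subj "/CN=Example Root CA" -days 1 >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout "$dir/vmca_issued_key.key" \
    -out "$dir/vmca_issued_csr.csr" -subj "/CN=vcsa.example.local" >/dev/null 2>&1
  openssl x509 -req -in "$dir/vmca_issued_csr.csr" -CA "$dir/root_certificate.cer" \
    -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/machine_ssl.cer" -days 1 >/dev/null 2>&1
  openssl x509 -in "$dir/machine_ssl.cer" -outform DER -out "$dir/machine_ssl.der" 2>/dev/null
  echo "$dir"
}

# Usage against real files on the appliance, e.g. from /tmp/sslcerts:
#   preflight machine_ssl.cer vmca_issued_key.key root_certificate.cer
#   served_cert_issuer vcsa.example.local     (after certificate-manager has finished)
```

Run preflight on the appliance before starting certificate-manager; once it reports OK the import itself rarely fails. After the services come back, served_cert_issuer should show your Microsoft CA as the issuer rather than the VMCA (CN=CA, O=VMware, ...).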
References
- Replacing vCenter 6.0’s SSL Certificate (vmware.com)
- VMware vCenter Replace Machine Certificate With Custom CA (Virtualblog.nl)
- VMware vCenter Certificate Replacement (Dasher)
- vSphere Security Certificates (vmware.com)
- New Product Walkthrough - Hybrid vSphere SSL Certificate Replacement (VMware vSphere Blog)