Replacing a vSphere 6.x/7.x Machine SSL certificate with a Custom Certificate Authority Signed Certificate

If you have not yet configured your Microsoft Certificate Authority, see Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.x/7.x (2112009). To replace the Machine SSL certificate with the Custom CA certificate:

  1. Launch the VMware vSphere 6.x Certificate Manager:

    vCenter Server 6.x Appliance:
    /usr/lib/vmware-vmca/bin/certificate-manager

    Windows vCenter Server 6.x:
    C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager
    Note: It is important to be logged in as an administrator or to “Run as Administrator” if user access control is enabled.
  2. Select Option 1 (Replace Machine SSL certificate with Custom Certificate).
  3. Provide the administrator@vsphere.local password when prompted.
  4. Select Option 1 (Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate).
  5. Enter the directory in which you want to save the certificate signing request and the private key.

     Note: Use the following values when prompted for the CSR fields:
       • Country      : Two uppercase letters only (e.g. US); the country where your company is located.
       • Name         : FQDN of the vCenter Server (this will be the certificate's Subject Alternative Name).
       • Organization : Company name.
       • OrgUnit      : The name of your department within the organization, for example "IT".
       • State        : The state/province where your company is located.
       • Locality     : The city where your company is located.
       • IPAddress    : IP address of the vCenter Server; this field is optional.
       • Email        : Email address.
       • Hostname     : FQDN of the vCenter Server. This field accepts multiple entries separated by commas, for example VCSA1.vsphere.local,vcsa1,192.168.0.51.
       • VMCA Name    : FQDN of the vCenter Server running VMCA (usually the external PSC, or the vCenter Server with an embedded PSC).

     Note: Make sure the Primary Network Identifier (PNID) matches the Hostname.
       • To obtain the PNID, run the following command on the appliance or on Windows respectively:
         • /usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost
         • "C:\Program Files\VMware\vCenter Server\vmafdd\vmafd-cli.exe" get-pnid --server-name localhost
       • In vSphere 6.0 Update 3, provide the Host Name with the same case as in the previous Machine SSL certificate when generating the CSR.
       • The files created will be named vmca_issued_csr.csr and vmca_issued_key.key.
  6. Provide the vmca_issued_csr.csr to your Certificate Authority to generate a Machine SSL Certificate, and name the resulting file machine_name_ssl.cer. For more information, see Obtaining vSphere certificates from a Microsoft Certificate Authority (2112014).

    Note: For more information on allowing WinSCP connections to a vCenter Server 6.x Appliance, see Error when uploading files to vCenter Server Appliance using WinSCP (2107727).
  7. Return to the vSphere 6.x Certificate Manager and select Option 1 (Continue to importing Custom certificate(s) and key(s) for Machine SSL certificate).

     Note: If you are using a chain of Intermediate CA and Root CA, see Replacing certificates using vSphere 6.0 Certificate Manager fails at 0% with the error: Operation failed, performing automatic rollback (2111571) before proceeding.
  8. Provide the full path to machine_name_ssl.cer and vmca_issued_key.key from Step 5 and the CA certificate Root64.cer.

     Note: If you have one or more intermediate certificate authorities, Root64.cer should be a chain of all intermediate CA and Root CA certificates, and machine_name_ssl.cer should be the full chain: certificate + intermediate(s) + root.

     The machine_name_ssl.cer should be a complete chain file similar to:

         -----BEGIN CERTIFICATE-----
         <base64 body of the Machine SSL certificate>
         -----END CERTIFICATE-----
         -----BEGIN CERTIFICATE-----
         <base64 body of the Intermediate certificate>
         -----END CERTIFICATE-----
         -----BEGIN CERTIFICATE-----
         <base64 body of the Root certificate>
         -----END CERTIFICATE-----

     For example:

     vCenter Server Appliance:
         Provide a valid custom certificate for Machine SSL.
         File : /tmp/ssl/machine_name_ssl.cer

         Provide a valid custom key for Machine SSL.
         File : /tmp/ssl/machine_name_ssl.key

         Provide the signing certificate of the Machine SSL certificate.
         File : /tmp/ssl/Root64.cer

     Windows vCenter Server:
         Provide a valid custom certificate for Machine SSL.
         File : C:\ssl\machine_name_ssl.cer

         Provide a valid custom key for Machine SSL.
         File : C:\ssl\machine_name_ssl.key

         Provide the signing certificate of the Machine SSL certificate.
         File : C:\ssl\Root64.cer

  9. Answer Yes (Y) to the confirmation request to proceed.

     Notes:
     • When Certificate Manager prompts for the VMCA Name, enter the name of the Root certificate (that is, the Common Name of the issuing CA certificate).
     • This task replaces the Machine SSL certificate with a Custom CA Signed Certificate.
     • This certificate is not issued by VMCA; it is issued by an external Certificate Authority.
     • If you are running an external Platform Services Controller (deprecated in 6.7.x), you will need to restart the services on the external vCenter Server 6.x first and then proceed with replacing the Machine SSL certificate of the vCenter Server 6.x.
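As an added example (not part of the KB article or of VMware's tooling), a POSIX shell helper that assembles the two files Certificate Manager asks for in step 8 and checks them with the openssl CLI before the import, so a wrong chain order, a mismatched key or a missing PNID in the SAN is caught here rather than by the rollback mentioned in step 7. The file names follow the article; the function names, the argument layout (intermediates listed leaf-side first) and the use of openssl are assumptions.

```shell
#!/bin/sh
# Added example (not from the KB article): assemble the two files that
# Certificate Manager asks for in step 8 and check them before importing,
# so a bad chain is caught here instead of by the rollback in step 7.
#   machine_name_ssl.cer = Machine SSL cert + intermediate(s) + root
#   Root64.cer           = intermediate(s) + root
# Requires the openssl CLI; function names and arguments are assumptions.

# Number of PEM certificate blocks in a file (one per BEGIN/END pair).
pem_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# build_chain OUTDIR LEAF ROOT [INTERMEDIATE ...]
# Intermediates are listed leaf-side first (issuing CA before its parent).
build_chain() {
    outdir=$1; leaf=$2; root=$3; shift 3
    for f in "$leaf" "$root" "$@"; do
        [ "$(pem_count "$f")" -ge 1 ] || { echo "not a PEM certificate: $f" >&2; return 1; }
    done
    # Root64.cer: every intermediate CA followed by the root CA.
    cat "$@" "$root" > "$outdir/Root64.cer" || return 1
    # machine_name_ssl.cer: the full chain, starting with the leaf.
    cat "$leaf" "$outdir/Root64.cer" > "$outdir/machine_name_ssl.cer"
}

# verify_chain DIR KEY PNID
# 1. the leaf validates against Root64.cer (chain order and issuers are right),
# 2. the private key belongs to the leaf certificate,
# 3. the SAN contains the PNID reported by vmafd-cli get-pnid (exact case).
verify_chain() {
    dir=$1; key=$2; pnid=$3
    cert="$dir/machine_name_ssl.cer"
    openssl verify -CAfile "$dir/Root64.cer" "$cert" >/dev/null || return 1
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "private key does not match certificate" >&2; return 1; }
    pat=$(printf '%s' "$pnid" | sed 's/\./\\./g')   # escape dots for grep -E
    openssl x509 -in "$cert" -noout -text | grep -Eq "DNS:$pat"'(,|$)' \
        || { echo "SAN does not contain PNID $pnid" >&2; return 1; }
}
```

Typical use on the appliance: `build_chain /tmp/ssl machine.cer root.cer issuing-ca.cer && verify_chain /tmp/ssl vmca_issued_key.key "$(/usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost)"` before starting step 7.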

Original source: https://kb.vmware.com/s/article/2112277
