vSphere 6 vCenter Appliance – Replacing Certificates


KB ID 0001194 Dtd 25/05/16

Problem

In vSphere 5 and earlier versions this was not a 'fun' job at all; many times I sat down to do it and lost the will to live. Now there is a tool built into vCenter (certificate-manager) that does most of the hard work for you. Here I'm using the vCenter appliance, but the tool is also available on the Windows version of vCenter.

For my certificates I'm using Microsoft Certificate Services. I'm going to issue a 'Subordinate CA' certificate to my vCenter appliance, so that its built-in VMware Certificate Authority (VMCA) becomes a subordinate of my Windows CA and can issue signed certificates to each of its services. Bear in mind what that means: every certificate VMCA issues from then on is trusted by anything that trusts your enterprise root, so the appliance is now holding a CA private key and should be looked after accordingly.


Solution

Make sure you have published a 'Subordinate Certification Authority' certificate template on your issuing CA, and that the account you will submit the request with has Enroll permission on it (otherwise the template will not appear in the web enrolment template list later).

sub ca cert template

Connect to the vCenter appliance using SSH and enable 'shell', then type shell to drop into the Bash shell.

shell.set --enabled True

vCenter enable shell access

Take a snapshot of the appliance before you go any further; the replacement restarts the vCenter services and you want a way back if it goes wrong. Then create a directory to store our certificates and requests in, and launch the certificate-manager tool.

mkdir /root/SSLCerts
/usr/lib/vmware-vmca/bin/certificate-manager

vCenter CA Manager

The app will launch, and present you with a bunch of options.

vCenter Appliance CA Manager

Select option 2 (Replace VMCA Root certificate with Custom Signing Certificate and replace all Certificates) > No, we don't want to use the configuration file > enter your logon information (administrator@vsphere.local and its password) > enter all the items required for the certificate request (country, organisation, hostname and so on; the hostname should be the FQDN of the appliance).

vCenter Create CSR

Choose option 1 (Generate Certificate Signing Request(s) and Key(s)) > specify the folder you created above (/root/SSLCerts) > two files will be generated > enter '2' to exit.

The files:

  • root_signing_cert.key (the private key; this is the key VMCA will sign with from now on, so it should never leave the appliance)
  • root_signing_cert.csr (the request)

vCenter Create Private Key and CSR

Now we need to get the CSR (signing request).

cat /root/SSLCerts/root_signing_cert.csr


vCenter Show CSR

Copy the PEM text of the CSR, including the BEGIN and END lines.

vCenter Cat and Copy CSR

Open the web enrolment portal of your certificate services server (https://server.domain.com/certsrv) > Request a certificate > Advanced Certificate Request > Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file > paste in the PEM text > remember to select the Subordinate Certification Authority template > Submit.

vCenter Certificate Services

Base 64 Encoded > Download Certificate > save it somewhere you can find it, and give it a sensible name! (If your CA is configured to require approval, the request will sit as pending until you issue it from the Certification Authority console.)

vCenter Sub CA Cert

Now download the Base 64 version of your CA certificate from the main page of your certificate services website (press 'back' a few times, then 'Download a CA certificate, certificate chain, or CRL'). If your issuing CA is itself subordinate to another CA, you need every certificate up to the root, not just the issuing CA's.

vCenter Download Windows CA Cert

Now back in your SSH session, change to your SSLCerts directory and create an 'empty' file to paste our certificate information into (cat will read from the terminal until you send it an end-of-file).

cd /root/SSLCerts/
cat > root_signing_cert.cer

vCenter Appliance Import Certificate copy

Open the certificate issued to the vCenter appliance in a text editor, and PASTE IN BELOW it the text from the Root CA certificate. The order matters: the vCenter (subordinate CA) certificate first, then its issuer; if there are intermediate CAs, each one follows the certificate it issued, ending with the root. Then copy ALL the text to the clipboard and go back to the SSH session.

vCenter Certificate CER chain

Paste in the text > press Ctrl+D (end-of-file) to close the file.

vCenter Create Certificate File

If you 'ls' (list the directory, or dir if you are a Windows type), you will see you now have a .CSR, a .KEY and a .CER file.

vCenter Appliance Create Certificate File
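Before handing those files to certificate-manager it is worth checking they are what the tool expects: the key must belong to the first certificate in the .CER file, that certificate must be a CA certificate (the Subordinate Certification Authority template sets CA:TRUE), and it must chain to the root you pasted underneath it. The script below is an added example (mine, not part of the original article and not VMware's tooling); it assumes the file names and directory used above and only needs the openssl and awk binaries. Its scratch file names (check_leaf.pem, check_issuers.pem) are my own choice.

```shell
#!/bin/sh
# Added example, not from the original article or from VMware: sanity-check the
# files certificate-manager is about to import.  Assumes the names used above:
#   DIR/root_signing_cert.key  private key generated by certificate-manager
#   DIR/root_signing_cert.cer  issued sub-CA cert, followed by its issuer(s) up to the root
# Needs only openssl and awk.
set -eu

# check_chain DIR
# Succeeds (returns 0) only when: the key matches the first certificate in the
# .cer file, that certificate is a CA certificate, and it verifies against the
# certificate(s) pasted below it.  Prints the reason and returns 1 otherwise.
check_chain() {
    dir=$1
    key="$dir/root_signing_cert.key"
    chain="$dir/root_signing_cert.cer"
    leaf="$dir/check_leaf.pem"          # scratch files, removed on success
    issuers="$dir/check_issuers.pem"

    [ -r "$key" ] && [ -r "$chain" ] || { echo "missing $key or $chain" >&2; return 1; }

    # First PEM block = the certificate issued to vCenter; everything after it
    # is treated as trusted issuer material for this check.
    awk '/-----BEGIN CERTIFICATE-----/ { n++ } n == 1' "$chain" | tr -d '\r' > "$leaf"
    awk '/-----BEGIN CERTIFICATE-----/ { n++ } n >= 2' "$chain" | tr -d '\r' > "$issuers"
    [ -s "$leaf" ]    || { echo "no certificate found in $chain" >&2; return 1; }
    [ -s "$issuers" ] || { echo "no issuer certificate pasted below the vCenter certificate" >&2; return 1; }

    # 1. Private key and certificate must be a pair (compare the public keys).
    cert_pub=$(openssl x509 -in "$leaf" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "root_signing_cert.key does not match the first certificate (wrong order or wrong key?)" >&2; return 1; }

    # 2. It must be a CA certificate, or VMCA cannot sign with it (wrong template?).
    openssl x509 -in "$leaf" -noout -text | grep -q 'CA:TRUE' \
        || { echo "first certificate is not a CA certificate; check the template" >&2; return 1; }

    # 3. It must chain to what was pasted underneath it.
    openssl verify -CAfile "$issuers" "$leaf" >/dev/null 2>&1 \
        || { echo "certificate does not verify against the pasted issuer chain" >&2; return 1; }

    rm -f "$leaf" "$issuers"
    echo "OK: key matches certificate, certificate is a CA, chain verifies"
}

# Usage: sh check_chain.sh /root/SSLCerts
if [ $# -ge 1 ]; then
    check_chain "$1"
fi
```

The most common mistake this catches is the chain file pasted in the wrong order (root first), which shows up as the key not matching the first certificate. After the replacement has finished, the same idea applies to what vCenter actually serves: connecting to the appliance on port 443 with openssl s_client and -showcerts should return a machine certificate issued by the VMCA name you entered, chaining up to your Windows root.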

Launch the certificate-manager application again > option 2 again > No (again) > log in (again) > 'N' > option 2 (Import custom certificate(s) and key(s)) > give it the path to the certificate chain file (/root/SSLCerts/root_signing_cert.cer) > then the path to the key file (/root/SSLCerts/root_signing_cert.key).

vCenter Appliance Import Certificate and Key

Yes we want to replace the certificates.

vCenter Appliance Replace Certificates

Go get a coffee, this will take a while: the tool replaces the VMCA root, re-issues the certificates for each of the vCenter services and restarts them.

vCenter Appliance Windows Sub CA

That's vCenter done. Once it has finished, the copies in /root/SSLCerts are no longer needed; VMCA keeps its own copy of the key, so delete root_signing_cert.key from there rather than leaving a CA private key lying in root's home directory. Anything that was told to trust the old self-signed vCenter certificate (browsers, the vSphere Client, backup tools, PowerCLI sessions) now needs to trust your Windows CA root instead, and ESXi hosts that already hold certificates from the old VMCA root keep them until they are renewed, which is what the next article covers.

vCenter Self Signed Cert

Next we will concentrate on the ESXi hosts:

VMware ESXi6 – Replacing the Default Certificates

Related Articles, References, Credits, or External Links

NA

Author: PeteLong
