vSphere 6.5 vCenter Appliance – Replacing Certificates

KB ID 0001194

Problem

In vSphere 5 and earlier versions this was not a ‘fun’ job at all, many times I sat down to do it, and lost the will to live. Now there’s a nice new tool built into vCenter that does ‘most’ of the hard work for you. Here I’m using the vCenter appliance but the tool is also available on the Windows version.

For my certificates I’m using Microsoft Certificate Services. I’m going to issue a ‘Subordinate CA’ certificate to my vCenter Appliance, then it can issue signed certificates to each of its services.

Solution

Make sure you have published a ‘Subordinate Certification Authority’ certificate template.

sub ca cert template

Connect the the vCenter appliance using SSH and enable ‘shell’

shell.set --enabled True
shell

vCenter enable shell access

Create a directory to store our certificates and requests in, then launch the certification-manager tool.

mkdir /root/SSLCerts
/usr/lib/vmware-vmca/bin/certificate-manager

vCenter CA Manager

The app will launch, and present you with a bunch of options.

vCenter Appliance CA Manager

Select option 2 > No we don’t want to use the configuration file > enter your logon information, (administrator@vsphere.local and password)  > Enter all the items required for the certificate request.

vCenter Create CSR

Choose option 1 (Generate Certificate signing request)  > Specify the folder you created above, (/root/SSLCerts) > Two files will be generated > Enter ‘2’ to exit.

The files;

vCenter 6.5

  • vmca_issued_key.key (the private key)
  • vmca_issued_csr.csr (the request)

vCenter 6.0.0

  • root_signing_cert.key (the private key)
  • root_signing_cert.csr (the request)

vCenter Create Private Key and CSR

Now we need to get the CSR (signing request).

cat /root/SSLCerts/vmca_issued_csr.csr
OR
cat /root/SSLCerts/root_signing_cert.csr

vCenter Show CSR

Copy the certificate PEM file.

vCenter Cat and Copy CSR

Open the web enrolment portal of your certificate services server, (https://server.domain.com/certsrv) > Request a certificate > Advanced Certificate Request > Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file > Paste in the PEM text  > Remember to use the Subordinate Certificate Authority template > Submit.

vCenter Certificate Services

Base 64 Encoded > Download Certificate  > Save it somewhere you can find it, and give it a sensible name!

vCenter Sub CA Cert

Now download the Base 64 version of your CA certificate from the main page of your certificate services website, (press ‘back’ a few times).

vCenter Download WIndows CA Cert

Now back in your SSH session, change to your SSLCerts directory, and create an ’empty’ file to paste our certificate information into.

cd /root/SSLCerts/
touch vmca_signing_cert.cer
vi vmca_signing_cert.cer

vCenter Appliance Import Certificate copy

Open the certificate for the vCenter Appliance in a text editor, and PASTE IN BELOW it, the text from the Root-CA certificate. Then copy ALL the text to the clipboard, and go back to the SSH session.

vCenter Certificate CER chain

Paste the text you have coped into the open ‘vi editor’ page (Press I, then P) > Save and Exit (Press Esc > :wq {enter})

If you ‘ls’ (thats list short, or dir if you are a Windows type), you will see you now have a .CSR, a .KEY and a .CER file. (the names of which vary between version 6 and 6.5).

Version 6.5

6.5 vCenter Certificates

Version 6.0


vCenter Appliance Create Certificate File

Launch the certificate-manager application again > Option 2 again > No (again) > Login (again) > ‘N’ > Option 2 (Import custom certificate(s))  > Give it the path to the certificate file > Then the path to the key file.

vCenter Appliance Import Certificate and Key

Yes we want to replace the certificates.

vCenter Appliance Replace Certificates

Go get a coffee, this will take a while.

vCenter Appliance Windows Sub CA

Thats vCenter done.

vCenter Self Signed Cert

Next we will concentrate on the ESX hosts

 VMware ESXi6 – Replacing the Default Certificates

Related Articles, References, Credits, or External Links

Original Article Written 25/05/16

Author: PeteLong

Share This Post On

4 Comments

  1. Wonderful post. Thanks for that. I followed your procedure but… Although my CA Authority template is set to 6 years, VCenter certificate expiration shows only 2 years. Is there any way to change this? It would be annoying to do the same every 2 years.
    Thanks in advance.

    Post a Reply
    • Sounds like a Microsoft CA? you need to change it there, it’s on there, its on the properties of the SubCA certificate template.

      Post a Reply
    • The MS CA template needs updating and then re-publishing. I set mine to 5 years, then published it, then created the certificate. All good.

      Post a Reply
  2. One thing to clarify is with a 2 tier MS PKI,, at the copy steps, you have your vCenter Subordinate CA, then you need to paste in your Issuing CA details, then underneath that, the Root CA. It needs the complete certificate chain. When I followed these steps as is, it rolled back because I was missing part of the chain.

    Its not a big deal if you know PKI, but can be confusing to new users.

    Post a Reply

Leave a Reply to Matt Cancel reply

Your email address will not be published. Required fields are marked *