vSphere 6.5 vCenter Appliance – Replacing Certificates

KB ID 0001194

Problem

In vSphere 5 and earlier versions this was not a ‘fun’ job at all, many times I sat down to do it, and lost the will to live. Now there’s a nice new tool built into vCenter that does ‘most’ of the hard work for you. Here I’m using the vCenter appliance but the tool is also available on the Windows version.

For my certificates I’m using Microsoft Certificate Services. I’m going to issue a ‘Subordinate CA’ certificate to my vCenter Appliance, then it can issue signed certificates to each of its services.

Solution

Make sure you have published a ‘Subordinate Certification Authority’ certificate template.

Connect the the vCenter appliance using SSH and enable ‘shell’

[box]

shell.set --enabled True
shell

[/box]

Create a directory to store our certificates and requests in, then launch the certification-manager tool.

[box]

mkdir /root/SSLCerts
/usr/lib/vmware-vmca/bin/certificate-manager

[/box]

The app will launch, and present you with a bunch of options.

Select option 2 > No we don’t want to use the configuration file > enter your logon information, (administrator@vsphere.local and password)  > Enter all the items required for the certificate request.

Choose option 1 (Generate Certificate signing request)  > Specify the folder you created above, (/root/SSLCerts) > Two files will be generated > Enter ‘2’ to exit.

The files;

vCenter 6.5

  • vmca_issued_key.key (the private key)
  • vmca_issued_csr.csr (the request)

vCenter 6.0.0

  • root_signing_cert.key (the private key)
  • root_signing_cert.csr (the request)

Now we need to get the CSR (signing request).

[box]

cat /root/SSLCerts/vmca_issued_csr.csr
OR
cat /root/SSLCerts/root_signing_cert.csr

[/box]

Copy the certificate PEM file.

Open the web enrolment portal of your certificate services server, (https://server.domain.com/certsrv) > Request a certificate > Advanced Certificate Request > Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file > Paste in the PEM text  > Remember to use the Subordinate Certificate Authority template > Submit.

Base 64 Encoded > Download Certificate  > Save it somewhere you can find it, and give it a sensible name!

Now download the Base 64 version of your CA certificate from the main page of your certificate services website, (press ‘back’ a few times).

Now back in your SSH session, change to your SSLCerts directory, and create an ’empty’ file to paste our certificate information into.

[box]

cd /root/SSLCerts/
touch vmca_signing_cert.cer
vi vmca_signing_cert.cer

[/box]

Open the certificate for the vCenter Appliance in a text editor, and PASTE IN BELOW it, the text from the Root-CA certificate. Then copy ALL the text to the clipboard, and go back to the SSH session.

Paste the text you have coped into the open ‘vi editor’ page (Press I, then P) > Save and Exit (Press Esc > :wq {enter})

If you ‘ls’ (thats list short, or dir if you are a Windows type), you will see you now have a .CSR, a .KEY and a .CER file. (the names of which vary between version 6 and 6.5).

Version 6.5

Version 6.0


Launch the certificate-manager application again > Option 2 again > No (again) > Login (again) > ‘N’ > Option 2 (Import custom certificate(s))  > Give it the path to the certificate file > Then the path to the key file.

Yes we want to replace the certificates.

Go get a coffee, this will take a while.

Thats vCenter done.

Next we will concentrate on the ESX hosts

 VMware ESXi6 – Replacing the Default Certificates

Related Articles, References, Credits, or External Links

Original Article Written 25/05/16