I recently put this together for a customer of mine and figured I’d put it here for archival purposes and maybe some of you can use it as a full walkthrough of replacing vCenter, PSC, and ESXi host certificates with custom (non-VMCA) certificates from an external CA.
Nothing in here is new or revolutionary, but it’s all in one place and could be handed to a level 1 engineer to complete, as we did.
Creating a new Microsoft Certificate Signing template for vSphere 6.x products
-
1. Connect to the CA server you will be generating the certificates from.
2. Click Start > Run, type certtmpl.msc and click OK.
3. In the Certificate Template Console, under Template Display Name, right-click Web Server and click Duplicate Template.
4. In the Duplicate Template window, select Windows Server 2008 Enterprise.
5. Click the General tab.
6. In the Template display name field, enter VMware vSphere as the name of the new template.
7. Click the Extensions tab.
8. Select Application Policies and click Edit.
9. Select Server Authentication and click Remove, then OK.
Note: If Client Authentication exists, remove this from Application Policies as well.
10. Select Key Usage and click Edit.
11. Select the Signature is proof of origin (nonrepudiation) option. Leave all other options as default.
12. Click OK.
13. Click the Subject Name tab.
14. Ensure that the Supply in the request option is selected.
15. Click OK to save the template.
16. Click Start > Run, type certsrv.msc, and click OK.
17. In the left pane of the Certificate Console, if collapsed, expand the node by clicking the + icon.
18. Right-click Certificate Templates and click New > Certificate Template to Issue.
19. Locate the VMware vSphere template under the Name column.
20. Click OK.
Generating a Certificate Signing Request (CSR) file for vCenter Appliance and PSC
-
1. Use PuTTY to SSH into your vCenter Appliance by IP or FQDN.
2. Log in with username root and supply the password.
3. Type shell and hit Enter
4. Type cd /usr/lib/vmware-vmca/bin/ and hit Enter
5. Type ./certificate-manager and hit Enter
6. Select option 1, then Y, and supply the SSO administrator username and password.
7. Fill out each question with the appropriate information for your department and organization
8. Select 1 Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate
9. Type /tmp for Output directory path and hit Enter
10. After completion, select 2 (Exit certificate-manager).
11. Type more /tmp/vmca_issued_csr.csr and hit Enter
12. Copy everything in the output, including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines, into a text file on your desktop.
Obtain certificate from Microsoft Certificate Authority
-
1. Log in to the Microsoft CA certificate authority Web interface. By default, it is http://CA_server_FQDN/CertSrv/.
2. Click the Request a certificate (.csr) link.
3. Click advanced certificate request.
4. Click the Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file link.
5. Open the certificate request from the previous step and copy from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST----- into the Saved Request box.
6. Select the VMware vSphere template.
7. Click Submit to submit the request
8. Click Base 64 encoded on the Certificate issued screen
9. Click the Download Certificate link
10. Save the certificate as vcenter.crt
Obtain and Create CA Cert Chain from Microsoft Certificate Authority
-
1. Log in to the Microsoft CA certificate authority Web interface (by default http://CA_server_FQDN/CertSrv) and click Download a CA certificate, certificate chain or CRL.
2. Select the Base 64 option.
3. Click the Download CA Certificate chain link.
4. Save the certificate chain as cachain.p7b
5. Double-click the cachain.p7b file to open it in the Certificate Manager.
6. Navigate to cachain.p7b > Certificates.
7. Right-click the Root certificate listed and click All Actions > Export.
8. Click Next.
9. Select Base-64 encoded X.509 (.CER), and then click Next
10. Save the export as Root64.cer and click Next.
11. Click Finish
12. Repeat steps 7-11 for the Intermediate CA certificates and save them as Int1.cer and Int2.cer as appropriate.
13. Click Start > Run, type cmd and hit Enter.
14. Type cd C:\path\to\saved\certs and hit Enter.
15. Run type Int1.cer Int2.cer Root64.cer > cachain.cer and hit Enter (the type command concatenates the files: intermediates first, root last).
Replacing Certificate on vCenter/PSC Server
-
1. Use PuTTY to SSH into your vCenter Appliance by IP or FQDN.
2. Log in with username root and supply the password.
3. Type shell and hit Enter
4. Type cd /usr/lib/vmware-vmca/bin/ and hit Enter
5. Open cachain.cer in Notepad, select all text (Ctrl+A) and copy.
6. In PuTTY, type vi /tmp/Root64.cer, hit i, then right-click to paste (you should see your cachain.cer contents appear), hit Escape, type :wq and hit Enter.
7. Open vcenter.crt in Notepad, select all text (Ctrl+A) and copy.
8. In PuTTY, type vi /tmp/vcenter.cer, hit i, then right-click to paste (you should see your vcenter.crt contents appear), hit Escape, type :wq and hit Enter.
9. Type cat /tmp/vcenter.cer /tmp/Root64.cer > /tmp/machine.cer and hit Enter (use the full paths, since the current directory is still /usr/lib/vmware-vmca/bin/).
10. Type ./certificate-manager and hit Enter
11. Select option 1 (Replace Machine SSL certificate with Custom Certificate).
12. Provide the SSO administrator username and password.
13. Select option 2 (Import custom certificate(s) and key(s) to replace existing Machine SSL certificate).
14. Type /tmp/machine.cer and hit Enter.
15. Type /tmp/vmca_issued_key.key and hit Enter.
16. Type /tmp/Root64.cer and hit Enter.
17. Type Y to confirm.
18. Verify success by opening the vSphere Web Client and confirming that the browser's SSL lock is now green and the certificate shows as valid.
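An added example for the chain and import steps above (my own shell script, not code from the original post): it assembles machine.cer from the files already in /tmp and, before certificate-manager is run, checks that the bundle is well-formed, that the leaf chains to the CA file and that it matches vmca_issued_key.key. Function names are my own; openssl is assumed to be on the appliance.

```shell
#!/bin/sh
# Added example, not code from the original post: assemble the combined
# machine certificate as steps 5-9 above do, then check it before
# certificate-manager imports it. Assumes the PEM files are in /tmp as above.
set -eu

# Count PEM certificate blocks in a file (pure shell, no openssl needed).
pem_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Concatenate certificate files in the order given (leaf first, root last)
# and print the result. A file without a trailing newline would fuse its END
# marker with the next BEGIN marker, a common reason a pasted chain fails to load.
build_chain() {
    for f in "$@"; do
        cat "$f"
        [ -z "$(tail -c1 "$f")" ] || echo
    done
}

# check_chain COMBINED CAFILE KEY
#  1) every BEGIN marker has an END marker and there is more than one block;
#  2) if openssl is installed: the leaf (first block) verifies against CAFILE
#     and its public key matches KEY (vmca_issued_key.key from the CSR step).
check_chain() {
    combined=$1 cafile=$2 key=$3
    begins=$(pem_count "$combined")
    ends=$(grep -c -- '-----END CERTIFICATE-----' "$combined" || true)
    if [ "$begins" -lt 2 ] || [ "$begins" -ne "$ends" ]; then
        echo "malformed PEM bundle: $begins BEGIN / $ends END markers" >&2
        return 1
    fi
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found: structural check only" >&2
        return 0
    fi
    # 'openssl verify' and 'openssl x509' read only the first block, the leaf.
    # Matching ': OK' covers old releases whose verify exit status is always 0.
    openssl verify -CAfile "$cafile" "$combined" 2>/dev/null | grep -q ': OK$' ||
        { echo "leaf certificate does not chain to $cafile" >&2; return 1; }
    cert_pub=$(openssl x509 -in "$combined" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "certificate public key does not match $key" >&2; return 1; }
}
# On the appliance:
#   build_chain /tmp/vcenter.cer /tmp/Root64.cer > /tmp/machine.cer
#   check_chain /tmp/machine.cer /tmp/Root64.cer /tmp/vmca_issued_key.key
```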
Generating a Certificate Signing Request (CSR) file for ESXi Host(s)
-
1. Log into the ESXi host through your web browser using https://IP_or_FQDN/ui
2. Enter root and the password
3. Click Manage > Services > TSM-SSH and click Start
4. Open PuTTY and log into the host via FQDN or IP.
5. Type vi /tmp/openssl.cfg, hit i, then right-click to paste in the following, replacing the example values with your organization's information:
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
# prompt = no makes openssl take every value below from this file instead of asking for it
prompt = no
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = Virginia
localityName = Annandale
0.organizationName = VMware
organizationalUnitName = IT
commonName = esxi01.local
emailAddress = email@local.com
-
6. Hit Escape, type :wq and hit Enter.
7. Type cd /tmp/ and hit Enter.
8. Type openssl req -new -nodes -out rui.csr -keyout rui-orig.key -config /tmp/openssl.cfg and hit Enter.
9. Type openssl rsa -in rui-orig.key -out rui.key and hit Enter.
10. Type more /tmp/rui.csr and hit Enter.
11. Copy everything in the output, including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines, into a text file on your desktop.
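An added example for steps 5-10 above (my own script, not the post's config): it writes the host's openssl.cfg non-interactively (prompt = no) and adds a subjectAltName, which current browsers require and which the Microsoft CA takes from the request because the template's Subject Name is set to Supply in the request (step 14 of the template section), then generates rui.key and rui.csr under the same names as the walkthrough and checks them before they go to the CA. Function names and organisation values are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post: write the host's openssl.cfg
# and generate rui.key / rui.csr non-interactively, adding the subjectAltName
# that current browsers require (the config above has none), then check the
# CSR before it goes to the CA. Organisation values are constructed placeholders.
set -eu

# write_esxi_cfg HOSTFQDN OUTFILE -- emit an openssl.cfg for the host.
write_esxi_cfg() {
    fqdn=$1
    short=${fqdn%%.*}   # first label (e.g. esxi01), offered as a second SAN
    cat > "$2" <<EOF
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = DNS:$fqdn, DNS:$short

[ req_distinguished_name ]
countryName = US
stateOrProvinceName = Virginia
localityName = Annandale
0.organizationName = VMware
organizationalUnitName = IT
commonName = $fqdn
EOF
}

# make_esxi_csr HOSTFQDN DIR -- same file names as steps 5-9 above; returns
# non-zero if the CSR lacks the FQDN as CN or SAN, or does not match rui.key.
make_esxi_csr() {
    fqdn=$1 dir=$2
    write_esxi_cfg "$fqdn" "$dir/openssl.cfg"
    openssl req -new -nodes -config "$dir/openssl.cfg" \
        -keyout "$dir/rui-orig.key" -out "$dir/rui.csr" 2>/dev/null
    # same conversion as step 9 above (re-emits the key with 'openssl rsa')
    openssl rsa -in "$dir/rui-orig.key" -out "$dir/rui.key" 2>/dev/null
    openssl req -in "$dir/rui.csr" -noout -subject | grep -q "CN *= *$fqdn" || return 1
    openssl req -in "$dir/rui.csr" -noout -text | grep -q "DNS:$fqdn" || return 1
    [ "$(openssl req -in "$dir/rui.csr" -noout -pubkey)" = \
      "$(openssl pkey -in "$dir/rui.key" -pubout)" ]
}

# make_esxi_csr esxi01.local /tmp   # then submit /tmp/rui.csr as in the next section
```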
Obtain certificate from Microsoft Certificate Authority
-
1. Log in to the Microsoft CA certificate authority Web interface. By default, it is http://CA_server_FQDN/CertSrv/.
2. Click the Request a certificate (.csr) link.
3. Click advanced certificate request.
4. Click the Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file link.
5. Open the certificate request from the previous step and copy from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST----- into the Saved Request box.
6. Select the VMware vSphere template.
7. Click Submit to submit the request.
8. Click Base 64 encoded on the Certificate issued screen.
9. Click the Download Certificate link.
10. Save the certificate as host01.crt.
Change the Certificate Mode of vCenter
-
1. Log into vCenter through the web client.
2. Click Settings > Advanced Settings, and click Edit.
3. In the Filter box, enter certmgmt to display only certificate management keys.
4. Change the value of vpxd.certmgmt.mode to custom.
5. Restart the vCenter Server service by logging in to the appliance management interface at https://vCenter:5480.
Replace ESXi Certificates
-
1. Log in to vCenter Server with the web client.
2. Put the host into Maintenance Mode.
3. Using PuTTY, log in to the host.
4. Type cd /etc/vmware/ssl and hit Enter.
5. Type mv rui.key rui.key.bak and hit Enter.
6. Type mv rui.crt rui.crt.bak and hit Enter.
7. Type cp /tmp/rui.key . and hit Enter.
8. Type vi rui.crt and hit Enter.
9. Open host01.crt in Notepad, select all text (Ctrl+A) and copy.
10. In PuTTY, hit i, then right-click to paste (you should see your host01.crt contents appear), hit Escape, type :wq and hit Enter.
11. Type services.sh restart and hit Enter.
12. Exit the host from Maintenance Mode.