Custom Certificate Replacement Guide

I recently put this together for a customer of mine and figured I’d put it here for archival purposes and maybe some of you can use it as a full walkthrough of replacing vCenter, PSC, and ESXi host certificates with custom (non-VMCA) certificates from an external CA.

Nothing in here is new or revolutionary, but it’s all in one place and could be handed to a level 1 engineer to complete, as we did.

Creating a new Microsoft Certificate Signing template for vSphere 6.x products

    1. Connect to the CA server you will be generating the certificates from.
    2. Click Start > Run, type certtmpl.msc and click OK.
    3. In the Certificate Template Console, under Template Display Name, right-click Web Server and click Duplicate Template.
    4. In the Duplicate Template window, select Windows Server 2008 Enterprise.
    5. Click the General tab.
    6. In the Template display name field, enter VMware vSphere as the name of the new template.
    7. Click the Extensions tab.
    8. Select Application Policies and click Edit.
    9. Select Server Authentication and click Remove, then OK.

    Note: If Client Authentication exists, remove this from Application Policies as well.

    10. Select Key Usage and click Edit.
    11. Select the Signature is proof of origin (nonrepudiation) option. Leave all other options as default.
    12. Click OK.
    13. Click the Subject Name tab.
    14. Ensure that the Supply in the request option is selected.
    15. Click OK to save the template.
    16. Click Start > Run, type certsrv.msc, and click OK
    17. In the left pane of the Certificate Console, if collapsed, expand the node by clicking the + icon
    18. Right-click Certificate Templates and click New > Certificate Template to Issue
    19. Locate VMware vSphere template under the Name column
    20. Click OK

Generating a Certificate Signing Request (CSR) file for vCenter Appliance and PSC

    1. Use Putty to SSH into your vCenter Appliance by IP or FQDN.
    2. Log in with username root and supply the password
    3. Type shell and hit Enter
    4. Type cd /usr/lib/vmware-vmca/bin/ and hit Enter
    5. Type ./certificate-manager and hit Enter
    6. Select 1 and then Y and supply the SSO administrator username and password
    7. Fill out each question with the appropriate information for your department and organization
    8. Select 1 Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate
    9. Type /tmp for Output directory path and hit Enter
    10. After completion, Select 2. Exit certificate-manager
    11. Type more /tmp/vmca_issued_csr.csr and hit Enter
    12. Copy everything that is output, including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines, into a text file on your desktop


Obtain certificate from Microsoft Certificate Authority

    1. Log in to the Microsoft CA certificate authority Web interface. By default, it is http://CA_server_FQDN/CertSrv/.
    2. Click the Request a certificate (.csr) link.
    3. Click advanced certificate request.
    4. Click the Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file link.
    5. Open the certificate request from the previous step and copy from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST----- into the Saved Request box.
    6. Select the VMware vSphere template.
    7. Click Submit to submit the request
    8. Click Base 64 encoded on the Certificate issued screen
    9. Click the Download Certificate link
    10. Save the certificate as vcenter.crt

Obtain and Create CA Cert Chain from Microsoft Certificate Authority

    1. Log in to the Microsoft CA certificate authority Web interface (by default, http://CA_server_FQDN/CertSrv/) and click Download a CA certificate, certificate chain, or CRL.
    2. Select the Base 64 option.
    3. Click the Download CA Certificate chain link.
    4. Save the certificate chain as cachain.p7b
    5. Double-click the cachain.p7b file to open it in the Certificate Manager.
    6. Navigate to cachain.p7b > Certificates.
    7. Right-click the Root certificate listed and click All Actions > Export.
    8. Click Next.
    9. Select Base-64 encoded X.509 (.CER), and then click Next
    10. Save the export as Root64.cer and click Next.
    11. Click Finish
    12. Repeat steps 7-11 for the Intermediate CA certificates and save them as Int1.cer and Int2.cer as appropriate
    13. Click Start > Run > cmd and hit Enter
    14. Type cd C:\path\to\saved\certs
    15. Type type Int1.cer Int2.cer Root64.cer > cachain.cer and hit Enter. The order matters: the intermediate that issued your certificate comes first and the root comes last; omit Int2.cer if your CA has only one intermediate.

Replacing Certificate on vCenter/PSC Server

    1. Use Putty to SSH into your vCenter Appliance by IP or FQDN.
    2. Log in with username root and supply the password
    3. Type shell and hit Enter
    4. Type cd /usr/lib/vmware-vmca/bin/ and hit Enter
    5. Open cachain.cer in Notepad and select all text (Ctrl+A) and copy
    6. In Putty, type vi /tmp/Root64.cer, hit i, right click (you should see your cachain.cer information paste in), hit Escape, then type :wq and hit Enter
    7. Open vcenter.crt in Notepad and select all text (Ctrl+A) and copy
    8. In Putty, type vi /tmp/vcenter.cer, hit i, right click (you should see your vcenter.crt information paste in), hit Escape, then type :wq and hit Enter
    9. Type cat /tmp/vcenter.cer /tmp/Root64.cer > /tmp/machine.cer and hit Enter (the files were written to /tmp in the previous steps, not to the certificate-manager directory you are in)
    10. Type ./certificate-manager and hit Enter
    11. Select Option 1. (Replace Machine SSL certificate with Custom Certificate)
    12. Provide SSO administrator username and password.
    13. Select Option 2. Import custom certificate(s) and key(s) to replace existing Machine SSL certificate
    14. Type /tmp/machine.cer and hit Enter
    15. Type /tmp/vmca_issued_key.key and hit Enter
    16. Type /tmp/Root64.cer and hit Enter
    17. Type Y to confirm
    18. Verify success by navigating to the vSphere Web Client and confirming SSL lock is now green and valid
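Before step 10 hands the files in /tmp to certificate-manager, the bundle can be sanity-checked from the appliance shell. This is an added example, not part of the original post: it confirms that vcenter.cer chains to the root through the pasted chain (Root64.cer on the appliance, cachain.cer on your desktop), that vmca_issued_key.key belongs to that certificate, and that the certificate names the vCenter FQDN; the same function applies to an ESXi host's host01.crt and rui.key. It assumes openssl is on PATH; make_demo_pki builds a throwaway CA with constructed names so the script runs stand-alone.

```shell
#!/bin/sh
# Added example, not part of the original post. check_chain is the pre-flight test;
# make_demo_pki only builds a constructed root -> intermediate -> leaf so the script
# runs stand-alone (file names mirror the post's: vcenter.cer, Root64.cer, vmca_issued_key.key).

# check_chain LEAF CHAIN KEY FQDN -> 0 if the bundle is consistent, 1 otherwise.
check_chain() {
  leaf=$1 chain=$2 key=$3 fqdn=$4
  # 1. The leaf must build a path to a root using only the certificates in CHAIN
  #    (intermediates first, root last). A missing intermediate fails here.
  openssl verify -CAfile "$chain" "$leaf" >/dev/null 2>&1 \
    || { echo "FAIL: $leaf does not verify against $chain" >&2; return 1; }
  # 2. The private key handed to certificate-manager must belong to that leaf.
  [ "$(openssl x509 -in "$leaf" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] \
    || { echo "FAIL: $key does not match $leaf" >&2; return 1; }
  # 3. The leaf must name the host (CN or DNS SAN), or browsers keep warning.
  openssl x509 -in "$leaf" -noout -text | grep -Eqi "(CN ?= ?|DNS:)$fqdn([,[:space:]]|$)" \
    || { echo "FAIL: $leaf is not issued for $fqdn" >&2; return 1; }
  return 0
}

# make_demo_pki DIR: constructed demo CA for vcenter.example.test (not a real CA).
make_demo_pki() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'subjectAltName=DNS:vcenter.example.test\n' > "$d/leaf.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root" -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -extfile "$d/ca.ext" -out "$d/Root64.cer" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Int" -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/Root64.cer" -CAkey "$d/root.key" -CAcreateserial \
    -extfile "$d/ca.ext" -out "$d/Int1.cer" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=vcenter.example.test" \
    -keyout "$d/vmca_issued_key.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/Int1.cer" -CAkey "$d/int.key" -CAcreateserial \
    -extfile "$d/leaf.ext" -out "$d/vcenter.cer" 2>/dev/null
  cat "$d/Int1.cer" "$d/Root64.cer" > "$d/cachain.cer"   # same order as the post's `type` command
}

run_demo() {
  d=$(mktemp -d) && make_demo_pki "$d" || return 1
  check_chain "$d/vcenter.cer" "$d/cachain.cer" "$d/vmca_issued_key.key" vcenter.example.test \
    && echo "all checks passed: safe to hand $d/vcenter.cer + $d/cachain.cer to certificate-manager"
}
run_demo
```

Run it on the appliance as check_chain /tmp/vcenter.cer /tmp/Root64.cer /tmp/vmca_issued_key.key your.vcenter.fqdn; a FAIL on the first check almost always means the chain file is missing an intermediate or has the root first.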

Generating a Certificate Signing Request (CSR) file for ESXi Host(s)

    1. Log into the ESXi host through your web browser using https://IP_or_FQDN/ui
    2. Enter root and the password
    3. Click Manage > Services > TSM-SSH and click Start
    4. Open Putty and log into the host via FQDN or IP
    5. Type vi /tmp/openssl.cfg, hit i, and right click to paste in the following, replacing the sample values (US, Virginia, Annandale, VMware, IT, esxi01.local, email@local.com) with your organization's information:

[ req ]
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
countryName = US
countryName_default = US
stateOrProvinceName = Virginia
stateOrProvinceName_default = Virginia
localityName = Annandale
0.organizationName = VMware
0.organizationName_default = VMware
organizationalUnitName = IT
commonName = esxi01.local
emailAddress = email@local.com

    6. Hit Escape, :wq and Enter
    7. Type cd /tmp/ and Enter
    8. Type openssl req -new -nodes -out rui.csr -keyout rui-orig.key -config /tmp/openssl.cfg
    9. Type openssl rsa -in rui-orig.key -out rui.key
    10. Type more /tmp/rui.csr
    11. Copy everything that is output, including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines, into a text file on your desktop
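The config above works but prompts for every field and puts only the CN into the request. As an added example (not from the original post), here is the same CSR generated from a non-interactive config that also carries a subjectAltName, which is what browsers match the hostname against; it keeps the post's sample values, while the 2048-bit key size, the DNS/IP SAN entries and the IP 192.0.2.10 are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post. Writes the post's openssl.cfg in
# non-interactive form with a subjectAltName, generates rui.csr/rui.key as steps
# 8-9 above do, and checks the request. Hostname and IP below are constructed values.

# make_host_csr DIR FQDN IP -> writes DIR/openssl.cfg, DIR/rui.csr and DIR/rui.key
make_host_csr() {
  d=$1 fqdn=$2 ip=$3
  cat > "$d/openssl.cfg" <<EOF
[ req ]
prompt = no
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = Virginia
localityName = Annandale
0.organizationName = VMware
organizationalUnitName = IT
commonName = $fqdn
emailAddress = email@local.com
[ v3_req ]
subjectAltName = DNS:$fqdn, IP:$ip
EOF
  # Same commands as steps 8 and 9: -nodes leaves the key unencrypted, and the
  # openssl rsa pass re-encodes the key exactly as the post's step 9 does.
  openssl req -new -nodes -config "$d/openssl.cfg" -keyout "$d/rui-orig.key" -out "$d/rui.csr" 2>/dev/null \
    && openssl rsa -in "$d/rui-orig.key" -out "$d/rui.key" 2>/dev/null
}

# csr_names_host CSR FQDN IP -> 0 only if the request's SAN carries both names
csr_names_host() {
  txt=$(openssl req -in "$1" -noout -text) || return 1
  echo "$txt" | grep -q "DNS:$2" && echo "$txt" | grep -q "IP Address:$3"
}

d=$(mktemp -d)
make_host_csr "$d" esxi01.local 192.0.2.10 \
  && csr_names_host "$d/rui.csr" esxi01.local 192.0.2.10 \
  && echo "rui.csr written to $d: submit it through the CA web interface"
```
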

Obtain certificate from Microsoft Certificate Authority

    1. Log in to the Microsoft CA certificate authority Web interface. By default, it is http://CA_server_FQDN/CertSrv/.
    2. Click the Request a certificate (.csr) link.
    3. Click advanced certificate request.
    4. Click the Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file link.
    5. Open the certificate request from the previous step and copy from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST----- into the Saved Request box.
    6. Select the VMware vSphere template.
    7. Click Submit to submit the request
    8. Click Base 64 encoded on the Certificate issued screen
    9. Click the Download Certificate link
    10. Save the certificate as host01.crt

Change the Certificate Mode of vCenter

    1. Log into vCenter through the web client.
    2. Click Settings > Advanced Settings, and click Edit.
    3. In the Filter box, enter certmgmt to display only certificate management keys.
    4. Change the value of vpxd.certmgmt.mode to custom.
    5. Restart the vCenter Server service by logging into https://vCenter:5480

Replace ESXi Certificates

    1. Log in to vCenter Server with the web client.
    2. Put the host into Maintenance Mode.
    3. Using Putty, log in to the host
    4. Type cd /etc/vmware/ssl and hit Enter
    5. Type mv rui.key rui.key.bak and hit Enter.
    6. Type mv rui.crt rui.crt.bak and hit Enter
    7. Type cp /tmp/rui.key . and hit Enter
    8. Type vi rui.crt and hit Enter
    9. Open host01.crt in Notepad and select all text (Ctrl+A) and copy
    10. In Putty, hit i, right click (you should see your host01.crt information paste in), hit Escape, then type :wq and hit Enter
    11. Type services.sh restart and hit Enter
    12. Exit the host from Maintenance Mode.
