Certificates for vCenter and HTML 5 Appliance – Part 1

So I pretty much lost a day and half trying to sort out certificates for one of my vCenter clusters.  I’ve read through many VMware KB’s different blogs and articles on how to have a valid certificate for my vCenter servers, but didn’t quite find a definitive one.  So I’m hoping that what I did early in the week will be helpful.  It will also serve as a reminder for me on how I did this.

As of March 7, 2019 I am running VCSA 6.0 Build 9291058, I also have Microsoft CA to generate and issue certificates.

From the VCSA, I logged in as root and ran the following command

/usr/lib/vmware-vmca/bin/certificate-manager

This will bring up the vSphere 6.0 Certificate Manager

certman

Select Option 1 to replace machine ssl certificate with custom certificate.

Follow the prompts to enter credentials for the SSO and vCenter server.

After a successful login, select option 1 to generate certificate signing request(s) and key(s) for machine SSL certificate

genssl

You’ll then be prompted for a location to save the CSR(s) and Private Key(s).  Enter a desired location and select whether or not to reconfigure certool.cfg.  If you already have one configured, you can select no, to save some time.  Otherwise select Y and enter the appropriate values.

certool2

After the csr is generated, select Option 2 to exit the certificate manager

certool_complete

Next up, you’ll need to go to your Microsoft CA to request a certificate.

req_cert

Open the CSR in a text editor and copy it into the field, add any attributes if neccesary:

SAN:DNS=<FQDN>&DNS=<hostname>&DNS=<IP_Address>&IPADDRESS=<IP_Address>

submt_csr

After you submit the request, open the .cer in a text editor and copy that into a text editor on your VSCA.  Save the file with a meaningful name, ie; hostname.cer

Next, you’ll need to create a signed chained cert.

You’ll need the cer that was just created, as well as any intermediate CA certs and the root cert.

For my purposes, I exported the certs from the built-in windows certificate management console.  Selected the intemediate and root certs, and exported them. Be sure to download the cert in Base64 format

req_cert_base64

After you have all the certs, copy it to your vCenter, and then you’ll need to create a signed chained cert in this order: <generated CA cert> <intermediate cert> <root cert>

cat certnew.cer intermediateCA.cer RootCA.cer > name_of_signing_chain.cer

After creating the chained cert, run the certificate manger again

/usr/lib/vmware-vmca/bin/certificate-manager

Select Option 1

certman

Enter credentials for SSO and select Option 2 to import certs.
genssl

Provide the location of the generated cert, the private as well as the chain cert.

This will take a minute or two.  After the certs are successfully imported, you’ll valid SSL cert for you vCenter.

%d bloggers like this:
Bitnami