Certificates for vCenter and HTML 5 Appliance – Part 1

So I pretty much lost a day and a half trying to sort out certificates for one of my vCenter clusters.  I’ve read through many VMware KBs, blogs and articles on how to get a valid certificate onto my vCenter servers, but didn’t quite find a definitive one.  So I’m hoping that what I did earlier in the week will be helpful.  It will also serve as a reminder for me of how I did this.

As of March 7, 2019 I am running VCSA 6.0 Build 9291058, and I also have a Microsoft CA to generate and issue certificates.

From the VCSA, I logged in as root and ran the following command:

/usr/lib/vmware-vmca/bin/certificate-manager

This will bring up the vSphere 6.0 Certificate Manager:

[Screenshot: certman]

Select Option 1 to replace the machine SSL certificate with a custom certificate.

Follow the prompts to enter credentials for the SSO and vCenter server.

After a successful login, select Option 1 to generate certificate signing request(s) and key(s) for the machine SSL certificate.

[Screenshot: genssl]

You’ll then be prompted for a location to save the CSR(s) and private key(s).  Enter the desired location and select whether or not to reconfigure certool.cfg.  If you already have one configured, you can select no to save some time.  Otherwise select Y and enter the appropriate values.

[Screenshot: certool2]

After the CSR is generated, select Option 2 to exit the certificate manager.

[Screenshot: certool_complete]

Next, you’ll need to go to your Microsoft CA to request a certificate.

[Screenshot: req_cert]

Open the CSR in a text editor and paste it into the request field, adding any attributes if necessary:

SAN:DNS=<FQDN>&DNS=<hostname>&DNS=<IP_Address>&IPADDRESS=<IP_Address>

[Screenshot: submt_csr]

After you submit the request, open the .cer in a text editor and copy its contents into a text editor on your VCSA.  Save the file with a meaningful name, e.g. hostname.cer.

Next, you’ll need to create a chained cert (the issued certificate followed by its signing chain).

You’ll need the .cer that was just issued, as well as any intermediate CA certs and the root cert.

For my purposes, I exported the certs from the built-in Windows certificate management console: I selected the intermediate and root certs and exported them.  Be sure to download the certs in Base64 format.

[Screenshot: req_cert_base64]

After you have all the certs, copy them to your vCenter, and then create the chained cert by concatenating them in this order: <newly issued machine cert> <intermediate cert> <root cert>

cat certnew.cer intermediateCA.cer RootCA.cer > name_of_signing_chain.cer

After creating the chained cert, run the certificate manager again:

/usr/lib/vmware-vmca/bin/certificate-manager

Select Option 1:

[Screenshot: certman]

Enter credentials for SSO and select Option 2 to import custom certificate(s).

[Screenshot: genssl]

Provide the location of the issued cert, the private key, and the chain cert.

This will take a minute or two.  After the certs are successfully imported, you’ll have a valid SSL cert for your vCenter.
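Before importing, it is worth confirming that the concatenated chain really is in the leaf, intermediate, root order described above and that the private key belongs to the issued cert, since either mistake makes the import fail. The following POSIX shell script is an added example (not from the original post) that performs both checks with openssl; it builds a throwaway lab PKI as constructed sample input, and the file names vcsa.key and name_of_signing_chain.cer are assumed.

```shell
#!/bin/sh
# Sanity checks for the chained cert before handing it to certificate-manager.
# File names vcsa.key and name_of_signing_chain.cer are assumed, not from the post.

# Build a throwaway lab PKI (constructed sample data, NOT a real CA):
# root -> intermediate -> machine SSL cert, mirroring the Microsoft CA layout above.
make_lab_pki() {
  dir=$1
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Lab Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.cer" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Lab Issuing CA" \
    -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$dir/int.csr" -CA "$dir/root.cer" \
    -CAkey "$dir/root.key" -CAcreateserial -out "$dir/int.cer" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=vcsa.lab.example" \
    -keyout "$dir/vcsa.key" -out "$dir/vcsa.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$dir/vcsa.csr" -CA "$dir/int.cer" \
    -CAkey "$dir/int.key" -CAcreateserial -out "$dir/vcsa.cer" 2>/dev/null
}

# Return 0 if the concatenated PEM chain is ordered leaf -> intermediate(s) -> root:
# each cert's issuer must equal the next cert's subject, and the last must be self-signed.
chain_order_ok() {
  tmp=$(mktemp -d)
  # Split the bundle into one file per certificate (c1.pem, c2.pem, ...).
  awk -v d="$tmp" '/BEGIN CERTIFICATE/{n++} n>0{print > (d "/c" n ".pem")}' "$1"
  prev_issuer=""
  for f in "$tmp"/c*.pem; do
    subj=$(openssl x509 -in "$f" -noout -subject_hash)
    iss=$(openssl x509 -in "$f" -noout -issuer_hash)
    if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subj" ]; then
      rm -rf "$tmp"; return 1
    fi
    prev_issuer=$iss
    last_subj=$subj
  done
  rm -rf "$tmp"
  [ "$prev_issuer" = "$last_subj" ]
}

# Return 0 if the private key produced by certificate-manager belongs to the first
# (machine SSL) certificate in the chain; openssl x509 reads only the first PEM block.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Usage against the real files from the procedure above:
#   chain_order_ok name_of_signing_chain.cer && key_matches_cert name_of_signing_chain.cer vcsa.key
```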
