
Virtual Geek

Tales from real IT system administrators world and non-production environment

How to replace default vCenter VMCA certificate with Microsoft CA signed certificate

VMCA (VMware Certificate Authority) is one of the components of the PSC (Platform Services Controller) built into vCenter Server 6.x. VMCA is a Certificate Authority and works the same way as a Microsoft CA: it can issue certificates to VMware components, i.e. vCenter and ESXi servers. In my previous blog, How to import default vCenter server appliance VMCA root certificate and refresh CA certificate on ESXi, I showed how to use the existing default VMCA root certificate and how to trust it in your organization using group policy or manually, which doesn't require much effort.

Your internal Information Security team might want you to replace the default certificate on the vCenter appliance (VCSA) with a custom certificate provided by your in-house Certificate Authority or a 3rd-party trusted SSL certificate. I already have my Microsoft Root CA PKI infrastructure configured in my environment.

I keep the PSC role on the same server as the vCenter appliance, keeping future deployments and changes in mind, as per this article https://blogs.vmware.com/vsphere/2018/11/external-platform-services-controller-a-thing-of-the-past.html. The first step is to create a new certificate template for the VCSA on the Microsoft Certificate Authority server; I followed the same steps as the VMware video at https://www.youtube.com/watch?v=epxR5Ow4QtU. Open Run, type certtmpl.msc and press OK.



If you see the error Certificate Template: Windows could not create the object identifier list. The specified domain either does not exist or could not be contacted. Certificate templates are not available, right-click Certificate Templates and choose Connect to another writable domain controller, choose a Default writable domain controller, then hit OK.


From the Template Display Names find Web Server, right-click it and choose Duplicate Template. In the properties go to the Compatibility tab; under Compatibility Settings choose Certification Authority as Windows Server 2008 (Version 3 Certificate). If you need a more secure certificate with a higher encryption level, choose a higher OS version from the list; for backward compatibility choose a lower OS version.

Next, on the General tab give the template a display name.


On the Extensions tab select Application policies, click Edit and remove Server Authentication.


Next go to Key Usage and check Signature is proof of origin (nonrepudiation). Lastly, select the Subject Name tab, make sure Supply in the request is selected and click Apply and OK. The new certificate template will now show in the list.


Open Server Manager, go to Tools and choose Certificate Authority. Right-click Certificate Templates and go to New >> Certificate Template to Issue. Select the template created earlier and enable it in the Certificate Authority by clicking OK.


The tasks on the CA server are completed. For the next tasks I will log in to the VCSA (VMware vSphere vCenter Server Appliance) using the SSH tool PuTTY. After login, launch BASH at the command prompt by typing shell; this shell access is granted with root permissions.


I need SCP to work on the VCSA; running chsh -s /bin/bash root will allow the WinSCP tool to log in.


Run the command /usr/lib/vmware-vmca/bin/certificate-manager and select the operation Replace Machine SSL certificate with Custom Certificate by typing 1. Provide valid SSO and VC privileged user credentials to perform certificate operations. Once authentication succeeds, select the option Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate by typing 1. This launches the certool tool to generate the key and CSR.


On the CSR and Private Key generation option, provide the info as below, which configures and creates certool.cfg.

Provide a directory location to write the CSR(s) and PrivateKey(s) to: Output directory path: /tmp/
Enter proper value for 'Country' [Default value : US] (must be 2 character value only) : IN
Enter proper value for 'Name' [Default value : CA] (VCSA-CA or FQDN) : vcsa.vcloud-lab.com
Enter proper value for 'Orgnaization' [Default value : VMware] : vcloud-lab.com
Enter proper value for 'OrgUnit' [Default value : VMware Engineering] : IT Architects
Enter proper value for 'State' [Default value : California] : MH
Enter proper value for 'Locality' [Default value : Palo Alto] : Pune
Enter proper value for 'IP Address' (Provide comma seperated values for multiple IP addresses) [optional] :  192.168.34.15, 192.168.34.20
Enter proper value for 'Email' [Default value :  email@acme.com] :  admin@gmail.com
Enter proper value for 'Hostname' (Provide comma separated values for multiple Hostname entries) [Enter valid Fully Qualified Domain Name(FQDN), For Example : example.domain.com] : vcsa, vcsa.vcloud-lab.com
Enter proper value for VMCA 'Name' : vcsa.vcloud-lab.com

In the background it uses certool to generate vmca_issued_csr.csr and vmca_issued_key.key under the provided folder location /tmp/.

Type 2 to exit Certificate-Manager.


Download the newly generated files from the VCSA using the WinSCP tool. The files are vmca_issued_key.key and vmca_issued_csr.csr in the /tmp folder.


On the Microsoft Active Directory Certificate Services web site, http://<FQDN or IP>/certsrv, click Request a certificate.


Click submit an advanced certificate request.


Open vmca_issued_csr.csr in Notepad, copy all the content from beginning to end and paste it into the Base-64-encoded certificate request (CMC or PKCS #10 or PKCS #7) text box. Under Certificate Template select the earlier created template VCSA and press the Submit button.


The certificate is issued now; choose Base 64 encoded and download the certificate (certnew.cer) and the certificate chain package (certnew.p7b).


The downloaded certnew.p7b cannot be imported directly on the VCSA. It contains the Root CA certificate, which I will export with the .CER extension: open the file, select the Root CA certificate, right-click it and choose All Tasks and Export. This launches the Certificate Export Wizard; select Base-64 encoded X.509 (.CER) and press Next. Browse to a directory location and give the file a meaningful name such as rootca.cer to save the certificate with the .cer extension.


Review the settings on the last page and click Finish; it should show the message The export was successful.


Upload certnew.cer and rootca.cer to the VCSA using the WinSCP tool.


On the VCSA run the command /usr/lib/vmware-vmca/bin/certificate-manager again. Select option 1. Replace Machine SSL certificate with Custom Certificate and provide the admin username and password. Then select option 2. Import custom certificate(s) and key(s) to replace existing Machine SSL certificate by typing digit 2.


Provide the certificate file paths as below:

Custom certificate for Machine SSL File:  /tmp/certnew.cer 
Custom key for Machine SSL File: /tmp/vmca_issued_key.key
The signing certificate of the Machine SSL certificate File: /tmp/rootca.cer

Press Y to continue replacing the Machine SSL cert with the custom cert. The deployment takes some time; if everything is good, the final messages will be:
Updated 32 service(s)
Status : 100% Completed [All tasks completed successfully]

If you provide an incorrect certificate during deployment, you will see an error similar to depth lookup:certificate.
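Before answering Y, the three files can be sanity-checked on the VCSA with openssl, which is already present on the appliance. This is an added example, not part of the original post: it constructs a throwaway root CA and leaf in place of the Microsoft CA output so that it runs offline, and reuses the post's file names (certnew.cer, vmca_issued_key.key, rootca.cer) and the FQDN vcsa.vcloud-lab.com.

```shell
#!/bin/sh
# Pre-import checks for the three files certificate-manager asks for.
# File names follow this post; the certificates themselves are CONSTRUCTED
# below with a throwaway test CA standing in for the Microsoft CA, so the
# script runs offline. Point CERT/KEY/ROOT at /tmp/... on a real VCSA.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CERT="$WORK/certnew.cer"          # issued Machine SSL certificate
KEY="$WORK/vmca_issued_key.key"   # private key certool generated with the CSR
ROOT="$WORK/rootca.cer"           # signing CA certificate exported from the .p7b
FQDN="vcsa.vcloud-lab.com"

# Constructed stand-in PKI: self-signed root, CSR for the VCSA, signed leaf.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Test Root CA" \
    -keyout "$WORK/rootca.key" -out "$ROOT" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$FQDN" \
    -keyout "$KEY" -out "$WORK/vmca_issued_csr.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/vmca_issued_csr.csr" -CA "$ROOT" \
    -CAkey "$WORK/rootca.key" -CAcreateserial -days 30 -out "$CERT" 2>/dev/null
}

# 1. The issued cert must carry the public key of the key certool generated.
key_matches_cert() {
  [ "$(openssl x509 -noout -pubkey -in "$1" | openssl sha256)" = \
    "$(openssl pkey -pubout -in "$2" | openssl sha256)" ]
}

# 2. The leaf must verify against the signing cert handed to certificate-manager;
#    a wrong signing cert is the failure the post's depth lookup error points at.
chain_verifies() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# 3. The leaf must name the VCSA FQDN (CN or SAN) and not be expired.
cert_names_host() {
  openssl x509 -noout -text -in "$1" | grep -q "$2" &&
    openssl x509 -noout -checkend 0 -in "$1" >/dev/null
}

# Runs all checks on (cert key root fqdn); returns 0 only if every one passes.
run_checks() {
  key_matches_cert "$1" "$2" && echo "key matches $1" &&
    chain_verifies "$1" "$3" && echo "$1 chains to $3" &&
    cert_names_host "$1" "$4" && echo "$1 names $4 and is not expired"
}
make_test_pki
run_checks "$CERT" "$KEY" "$ROOT" "$FQDN"
```

On a real appliance, drop make_test_pki and set CERT, KEY and ROOT to the /tmp paths given above; a failure in check 2 is the one to fix before retrying the import.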


After launching the VCSA URL in a browser, below are the changes before and after the certificate replacement. To trust the root certificate you can add it to Trusted Root Certification Authorities as shown in my earlier article How to import default vCenter server appliance VMCA root certificate and refresh CA certificate on ESXi.

