Menu

Virtual Geek

Tales from real IT system administrators world and non-production environment

How to import default vCenter server appliance VMCA root certificate and refresh CA certificate on ESXi

This is step by step guide on basic vmware certificate chain installation in the infrastructure, all the steps performed on development infra, Back from my previous project, I installed new VMware vCenter appliance 6.7 recently and few of my esxi server were already installed with self signed certificates using Microsoft CA and openssl tool. But I wanted to streamline everything with automated fashion. VMCA to help here, VCSA 6.7 comes with component called VMCA (VMware certificate authority) inbuilt into PSC (Platform services controller). 

Generate new self-signed certificates for ESXi using OpenSSL
Push SSL certificates to client computers using Group Policy
Replacing a default ESXi certificate with a CA-Signed certificate
Troubleshooting replacing a corrupted certificate on Esxi server
How to import default vCenter server appliance VMCA root certificate and refresh CA certificate on ESXi
How to replace default vCenter VMCA certificate with Microsoft CA signed certificate

When you open VCSA web client url, by default it shows certificate error with not secure. If you open cert and read the properties it signed by unknown CA. To resolved this without any change, download VMCA root certificate chain from same webpage in the right bottom. Click on Download trusted root CA certificates

vmware workstation vsphere vmware vcenter server appliance vcsa vsphere client vsphere web client flex flash html5 download trusted root ca certificates ca openssl cert.png

Inside the zip file, we will need CRT extension file located under path location certs\win. Extract it

winrar, vmware vsphere powershell, vcenter esxi download.zip crt crl seucurity certificate Certificate revocation list vcenter vmware certificate authority openssl.png

I am using below PowerShell script to extract required file. 

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
function UnZip-File {
    [CmdletBinding(SupportsShouldProcess=$True,
        ConfirmImpact='Medium',
        HelpURI='http://vcloud-lab.com',
        
    )]
    param (
        [parameter(Position=1, Mandatory=$True, ValueFromPipelineByPropertyName=$true)]
        [alias('ZipPath')]
        [String]$ZipFile = "$env:USERPROFILE\Downloads\download.zip",
        [parameter(Position=2, Mandatory=$True, ValueFromPipelineByPropertyName=$true)]
        $Filter = '*.crt',
        [parameter(Position=3, ValueFromPipelineByPropertyName=$true)]
        $OutputPath = 'C:\Temp\Certs'
    )

    $exists = Test-Path -Path $OutputPath
    if ($exists -eq $false)
    {
      $null = New-Item -Path $OutputPath -ItemType Directory -Force
    }

    Add-Type -AssemblyName System.IO.Compression.FileSystem
    $zip = [System.IO.Compression.ZipFile]::OpenRead($ZipFile)

    $foundFiles = $zip.Entries | Where-Object {$_.Fullname -like $Filter}
    foreach ($file in $foundFiles) {
        [System.IO.Compression.ZipFileExtensions]::ExtractToFile($file,"$OutputPath\$($file.Name)",$true) 
    }

    $zip.Dispose()
}

Run above script once, after that execute below command to extract CRT file to Output path.

UnZip-File -ZipFile <Path\Zip> -Filter <*.ext> -OutputPath <Path>

Next command Imports certificate to local computer's Certificates MMC under location Trusted Root Certification Authorities\Certificates, Once import is successful you can verify it on the gui mmc. If you want to escape below step and want to push install chain certificate on your entire infrastructure use my previous article Push SSL certificates to client computers using Group Policy.

Import-Certificate -FilePath <CRT file path> -CertStoreLocation Cert:\LocalMachine\Root

Powershell unzip-file import-certificate certstorelocation, local machine computer trusted root certificate authorities certificate cert vmware vsphere vcenter vmca vcsa esxi rootca.png

This onetime step is completed, close and reopen vCenter url in browser, this time connection will be show secure with Certificate (valid), and on the cert path it shows proper chain with hierarchy path.

vmware vcsa vcenter appliance vsphere vmware certificate authority valid certificate chain path, esxi renew refresh ca cert, microsoft root ca connection is secure, vmware vsphere trust.png

Adding esxi host to vCenter virtual datacenter has its own benefit, the very first in effect is, when you add ESXi host to vCenter, Esxi self signed certificate will be automatically replaced by VMCA signed certificate on ESXi host. In case if you have upgraded vCenter from lower version and after upgrade somehow esxi certificate is not refreshed, you can do it by Right clicking from virtual datacenter on ESXi server and then on context menu actions select Certificates and click Refresh CA Certificates. If certificate is about to expire, you can renew it using Renew Certificate.

vmware vsphere vcenter appliance vcsa esxi server Certificate refresh CA certificates, renew certificate, openssl microsoft ca server vmca vmware certificate authority no maintenance mode.png

Lunch ESXi ui web access in browser and review the new certificate settings, It is signed by VMware CA now.

vmware vsphere vcenter server esxi login in wbsite identification, vmca vmware certification authority CA plo alto, anlifonia rootca replace cert self-signed.png

Useful Articles
PART 1 : BUILDING AND BUYING GUIDE IDEAS FOR VMWARE LAB
PART 2 : BUILDING AND HARDWARE BUYING GUIDE IDEAS FOR VMWARE LAB
PART 3 : MY VSPHERE LAB CONFIGURATION ON VMWARE WORKSTATION
PART 4 : CONFIGURING VMWARE WORKSTATION NETWORKING IN HOME LAB
PART 5 : CONFIGURING STORAGE IN VMWare WORKSTATION FOR OPTIMAL SPEED
PART 6 : CONFIGURE VMWARE WORKSTATION TO SAVE SSD SPACE AND TIME
PART 7 : CREATING NESTED VMWARE ESXI SERVER VM IN HOMELAB ON VMWARE WORKSTATION
PART 8 : CPU COOLING SOLUTION FOR MY HOME LAB ON VMWARE WORKSTATION

Go Back

Comment

Blog Search

Page Views

2984792

Follow me on Blogarama