VMCA (VMware Certificate Authority) is one of the components of the PSC (Platform Services Controller) built into vCenter Server 6.x. VMCA is a Certificate Authority and works in the same way as a Microsoft CA. It can issue certificates to VMware components, i.e. vCenter and ESXi servers. In my previous blog, How to import default vCenter server appliance VMCA root certificate and refresh CA certificate on ESXi, I showed how to use the existing default VMCA root certificate and how to trust it in your organization using Group Policy or manually, which doesn't require much effort.
Your internal Information Security team might want you to replace the default certificate on the vCenter Server Appliance (VCSA) with a custom certificate issued by your in-house Certificate Authority or with a 3rd-party trusted SSL certificate. I already have my Microsoft Root CA PKI infrastructure configured in my environment.
I keep the PSC role on the same server as the vCenter appliance, keeping future deployments and changes in mind as per this article: https://blogs.vmware.com/vsphere/2018/11/external-platform-services-controller-a-thing-of-the-past.html. The first step is to create a new certificate template for VCSA on the Microsoft Certificate Authority server; I have followed the same steps as the VMware video at https://www.youtube.com/watch?v=epxR5Ow4QtU. Open Run, type certtmpl.msc and press OK.
How to replace default vCenter VMCA certificate with Microsoft CA signed certificate
If you see the error "Certificate Template: Windows could not create the object identifier list. The specified domain either does not exist or could not be contacted. Certificate templates are not available.", right-click Certificate Templates, press Connect to another writable domain controller, choose a default writable domain controller, then hit OK.
From the Template Display Names find Web Server, right-click it and choose Duplicate Template. In the properties go to the Compatibility tab and under Compatibility Settings choose Certification Authority: Windows Server 2008 (Version 3 Certificate). If you need stronger security and a higher encryption level on your cert, choose a higher OS version from the list; for backward compatibility choose a lower OS version.
Next, on the General tab give the template a display name.
On the Extensions tab select Application Policies, click Edit and remove Server Authentication.
Next go to Key Usage and tick Signature is proof of origin (nonrepudiation). Finally select the Subject Name tab, make sure Supply in the request is selected and click Apply, then OK. The new certificate template will now show in the list.
Open Server Manager, go to Tools and choose Certification Authority. Right-click Certificate Templates and go to New >> Certificate Template to Issue. Select the template created earlier and click OK to enable it in the Certificate Authority.
The tasks on the CA server are completed. For the next tasks I will log in to the VCSA (VMware vSphere vCenter Server Appliance) using the SSH tool PuTTY. After login, launch BASH at the command prompt by typing shell; this shell access is granted with root permissions.
I need SCP to work on the VCSA; running chsh -s /bin/bash root will allow the WinSCP tool to log in.
Run the command /usr/lib/vmware-vmca/bin/certificate-manager and select the operation Replace Machine SSL certificate with Custom Certificate by typing 1. Provide valid SSO and VC privileged user credentials to perform certificate operations. Once authentication succeeds, select the option Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate by typing 1. This launches the certool tool to generate the key and CSR.
On the CSR and Private Key generation option, provide the information as below; this configures and creates certool.cfg.
Provide a directory location to write the CSR(s) and PrivateKey(s) to: Output directory path: /tmp/
Enter proper value for 'Country' [Default value : US] (must be 2 character value only) : IN
Enter proper value for 'Name' [Default value : CA] (VCSA-CA or FQDN) : vcsa.vcloud-lab.com
Enter proper value for 'Orgnaization' [Default value : VMware] : vcloud-lab.com
Enter proper value for 'OrgUnit' [Default value : VMware Engineering] : IT Architects
Enter proper value for 'State' [Default value : California] : MH
Enter proper value for 'Locality' [Default value : Palo Alto] : Pune
Enter proper value for 'IP Address' (Provide comma seperated values for multiple IP addresses) [optional] : 192.168.34.15, 192.168.34.20
Enter proper value for 'Email' [Default value : [email protected]] : [email protected]
Enter proper value for 'Hostname' (Provide comma separated values for multiple Hostname entries) [Enter valid Fully Qualified Domain Name(FQDN), For Example : example.domain.com] : vcsa, vcsa.vcloud-lab.com
Enter proper value for VMCA 'Name' : vcsa.vcloud-lab.com
In the background it uses certool to generate vmca_issued_csr.csr and vmca_issued_key.key under the provided folder location /tmp/.
Type 2 to exit Certificate-Manager.
Download the newly generated files from the VCSA using WinSCP. The files are vmca_issued_key.key and vmca_issued_csr.csr in the /tmp folder.
On the Microsoft Active Directory Certificate Services web site, http://<FQDN or ip>/certsrv, click Request a certificate.
Click Submit an advanced certificate request.
Open vmca_issued_csr.csr in Notepad, copy all the content from beginning to end and paste it into the Base-64-encoded certificate request (CMC or PKCS #10 or PKCS #7) text box. Under Certificate Template select the template VCSA created earlier and press Submit.
The certificate is now issued; choose Base 64 encoded, then Download certificate (certnew.cer) and Download certificate chain (certnew.p7b).
The downloaded certnew.p7b cannot be imported directly on the VCSA. It contains the Root CA certificate, which I will export with a .CER extension by opening the file, selecting the Root CA certificate, right-clicking and choosing All Tasks and Export. This launches the Certificate Export Wizard; select Base-64 encoded X.509 (.CER) and press Next. Browse to a directory location and give the file a meaningful name such as rootca.cer to save the certificate with a .cer extension.
Review the settings on the last page and click Finish; it should show the message The export was successful.
Upload certnew.cer and rootca.cer to the VCSA using WinSCP.
On the VCSA run the command /usr/lib/vmware-vmca/bin/certificate-manager. Select option 1. Replace Machine SSL certificate with Custom Certificate and provide the admin username and password. Then select option 2. Import custom certificate(s) and key(s) to replace existing Machine SSL certificate by typing 2.
Provide the certificate file paths as below:
Custom certificate for Machine SSL File: /tmp/certnew.cer
Custom key for Machine SSL File: /tmp/vmca_issued_key.key
The signing certificate of the Machine SSL certificate File: /tmp/rootca.cer
Press Y to continue replacing the Machine SSL cert with the custom cert. Deployment takes some time; if everything is good, the following message is shown at the end:
Updated 32 service(s)
Status : 100% Completed [All tasks completed successfully]
If you provide an incorrect certificate during deployment you will see an error similar to depth lookup:certificate.
After launching the VCSA URL in a browser, below are the changes before and after the replacement. To trust the root certificate you can add it to Trusted Root Certification Authorities as shown in my earlier article How to import default vCenter server appliance VMCA root certificate and refresh CA certificate on ESXi.
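Before pressing Y on the import, the three files can be sanity-checked on the VCSA itself with openssl, which catches a mismatched key, a wrong root or a missing SAN before certificate-manager fails with the depth lookup error. This is an added example, not part of the original post: check_cert_bundle runs the three checks, and make_demo_bundle builds a constructed throwaway root CA and leaf certificate (with the hostnames from the CSR prompts above, reused here as assumptions) so the script can be run offline.

```shell
#!/bin/sh
# Added example, not from the original post. On a real VCSA point the checks at
# /tmp/certnew.cer, /tmp/vmca_issued_key.key and /tmp/rootca.cer.

# check_cert_bundle CERT KEY ROOTCA FQDN -> exit 0 only when all checks pass
check_cert_bundle() {
    cert=$1; key=$2; root=$3; fqdn=$4
    # 1. The private key written by certool must belong to the issued certificate
    #    (compare the public key embedded in each).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] || { echo "key does not match certificate"; return 1; }
    # 2. The certificate must chain to the exported root; a wrong or missing issuer
    #    is what certificate-manager later reports as a depth lookup failure.
    openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1 \
        || { echo "certificate does not chain to $root"; return 1; }
    # 3. The FQDN clients connect to must appear as a DNS entry in subjectAltName.
    openssl x509 -in "$cert" -noout -text | grep -A1 'Subject Alternative Name' \
        | grep -qE "DNS:${fqdn}"'(,|$)' \
        || { echo "$fqdn missing from subjectAltName"; return 1; }
    echo "OK: $cert matches $key, chains to $root and covers $fqdn"
    return 0
}

# make_demo_bundle DIR: constructed throwaway root CA + leaf so the checks run offline.
make_demo_bundle() {
    dir=$1
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$dir/rootca.key" -out "$dir/rootca.cer" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=vcsa.vcloud-lab.com" \
        -keyout "$dir/vmca_issued_key.key" -out "$dir/vmca_issued_csr.csr" 2>/dev/null
    printf 'subjectAltName=DNS:vcsa,DNS:vcsa.vcloud-lab.com\n' > "$dir/san.ext"
    openssl x509 -req -in "$dir/vmca_issued_csr.csr" -CA "$dir/rootca.cer" \
        -CAkey "$dir/rootca.key" -CAcreateserial -days 1 -extfile "$dir/san.ext" \
        -out "$dir/certnew.cer" 2>/dev/null
}

# Demo run against the constructed bundle.
demo_dir=$(mktemp -d)
make_demo_bundle "$demo_dir"
check_cert_bundle "$demo_dir/certnew.cer" "$demo_dir/vmca_issued_key.key" \
    "$demo_dir/rootca.cer" vcsa.vcloud-lab.com
```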