How to Replace vCenter SSL Certificates Using the GUI
01 May
Do you have proper SSL certificates on vCenter? You may have seen my walkthrough where we did this with the CLI, but some people are more comfortable using the GUI. I'm going to skip creating a certificate template and adding it to the CA's certificate templates and go straight to generating the CSR. If you need to create a template, click HERE and follow the first part of that walkthrough to get your template set up and added to your Microsoft CA.
Prerequisites
- A server with CA role installed and configured.
- This should not be done on a vCenter managed by SDDC. This walkthrough is intended for stand-alone vCenter Servers.
- Snapshot or back up the vCenter VM first (especially if you are not confident with the VCSA CLI).
- Use VMware Certificate Manager or the VECS CLI; when used correctly, they handle the dependent services and trust stores properly.
- If using Custom CA-signed certs, ensure all vCenters trust the issuing CA.
- Propagate trust: You may need to manually import the new cert or the CA chain into the VECS store on the peer vCenters.
Generate a vCenter Server CSR Using the GUI
Log in to your vCenter Server with an account that has admin rights. In the top left corner click the hamburger menu (three horizontal lines) to open the menu, then click Administration.

Once in Administration, look at the very bottom of the left pane under Certificates and click Certificate Management. In the center of the screen find Machine SSL Certificate, click the Actions drop-down to expand it, then click Generate Certificate Signing Request (CSR).

The Generate CSR window opens, and we can fill out the CSR with the appropriate information for your environment. The following table / screenshot can be used as a guide. Once filled out, click Next.
| Property | Value |
|---|---|
| Common Name | FQDN of the vCenter Server. Example: vcsa223.nested.local |
| Organization | Leave the default or specify your own. Example: ChrisAllenPope |
| Organizational Unit | Optional |
| Country | Leave the default for the US or change it to your own country. Only two letters are allowed. |
| State/Province and Locality | Specify your State and City (Locality). Example: Alabama |
| Email address | Optional |
| Host | FQDN of the vCenter Server. Example: vcsa223.nested.local |
| Subject Alternative Name | Optional, but Chromium-based browsers don't like this to be left blank. Use the FQDN of the vCenter Server. Example: vcsa223.nested.local |
| Key Size | Leave at the default or change it to meet your environment's requirements. |

Now we can copy or download our CSR. I suggest downloading it so you can click Finish to close the Generate CSR window.
Submitting the CSR to your Microsoft CA using the Web Interface
Navigate to http://yourCA/certsrv and click on Request a certificate.

Click on advanced certificate request.

Open the .csr file you downloaded with Notepad and copy its contents, being sure not to include any extra whitespace at the beginning or end.

Paste what you copied into the Saved Request: box, then select your VMware SSL template that you created earlier and click Submit.

On the next page, select Base 64 encoded and click Download certificate. Save it, then open the folder it downloaded to and rename it with a memorable name. I'm using the name of the vCenter, so vcsa223.cer.

VCSA needs a chain that contains the root and any intermediate CA certs, so we need to go back to the homepage of Certificate Services and click Download a CA certificate to get the certificate of our root CA.
In my lab environment I don't have an intermediate CA. In a production environment everything you just did would have been done against an intermediate CA instead, but the steps are the same.

On the next page, make sure your root CA is selected under CA certificate, check the bubble for Base 64 then select Download CA certificate.

After downloading, it's a good idea to rename the certs so you can keep track of them. I've renamed the root cert "AD222-Root.cer" and our vCenter cert "vcsa223.cer".

Constructing the Full Chain Certificate
The GUI process here differs from the CLI. If you've ever done this with the CLI, you know we need the vCenter cert, root cert, and intermediate cert in one file. With the GUI we are going to have two files: the vCenter cert, and the chain, which contains your root CA cert and your intermediate CA cert.
To build the chain, open a new blank Notepad and save it as AD222-Chain.cer or something similar.
- In another tab or window, open the Root cert file with Notepad and copy its contents, then paste it into AD222-Chain.
- If you have an intermediate CA cert, open it in Notepad, copy its contents, and paste it at the bottom of AD222-Chain. Note: in my lab I don't have an intermediate CA, so I don't have a chain.cer file. I would just upload my root CA cert as the second file.
- When you finish you should have something like the following screenshot.
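As an added example (not code from the original post), the following script does the two text-handling steps above in a repeatable way: it trims the CSR so no stray whitespace goes into the Saved Request box, and it builds the chain file from the root cert plus an optional intermediate, checking that every block is a well-formed PEM certificate. The file names vcsa223.cer, AD222-Root.cer and AD222-Chain.cer follow the walkthrough; the sample PEM bodies are constructed placeholders, not real certificates.

```python
"""Normalize PEM files and build the two-file upload set (leaf + CA chain).
Standard library only. File names are illustrative (from the walkthrough)."""
import base64
import re
from typing import List, Optional

# A PEM block: header, base64 body (possibly with stray whitespace), matching footer.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_blocks(text: str) -> List[str]:
    """Return every PEM block in text, re-wrapped at 64 characters with no stray
    whitespace. Each body must be valid base64 and decode to a DER SEQUENCE
    (first byte 0x30), which every certificate and CSR starts with."""
    out = []
    for label, body in PEM_RE.findall(text):
        raw = base64.b64decode("".join(body.split()), validate=True)
        if not raw or raw[0] != 0x30:
            raise ValueError(f"{label} block is not DER-encoded ASN.1")
        b64 = base64.b64encode(raw).decode()
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        out.append(f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----")
    if not out:
        raise ValueError("no PEM block found")
    return out


def clean_csr(text: str) -> str:
    """Return the single CSR block, trimmed, ready to paste into certsrv."""
    blocks = pem_blocks(text)
    if len(blocks) != 1 or not PEM_RE.match(blocks[0]).group(1).endswith("CERTIFICATE REQUEST"):
        raise ValueError("expected exactly one CERTIFICATE REQUEST block")
    return blocks[0]


def build_chain(root_pem: str, intermediate_pem: Optional[str] = None) -> str:
    """Root first, then the optional intermediate: the contents of AD222-Chain.cer.
    Refuses anything that is not a CERTIFICATE block (e.g. a pasted CSR)."""
    blocks = pem_blocks(root_pem) + (pem_blocks(intermediate_pem) if intermediate_pem else [])
    for b in blocks:
        if PEM_RE.match(b).group(1) != "CERTIFICATE":
            raise ValueError("chain may only contain CERTIFICATE blocks")
    return "\n".join(blocks) + "\n"


# Constructed placeholder bodies: a minimal DER SEQUENCE, not real certificates.
FAKE_DER_B64 = base64.b64encode(b"\x30\x03\x02\x01\x05").decode()  # "MAMCAQU="
ROOT_PEM = f"  -----BEGIN CERTIFICATE-----\n{FAKE_DER_B64}\n-----END CERTIFICATE-----  \n"
CSR_PEM = f"\n-----BEGIN CERTIFICATE REQUEST-----\n {FAKE_DER_B64} \n-----END CERTIFICATE REQUEST-----\n\n"

if __name__ == "__main__":
    print(clean_csr(CSR_PEM))
    print(build_chain(ROOT_PEM))  # with an intermediate: build_chain(root, intermediate)
```

For real files, read vcsa223.cer, AD222-Root.cer and the intermediate with `open(...).read()`, write `build_chain(...)` to AD222-Chain.cer, and confirm the result with `openssl verify -CAfile AD222-Chain.cer vcsa223.cer` before uploading.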

Import and Replace Certificate
Back in vCenter, click Actions and select Import and Replace Certificate.

In the Replace Certificate window select ‘Replace with external CA certificate where CSR is generated from vCenter Server (private key embedded)’ and click Next.

Under Machine SSL Certificate, select Browse File and navigate to the vcsa223.cer file. Do the same under Chain of trusted root certificates. Once your certs are in place click Replace.

Now we see a message about our connection timing out. This is expected, as the services restart to pick up the new cert. Click the Login button to log back into vCenter.

Once you log back in click on View Details under the Machine SSL Certificate and you will see your updated SSL cert.

If your browser still shows your site as Not secure, close the browser and log back into vCenter. The Not secure warning should be gone, and if you check the cert you will see the new cert has been imported.
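Beyond the browser check, as an added example (not from the original post) you can confirm from any workstation that vCenter now serves the new certificate and that it validates against the chain you uploaded. The host name vcsa223.nested.local and the chain file AD222-Chain.cer are the walkthrough's values and are assumptions here; `covers_host` checks the SAN, which is what Chromium-based browsers require.

```python
"""Verify the replaced vCenter certificate over TLS using only the standard library."""
import socket
import ssl
from typing import Dict, List


def san_dns_names(cert: Dict) -> List[str]:
    """DNS names from the subjectAltName of a ssl getpeercert() dictionary."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def covers_host(cert: Dict, fqdn: str) -> bool:
    """True if fqdn matches a SAN entry exactly or via a single-label wildcard.
    The Common Name alone is ignored, matching modern browser behaviour."""
    fqdn = fqdn.lower()
    parent = fqdn.split(".", 1)[1] if "." in fqdn else ""
    return any(
        n.lower() == fqdn or (bool(parent) and n.startswith("*.") and n[2:].lower() == parent)
        for n in san_dns_names(cert)
    )


def fetch_cert(fqdn: str, cafile: str, port: int = 443) -> Dict:
    """Connect with verification pinned to cafile (root + intermediate) and return
    the peer certificate. Raises ssl.SSLCertVerificationError if the served chain
    does not validate against that file, i.e. the replacement did not take."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((fqdn, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=fqdn) as tls:
            return tls.getpeercert()


# Constructed sample in getpeercert() shape, used for offline checks (not a real cert).
SAMPLE_CERT = {
    "subject": ((("commonName", "vcsa223.nested.local"),),),
    "issuer": ((("commonName", "AD222-Root"),),),
    "subjectAltName": (("DNS", "vcsa223.nested.local"),),
}

if __name__ == "__main__":
    host = "vcsa223.nested.local"  # assumption: the walkthrough's vCenter FQDN
    cert = fetch_cert(host, "AD222-Chain.cer")
    print("issuer:", cert["issuer"])
    print("expires:", cert.get("notAfter"))
    print("SAN covers host:", covers_host(cert, host))
```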

This method may be easier for some users who are not as comfortable working via the command line. I personally prefer the CLI over the GUI. Maybe one day VMware can get the GUI to work as smoothly as CLI for certificate management, but I personally don’t think they are there yet.