How To Replace VCenter SSL Certificates With A Microsoft Internal CA (Complete CLI Guide)

Replace vCenter SSL certs using Microsoft CA via CLI. Fix browser warnings and secure your environment with this step-by-step guide.

Prerequisites

  • A server with CA role installed and configured.

Create Template

On the CA server run certtmpl.msc, or open an MMC console and add the Certificate Templates snap-in.



Click on Certificate Templates (your CA server) to show all the available templates. Then right-click on Web Server and select Duplicate Template.



On the Properties window, under the Compatibility tab, set Certification Authority to Windows Server 2012 and Certificate recipient to Windows 7 / Server 2008 R2. Click OK on the window that opens to confirm the changes.

Click on the General tab and change the name in the Template display name field to suit your environment. Change the Validity period if needed.



NOTE: ESX hosts require different Application Policies. If you want to use the same template for vCenter and ESX hosts, skip down to the next section, where Server and Client Authentication are both added.

Click on the Extensions tab, select Application Policies and click Edit…. Select Server Authentication, remove it, then click OK (if Client Authentication is present, remove it as well).



For ESX hosts we need both Server and Client Authentication. If you duplicated the Web Server template, Server Authentication should already be in Application Policies. Click the Add… button, add Client Authentication as well, then click OK.

Click on Basic Constraints, click Edit…, check the box for Enable this extension, then click OK.



Click on Key Usage and click Edit…. Check the box next to Signature is proof of origin (nonrepudiation) and click OK.



Click the Subject Name tab and confirm that Supply in the request is selected. If not, select it, then click OK to save the template.



NOTE: If you plan on using Omnissa Horizon Connection Servers for VDI and want to use the same template, you need to make sure the private key is exportable. You can do this during the request, or configure the template to allow it. Here's how: click the Request Handling tab, check the box for Allow private key to be exported, and click OK.



One other setting is needed for use with Horizon Connection Servers. Under the Security tab, check the Allow box next to Enroll for Authenticated Users.



Adding the New Template to Certificate Templates

Run certsrv.msc, or add the Certification Authority snap-in to your MMC console and click OK.



Expand your CA until you see the Certificate Templates folder. Right-click it and select New > Certificate Template to Issue.



Find the template you just created in the list, select it, then click OK.



The template now appears in the list of available templates, and you can use it to create SSL certificates for VMware appliances and hosts.



Generate a vCenter Server CSR using Certificate Manager tool from CLI

Using PuTTY or your tool of choice, SSH into your vCenter server as root. If you see the Command> prompt, type shell and it should change to root@<vCenter name> [ ~ ]#. Before we run the Certificate Manager tool, we need to create a directory to save the CSRs. Type the following and press Enter.

mkdir /tmp/certs

To enter Certificate Manager run this command:

/usr/lib/vmware-vmca/bin/certificate-manager

Select option 1 (Replace Machine SSL certificate with Custom Certificate). After entering credentials, select option 1 again to generate certificate signing request(s) and key(s) for the machine SSL certificate.


For the Output directory path we are going to use the directory we created above. Enter /tmp/certs and press Enter.

At this point we will start filling out the CSR with the appropriate information for your environment. Use the following table/screenshot as a guide.

Property            Value
Country             Leave the default for the US, or change it to your own country. Only two letters are allowed.
Name                FQDN of the vCenter Server. Example: vcsa223.nested.local
Organization        Default, or specify your own. Example: ChrisAllenPope
OrgUnit             Optional
State and Locality  Your State and City (Locality). Example: Alabama
IPAddress           IP address of the vCenter Server
Email               Email address
Hostname            FQDN of the vCenter Server. Example: vcsa223.nested.local
VMCA Name           FQDN of the vCenter Server. Example: vcsa223.nested.local

Confirm that the CSR succeeded; it is saved as vmca_issued_csr.csr in the certs directory. Enter 2 and press Enter to exit Certificate Manager.



Now run the following command.

cd /tmp/certs

This changes into the certs directory we created. Once there, type

ls

and you should see two files, vmca_issued_csr.csr and vmca_issued_key.key.

Now use an app like WinSCP to connect to your vCenter and copy those two files to your local machine. If you use WinSCP and receive an error message that starts with Received too large, there is a Broadcom KB that gives the fix. Once you are connected with your file-transfer program of choice, find those two files and copy them to a folder on your local PC.


Submitting the CSR to your Microsoft CA using the Web Interface

Navigate to http://yourCA/certsrv and click on Request a certificate.



Click on advanced certificate request.



Open the vmca_issued_csr.csr file with Notepad and copy its contents. Be sure not to copy any extra spaces at the beginning or end.



Paste what you copied into the Saved Request: box. Then select your VMware SSL template that you created earlier and click Submit.



On the next page, select Base 64 encoded and click Download certificate.



You can open the certificate and click on the Certification Path tab to view it if you want.



VCSA needs a chain that contains the root and any intermediate CA certs. So go back to the Certificate Services homepage and click on Download a CA certificate. This lets us download the certificate of our root CA.



On the next page, make sure your Root CA is selected under CA certificate. Select the Base 64 radio button, then click Download CA certificate.



After downloading, it's a good idea to rename the certs so you can keep track of them. I've renamed the root cert "AD222-Root" and our vCenter cert "VCSA223".



Constructing the Single Full Chain Certificate File for vCenter

In most production environments you will have three separate certs to combine into one file: the vCenter cert we created above, the Root CA cert, and the Intermediate CA cert. It should look like the image below.



To build the chain, open a new blank Notepad and save it as VCSA223-Chain.cer or something similar.

  • In another tab or window, open the vCenter cert file with Notepad and copy its contents, then paste it into VCSA223-Chain.
  • In another tab or window, open the Root cert file with Notepad and copy its contents, then paste it into VCSA223-Chain directly under the vCenter cert that you just pasted.
  • If you have an Intermediate CA cert, open it in Notepad and copy its contents and paste it at the bottom of VCSA223-Chain.
  • When you finish you should have something like the following screenshot.

IMPORTANT! Save the chain .cer file that you just created. It's easy to leave it open, move on to uploading your certs, and forget to save the changes made to it.
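The Notepad copy-and-paste steps above are where stray whitespace and truncated blocks creep in. This added example (not part of the original guide) builds the chain file programmatically in the guide's order and validates each PEM block first; the DER samples in the test are constructed stand-ins, not real certificates.

```python
import base64
import re

# Added example, not from the original guide: build the chain file the guide
# describes programmatically, so stray whitespace from copy/paste cannot
# corrupt it, and check each block before it goes in.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def load_certs(pem_text):
    """Return the DER bytes of every certificate block in pem_text.

    Whitespace inside a block is ignored. A block that is not valid base64, or
    whose DER does not start with an ASN.1 SEQUENCE tag (0x30), is rejected.
    """
    if "PRIVATE KEY" in pem_text:
        raise ValueError("private key material does not belong in a chain file")
    certs = []
    for body in PEM_CERT.findall(pem_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der or der[0] != 0x30:
            raise ValueError("block does not decode to a DER certificate")
        certs.append(der)
    if not certs:
        raise ValueError("no certificate blocks found")
    return certs


def to_pem(der):
    """Re-emit DER as a clean PEM block: 64-column lines, no extra whitespace."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def build_chain(machine_pem, root_pem, intermediate_pem=None):
    """Concatenate in the order the guide uses (machine cert, root CA, then the
    intermediate CA if any). Each input must hold exactly one certificate."""
    inputs = [machine_pem, root_pem]
    if intermediate_pem is not None:
        inputs.append(intermediate_pem)
    out = []
    for text in inputs:
        certs = load_certs(text)
        if len(certs) != 1:
            raise ValueError(f"expected one certificate per file, found {len(certs)}")
        out.append(to_pem(certs[0]))
    return "".join(out)
```

Read the three downloaded .cer files, pass their text to build_chain, and write the result to VCSA223-Chain.cer; a ValueError means one of the inputs was pasted or saved incorrectly.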

Upload Certs to vCenter

Now that we have the cert files we need, we can upload them to vCenter. I use WinSCP to upload the following three files:

  • AD222-Root.cer – This will contain the Root CA followed by the Intermediate CA if you are using one.
  • VCSA223-Chain.cer – This contains the full chain. Machine Cert (vCenter), Root CA, and Intermediate CA.
  • VCSA223.key – The private key generated during the CSR request. It was originally named vmca_issued_key.key; I renamed it to VCSA223.key.

We could use the /tmp/certs directory we created earlier, but since it is under /tmp it could be removed. To keep the cert files on the vCenter, I'm creating a new directory, /root/certs. Upload the three files into that directory using WinSCP or your file-transfer app of choice.



Import and Replace Self-Signed Certs with Custom CA Certs using vCenter Certificate Manager

Open PuTTY, SSH into the vCenter server and enter:

/usr/lib/vmware-vmca/bin/certificate-manager

Select Option 1 – Replace Machine SSL certificate with Custom Certificate. Enter credentials when prompted, then select Option 2 – Import Custom Certificate(s) and key(s) to replace existing Machine SSL Certificate.

  • Now we need to enter the location of our certs.
  • First is the Machine SSL Certificate, which in our case is
    /root/certs/VCSA223-Chain.cer
  • Next is the Private Key for the Machine SSL Certificate
    /root/certs/VCSA223.key
  • Last is the Signing Certificate, i.e. your Root and Intermediate CA
    /root/certs/AD222-Root.cer


After entering all the file paths you'll be prompted to continue; type "y" and press Enter. Services are stopped while the certs are replaced and then restarted. Once it's done you will see "100% completed [All tasks completed successfully]".



Now when you navigate to vSphere you will see that your connection is shown as secure in the address bar. When you view the certificate information, you can see that vCenter is now using the new CA-signed certificate.


Chris Pope

Certified Senior Virtualization Engineer with over 13 years of experience designing, deploying, and optimizing VMware and Omnissa environments across secure DoD and NATO systems. Adept at streamlining hybrid cloud operations, executing complex P2V migrations, and enhancing disaster recovery. Skilled communicator who simplifies complex technology for users and teams.
