vCenter Server 6. - Replacing SSL certificates with custom VMCA logo

In earlier post How to replace VMware ESXi 6.* SSL certificate I described how to replace VMware ESXi 6.* SSL certificate. This post will focus on replacing SSL certificates with Custom VMCA in vCenter Server 6.* on Windows.

Prerequsites

VMCA topologies

I am not going to copy&paste VMware documentation – it is easier to read it. Below you will find a list of interesting documentation (in my opinion of course) to read:

Today we will use VMware Certificate Authority (VMCA) in custom topology. This means VMCA will be used only to store certificates for all vCenter Server solutions and all certificate replacement has to be done manually.

Replacing SSL certificates with custom VMCA

Replacing vCenter Server machine_ssl certificate

  1. Login to vCenter Server and start command line.
  2. In command line go to directory where you installed vCenter Server 6.*. In my case it is default directory: C:\Program Files\VMware\vCenter Server\vmcad\.
  3. Start tool called certificate-manager and select operation 1.
    vCenter Server 6. - Replacing SSL certificates with custom VMCA - 1
  4. Provide valid SSO password and hit Enter. Choose Operation 1 – Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate and hit Enter.
    vCenter Server 6. - Replacing SSL certificates with custom VMCA - 2
  5. Enter directory path where CSR and private key will be saved. For simplicity I created directory C:\SSL.
    vCenter Server 6. - Replacing SSL certificates with custom VMCA - 3
  6. Certificate Signing Request and private key to machine_ssl was generated successfully.
    vCenter Server 6. - Replacing SSL certificates with custom VMCA - 4
  7. I am not going to bore you to death by approving all certificates and documenting it. Check my earlier post where I did it – How to replace VMware ESXi 6.* SSL certificate.
  8. Once certificate is signed and saved to local disk we return to certificate-manager tool to replace certificates. Click 1 and hit Enter.
    vCenter Server 6. - Replacing SSL certificates with custom VMCA - 5
  9. As requested provide path to certificate, certificate signing request and root certificate authority certificate. Hit Enter and select Y to continue operation of replacing machine_ssl certificate.
    vCenter Server 6. - Replacing SSL certificates with custom VMCA - 6a
  10. Certificate manager will replace machine_ssl certificate and restart vCenter Server services. It takes a while to do it so do not worry. If everything was configured correctly operation will succeed.
    vCenter Server 6. - Replacing SSL certificates with custom VMCA - 7

Replacing vCenter Server solution user certificates (machine, vpxd, vpxd-extension, vsphere-webclient)

We will continue with replacement of other certificates.

  1. Start certificate manager and select option 5 – Replace Solution user certificates with Custom Certificate.
    vCenter Server 6. - Replacing SSL certificates with custom VMCA - 8
  2. Provide valid SSO password and hit Enter.
    vCenter Server 6. - Replacing SSL certificates with custom VMCA - 9
  3. Select option 1 to generate CSRs and provide directory location where CSRs will be saved.
    vCenter Server 6. - Replacing SSL certificates with custom VMCA - 10
  4. Sign all CSRs in your certificate authority – see How to replace VMware ESXi 6.* SSL certificate link.
  5. Once signed we can start to replace all solution user certificates.
    vCenter Server 6. - Replacing SSL certificates with custom VMCA - 11
  6. Return to certificate manager and choose option 1 to continue certificate replacement. Provide path to all certificates, private keys and root certificate authority certificate.
    vCenter Server 6. - Replacing SSL certificates with custom VMCA - 12
  7. Hit Enter and select Y to continue. vCenter Server solution user certificates will be stopped and vCenter Server services will be restarted. Once completed we finished our task to replace vCenter Server SSL certificates.
    vCenter Server 6. - Replacing SSL certificates with custom VMCA - 13
  8. To check if certificate was replaced successfully simply check certificate in vSphere Web Client.
    vCenter Server 6. - Replacing SSL certificates with custom VMCA - 14

Additional tasks

One of the most important things to change right after replacing certificates is to change vCenter Server certificate mode from default vmca to custom. In order to do that follow VMware documentation: Change the Certificate Mode. If you will not change it you will have problems with High Availability – in short words, vCenter Server will not trust your ESXi hotsts SSL thumbprints and HA will not work.

This is what you will see in HA information field.
vCenter Server 6. - Replacing SSL certificates with custom VMCA - 15

From my experience there are several things that you have to be really careful about:

  • Correct template of certificate in your certificate authoriy
  • Certificate authority can’t overwrite any field in certificate. If it will be done vCenter Services will not start properly.
  • You will not see vsphere-webclient certificate SSL certificate browser. This is ok – by design machine_ssl certificate is used as reverse proxy. Read more: Where vSphere 6.0 Uses Certificates.

Rate this post
Wojciech Marusiak
Social Media

Wojciech Marusiak

Consultant at VMware Global, Inc.
I am innovative and experienced VMware and Windows Server Engineer with over 10 years in the IT industry specializing in VMware virtualization and Microsoft Server environment.

My experience and skills has been proven by leading vendor certifications like VMware Certified Advanced Professional 5 – Data Center Administration, VMware Certified Advanced Professional 5 – Data Center Design, VMware Certified Professional 6 - Data Center Virtualization, VMware Certified Professional 6 - Network Virtualization, Microsoft MCITP Server Administrator, ITIL V3, VMware vExpert 2014, 2015, 2016 and 2017 Award.

My blog wojcieh.net - was voted #50 in TopvBlog 2016 contest!
Wojciech Marusiak
Social Media