
VMware/vSphere: Change Certificate with self-signed

1.) Enable WinSCP access to the vCenter appliance

  • Log in to the vCenter Appliance through PuTTY
  • On the CLI, enter shell
  • Run chsh -s /bin/bash root = ENABLES bash for WinSCP (otherwise WinSCP shows an error message) | chsh -s /bin/appliancesh root = DISABLES bash again

2.) Add the certificate chain from your CA to the trusted certificate store of the vCenter Appliance

  • Open your CA root and your CA intermediate cert in Notepad
  • Create a new file named, for example, Fullchain.cer
  • Insert the values from your CA root and CA intermediate cert: first the CA root, and directly after it the intermediate.
  • Save this file and transfer it to your VMware vCenter Appliance, for example to /tmp/
  • Connect to the vSphere appliance through PuTTY
  • Publish the newly created Fullchain.cer to the VMware trusted store: /usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --chain --cert /tmp/Fullchain.cer

3.) Generate a CSR

  • Log in to the vCenter Appliance through PuTTY
  • On the CLI, enter shell
  • Run /usr/lib/vmware-vmca/bin/certificate-manager
  • Option 1 (Replace Machine SSL certificate with Custom Certificate)
  • Enter the username and password of the Administrator@vsphere.local account
  • Option 1 (Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate)
  • Specify the output directory, for example /tmp/
  • Specify the other certificate options (Name: FQDN of the vCenter server; country; organization; orgunit; state; locality; ipaddress, which you can leave empty; email, which you can leave empty; hostname: FQDN of the vCenter server; VMCA Name: FQDN of the vCenter server)
  • A CSR and a key file (vmca_issued_csr.csr and vmca_issued_key.key) are now generated under /tmp/
  • Transfer the CSR to your CA and issue a certificate from it, for example as vcenter.cer

4.) Import the certificate into the vCenter Appliance

  • Transfer this certificate to the vCenter appliance, for example into the /tmp/ directory.
  • Transfer your root CA certificate (example: RootCA.cer) to the vCenter appliance, for example into the /tmp/ directory.
  • /tmp/ should now contain four files:
      • Fullchain.cer, created in step 2, which contains the whole certificate chain
      • vcenter.cer, the newly issued certificate you have just transferred
      • vmca_issued_key.key, which was created together with the CSR
      • your transferred root CA certificate (RootCA.cer)
  • Log in to the vCenter Appliance through PuTTY
  • On the CLI, enter shell
  • Run /usr/lib/vmware-vmca/bin/certificate-manager
  • Option 1 (Replace Machine SSL certificate with Custom Certificate)
  • Enter the username and password of the Administrator@vsphere.local account
  • Option 2 (Import custom certificate(s) and key(s) to replace existing Machine SSL certificate)
  • Provide custom certificate: /tmp/vcenter.cer
  • Provide custom key: /tmp/vmca_issued_key.key
  • Provide the signing certificate: /tmp/RootCA.cer
  • You are going to replace Machine SSL cert using custom cert. Continue operation: Y

The operation takes a little while to complete; at the end you should see the message: Status: 100% Completed [All tasks completed successfully].

If you see this, open your vCenter appliance in the browser through the configured URL; you should no longer get a certificate error.
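Before starting the import in step 4, a quick check of the four files staged in /tmp catches the most common mistakes: the chain in the wrong order, the END line of one block fused with the BEGIN line of the next, or a key that does not belong to the issued certificate. The script below is an added example, not from the article or from VMware; it assumes the file names used above, uses IntermediateCA.cer as a placeholder name for the intermediate CA certificate, and assumes openssl is available on the appliance shell.

```bash
#!/bin/bash
# Pre-import checks for the four files staged in /tmp (added example, not from the
# article or VMware). File names follow the article; IntermediateCA.cer is a
# placeholder for the intermediate CA certificate (optional).

# Append one PEM file to another, ensuring a newline separates blocks: a root file
# without a trailing newline would otherwise fuse its END line with the next BEGIN.
append_pem() {  # src dst
    cat "$1" >> "$2"
    if [ -n "$(tail -c1 "$2")" ]; then echo >> "$2"; fi
}
# Build Fullchain.cer as step 2 describes: root first, intermediate directly after.
# An empty intermediate argument yields a root-only chain file.
build_fullchain() {  # root.cer intermediate.cer|"" Fullchain.cer
    : > "$3"
    append_pem "$1" "$3"
    if [ -n "$2" ] && [ -s "$2" ]; then append_pem "$2" "$3"; fi
}
# Number of PEM certificate blocks in a file.
count_pem_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }
# Succeeds when the first block is self-signed (subject hash == issuer hash),
# i.e. the root really comes first as the article requires.
root_is_first() {  # Fullchain.cer
    local first
    first=$(awk '/-----BEGIN CERTIFICATE-----/{n++} n==1' "$1")
    [ "$(printf '%s\n' "$first" | openssl x509 -noout -subject_hash)" = \
      "$(printf '%s\n' "$first" | openssl x509 -noout -issuer_hash)" ]
}
# Succeeds when the public key in vcenter.cer matches the key generated in step 3,
# so certificate-manager is not given a certificate and key that do not belong together.
key_matches_cert() {  # vcenter.cer vmca_issued_key.key
    [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}
# Succeeds when vcenter.cer chains to the CA certificates in Fullchain.cer.
cert_chains_to_ca() {  # vcenter.cer Fullchain.cer
    openssl verify -CAfile "$2" "$1" > /dev/null 2>&1
}
# Run all checks on a staging directory; returns 0 only if every check passes.
preflight() {  # dir
    local d=$1 rc=0
    [ "$(count_pem_certs "$d/Fullchain.cer")" -ge 1 ] || { echo "Fullchain.cer: no PEM blocks"; rc=1; }
    root_is_first "$d/Fullchain.cer" || { echo "Fullchain.cer: first block is not a self-signed root"; rc=1; }
    key_matches_cert "$d/vcenter.cer" "$d/vmca_issued_key.key" || { echo "vmca_issued_key.key does not match vcenter.cer"; rc=1; }
    cert_chains_to_ca "$d/vcenter.cer" "$d/Fullchain.cer" || { echo "vcenter.cer does not verify against Fullchain.cer"; rc=1; }
    return $rc
}
# On the appliance, after staging the files and before the import in step 4:
# build_fullchain /tmp/RootCA.cer /tmp/IntermediateCA.cer /tmp/Fullchain.cer && preflight /tmp
```

If preflight reports a problem, fix the staged files first; certificate-manager would otherwise fail part-way through the replacement and the services would need to be repaired afterwards.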

This site helped me: https://vmarena.com/replace-vcsa-6-7-certificate-vmca-by-an-adcs-signed-certificate/