The vSphere Certificate Manager Utility is a command-line utility that allows for most certificate management tasks to be performed interactively by the administrator. The utility prompts for which task to perform, for any additional information, and then automatically stops and starts services, ultimately replacing the certificates.
Regenerating a new VMCA root certificate and replacing all certificates is useful when the certificates have expired or been compromised and new certificates need to be issued to the different vSphere components.
To begin:

1. Run /usr/lib/vmware-vmca/bin/certificate-manager (for a Windows vCenter Server, this is located at C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager) and press Enter.
2. Select option 4, Regenerate a new VMCA Root Certificate and replace all certificates, by pressing 4 and then Enter. (Optionally, option 8, Reset all Certificates, may also be chosen.)
3. Enter the administrator ([email protected]) password (this is defined during installation).
4. Enter the values for the certool.cfg file when prompted:

   Enter proper value for 'Country' [Previous value: US]:
   Enter proper value for 'Name' [Previous value: Acme]:
   Enter proper value for 'Organization' [Previous value: AcmeOrg]:
   Enter proper value for 'OrgUnit' [Previous value: AcmeOrg Engineering]:
   Enter proper value for 'State' [Previous value: California]:
   Enter proper value for 'Locality' [Previous value: Palo Alto]:
   Enter proper value for 'IPAddress' [optional]:
   Enter proper value for 'Email' [Previous value: [email protected]]:
   Enter proper value for 'Hostname' [Enter valid Fully Qualified Domain Name (FQDN), For Example : example.domain.com]:

5. Press Y to confirm the request in order to proceed.
The completion of this task will result in a replacement of the VMCA root certificate with a new certificate and newly issued replacement certificates for each of the solution users.
This section covers configuring the VMCA as a subordinate certificate authority. The procedure has the VMCA import a root signing certificate issued by a trusted enterprise root CA, thereby making the VMCA a subordinate CA of the enterprise root CA.
To begin this process:

1. Run /usr/lib/vmware-vmca/bin/certificate-manager (for a Windows vCenter Server, this is located at C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager) and press Enter.
2. Select option 2, Replace VMCA Root certificate with Custom Signing Certificate and replace all Certificates, by pressing 2 and then Enter.
3. Enter the administrator ([email protected]) password.
4. Select 1. Generate Certificate Signing Request(s) and Key(s) for VMCA Root Signing certificate. This generates the private key (the .key file) and the certificate signing request (the .csr file). The .csr file is what the certificate authority needs in order to issue a certificate.
5. When prompted for the output directory, enter /cert/ (a custom-made directory for this specific purpose).
6. Wait for Done running command, as demonstrated in the previous screenshot. Minimize, but do not close, this session as it will be used again later.
7. The /cert/ directory now contains the .csr and .key files. Copy the .csr file to a directory on your desktop. Leave the .key file where it is, as it will be needed later on.
8. Browse to https://<CA FQDN>/certsrv and click on the Request a certificate link.
9. Open the .csr file using Notepad or a similar application and copy its contents. The contents of a .csr file are demonstrated in the following screenshot.
10. Paste the contents of the .csr file into the Base-64-encoded certificate request (CMC or PKCS #10 or PKCS #7) section. Under the Certificate Template section, select the dropdown and choose the Subordinate Certification Authority option. No attributes should be added. Click on the Submit button when finished.
11. Build a single .cer file from the issued certificate and the root CA certificate: first, copy the contents of the certificate that was just downloaded and then follow it with the root CA certificate contents. Save this file as root_signing_chain.cer or something similar; just ensure that .cer is the file extension. An example of this is demonstrated in the following screenshot.
12. Back in the certificate-manager session, select the 1. Continue to importing Custom certification(s) and key(s) for VMCA Root Signing certificate option and hit Enter.
13. Provide the paths to the .cer and .key files. Enter Y to replace the certificates.
14. Enter the values for the certool.cfg file when prompted.
15. The new certificate can be inspected by browsing to https://<PSC FQDN>/websso/. From here, open the certificate properties for the site by clicking on the lock icon at the top of the navigation bar.
Security policy may require the vSphere components to use certificates signed by a CA other than the VMCA. The Certificate Manager Utility can be used to replace the solution user certificates.
To get started:

1. Run /usr/lib/vmware-vmca/bin/certificate-manager (for a Windows vCenter Server, this is located at C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager) and press Enter.
2. Select option 5, Replace Solution user certificates with Custom Certificate, by pressing 5 and then Enter.
3. Enter the administrator ([email protected]) password.
4. Select 1. Generate Certificate Signing Request(s) and Key(s) for Solution User Certificates by pressing 1 and then Enter.
5. When prompted for the output directory, enter /cert/. Wait for Done running command.
6. Browse to the CA's web enrollment page (https://<CA FQDN>/certsrv). To begin, select Or, submit an advanced certificate request.
7. Open a .csr file. In the following example, machine.csr was opened in Notepad. Select all and copy the contents of this file, as it will be used in the certificate request.
8. Paste the contents of the .csr file into the section labeled Base-64-encoded certificate request (CMC or PKCS #10 or PKCS #7). Leave all attributes as default.
9. Save the issued certificate with a .cer extension.
10. Copy the .cer files into a directory accessible by the PSC.
11. Back in the certificate-manager utility, select 1. Continue to importing Custom certificate(s) and key(s) for Solution User Certificates by pressing 1 and then Enter. Provide the path to each certificate and key when prompted:

Please provide valid custom certificate for solution user store: machine
File: /tmp/ssl/machine.cer
Please provide valid custom key for solution user store: machine
File: /tmp/ssl/machine.key
Please provide valid custom certificate for solution user store: vpxd
File: /tmp/ssl/vpxd.cer
Please provide valid custom key for solution user store: vpxd
File: /tmp/ssl/vpxd.key
Please provide valid custom certificate for solution user store: vpxd-extension
File: /tmp/ssl/vpxd-extension.cer
Please provide valid custom key for solution user store: vpxd-extension
File: /tmp/ssl/vpxd-extension.key
Please provide valid custom certificate for solution user store: vsphere-webclient
File: /tmp/ssl/vsphere-webclient.cer
Please provide valid custom key for solution user store: vsphere-webclient
File: /tmp/ssl/vsphere-webclient.key
Please provide the signing certificate of the Solution User Certificates
File: /tmp/ssl/Root64.cer
Once this has finished, the ESX agent manager must be updated.
For more information see VMware KB 2112577 at http://bit.ly/2cN8SXS.
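Both procedures above hand certificate-manager files that were assembled by hand (the root_signing_chain.cer built for the subordinate CA, and the per-solution-user .cer files paired with their .key files and Root64.cer), and the utility stops and restarts services as part of the replacement, so it is worth checking the files first: that the first certificate in a file belongs to the private key, that it was issued from the intended template (CA:TRUE only for the VMCA signing certificate), and that it chains to the root. The following shell function is an added example, not part of the original text or of VMware's tooling; it assumes the openssl command-line tool is installed, and every file name in it is an assumption.

```shell
# Added example (not VMware's code): verify an issued certificate against its
# private key and its CA chain before importing it with certificate-manager.
# Assumes the openssl CLI is installed; all file names below are assumptions.
#   check_issued_cert /cert/root_signing_chain.cer /cert/vmca.key ca
#   check_issued_cert /tmp/ssl/vpxd.cer /tmp/ssl/vpxd.key user /tmp/ssl/Root64.cer

# Print the n-th PEM certificate (1-based) found in a file.
nth_cert() {
  awk -v n="$2" '/-----BEGIN CERTIFICATE-----/ {c++}
                 c==n {print}
                 /-----END CERTIFICATE-----/ {if (c==n) exit}' "$1"
}

# check_issued_cert <cert or bundle> <key> <ca|user> [extra CA file]
# The first certificate in the file is the issued one; any further certificates
# in it, plus the optional CA file, are treated as its issuers. Returns 0 only
# when the key matches, the CA flag fits the kind, and the chain validates.
check_issued_cert() {
  cert=$1; key=$2; kind=$3; cafile=$4
  tmp=$(mktemp -d) || return 1
  nth_cert "$cert" 1 > "$tmp/issued.pem"
  count=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$cert" || true)
  i=2; : > "$tmp/issuers.pem"
  while [ "$i" -le "$count" ]; do
    nth_cert "$cert" "$i" >> "$tmp/issuers.pem"; i=$((i + 1))
  done
  if [ -n "$cafile" ]; then cat "$cafile" >> "$tmp/issuers.pem"; fi
  # (1) the public key in the certificate must equal the public part of the key
  cert_pub=$(openssl x509 -in "$tmp/issued.pem" -noout -pubkey | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl dgst -sha256)
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "$cert: first certificate does not match $key (wrong order or wrong file?)"
    rm -rf "$tmp"; return 1
  fi
  # (2) CA:TRUE is required for the VMCA signing certificate and forbidden otherwise
  if openssl x509 -in "$tmp/issued.pem" -noout -text | grep -q 'CA:TRUE'; then is_ca=yes; else is_ca=no; fi
  if [ "$kind" = ca ]; then want=yes; else want=no; fi
  if [ "$is_ca" != "$want" ]; then
    echo "$cert: CA flag does not fit '$kind'; was the right certificate template chosen?"
    rm -rf "$tmp"; return 1
  fi
  # (3) the issuers must chain the issued certificate up to a self-signed root
  if ! openssl verify -CAfile "$tmp/issuers.pem" "$tmp/issued.pem" >/dev/null 2>&1; then
    echo "$cert: does not validate against the supplied CA certificates"
    rm -rf "$tmp"; return 1
  fi
  rm -rf "$tmp"; echo "OK: $cert"
}
```

A non-zero exit with the printed reason means the file should be rebuilt or re-requested before the import step is run.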