Process to Update the Machine SSL certificate or generate a certificate signing request:
Note: In vSphere vCenter 7.x you can also update the Machine SSL certificate or generate a certificate signing request from the user interface: go to Menu > Administration > Certificates > Certificate Management, then in the Machine SSL Certificate section open the Actions pull-down menu. For more information, refer to Managing Certificates with the vSphere Client (VMware documentation).
Note: On Windows, you must be logged in as an administrator, or use "Run as Administrator" if User Account Control (UAC) is enabled.
To launch the vSphere Certificate Manager, execute the following command:
- Windows vCenter Server: C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager
- vCenter Server Appliance: /usr/lib/vmware-vmca/bin/certificate-manager
When you run the certificate-manager command, you are presented with the 8 options listed below, as shown in the screenshots for Windows and the appliance respectively.
Details of the Options:

Option 1: Replace the Machine SSL certificate with a Custom CA Certificate. This option provides a sub-option to generate Certificate Signing Request(s) and Key(s) for the Machine SSL certificate.
Required information:
- administrator@vsphere.local password
- Path to the custom Certificate and Key for the Machine SSL certificate
- Path to the custom CA certificate that signed it (the VMCA Root replacement; include the full chain if an intermediate CA issued the Machine SSL certificate)

Option 2: Replace the VMCA Root certificate with a Custom CA Signing Certificate and replace all certificates. This option provides a sub-option to generate Certificate Signing Request(s) and Key(s) for the VMCA Root Signing certificate.
Required information:
- administrator@vsphere.local password
- Path to the custom CA Signing Certificate and Key that VMCA will use as its root
Optional information:
- Do you wish to replace all Solution User certificates with custom CA?
  - YES: Paths to the custom Certificates and Keys for the Solution Users (vpxd, vpxd-extension, vsphere-webclient, machine). Note: You can also perform this step later using Option 5.
  - NO: VMCA will generate new Certificates/Keys for the Solution Users using the provided Custom CA Signing Certificate. Note: You can also perform this step later using Option 6.
- Do you wish to replace the Machine SSL Certificate with custom CA?
  - YES: Path to the custom Certificate and Key for the Machine SSL certificate. Note: You can also perform this step later using Option 1.
  - NO: VMCA will generate a new Certificate/Key for the Machine SSL certificate using the provided Custom CA Signing Certificate. Note: You can also perform this step later using Option 3.

Option 3: Replace the Machine SSL certificate with a VMCA Generated Certificate.
Required information:
- administrator@vsphere.local password
- Configure the certool.cfg file (used by VMCA when generating certificates)

Option 4: Regenerate a new default VMCA Root Certificate and replace all certificates.
Required information:
- administrator@vsphere.local password
- Configure the certool.cfg file (used by VMCA when generating certificates)

Option 5: Replace the Solution User certificates with Custom CA certificates.
Required information:
- administrator@vsphere.local password
- Path to the custom Root CA Certificate
- Path to the custom Certificate and Key for the vpxd Solution User
- Path to the custom Certificate and Key for the vpxd-extension Solution User
- Path to the custom Certificate and Key for the vsphere-webclient Solution User
- Path to the custom Certificate and Key for the machine Solution User
- If vCenter Server is 7.0, the path to the custom Certificate and Key for the hvc and wcp Solution Users

Option 6: Replace the Solution User certificates with VMCA generated certificates.
Required information:
- administrator@vsphere.local password

Option 7: Revert the last performed operation by re-publishing the old certificates.
Required information:
- administrator@vsphere.local password

Option 8: Reset all certificates.
Required information:
- administrator@vsphere.local password
- Configure the certool.cfg file (used by VMCA when generating certificates)
Note 1: If you are replacing the Machine SSL certificate on vCenter Server Appliance 6.x, the VMware Appliance Management Interface (VAMI, accessed through port 5480) certificate is not updated automatically. Follow VMware KB 2136693 to make VAMI on VCSA 6.x use the new certificate.
Note 2: certool.cfg is located at:
- Windows vCenter Server: C:\Program Files\VMware\vCenter Server\vmcad\certool.cfg
- vCenter Server Appliance: /usr/lib/vmware-vmca/share/config/certool.cfg
- External Platform Services Controller Appliance (external PSC): /usr/lib/vmware-vmca/share/config/certool.cfg
The default configuration of certool.cfg is shown in the screenshot. Set Hostname to the vCenter PNID before running any option that has VMCA generate certificates, so the name in the issued certificates matches the name clients connect to.
If the PNID on the vCenter is unknown, it can be obtained with this command for Windows or the VCSA respectively:
- Windows vCenter Server 6.x:
"C:\Program Files\VMware\vCenter Server\vmafdd\vmafd-cli.exe" get-pnid --server-name localhost
- vCenter Server Appliance 6.x/7.x:
/usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost
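The certool.cfg preparation and the VAMI caveat of Note 1, as an added shell example (written for this page, not VMware's code): it reads the PNID, rewrites certool.cfg with the default layout and Hostname set to that PNID, and after certificate-manager has run compares the certificate presented on 443 with the one on 5480. The vmafd-cli and certool.cfg paths are the appliance paths from this page; the CERTOOL_CFG override, the organisation values and the hostname-based fallback are assumptions of this example, and the network check needs reachability to the vCenter.

```shell
#!/bin/sh
# Added example, not part of the VMware KB. Prepares certool.cfg from the
# vCenter PNID before certificate-manager option 2, 3, 4 or 8, and checks
# afterwards that the Machine SSL (443) and VAMI (5480) certificates match.
# Assumptions of this example: CERTOOL_CFG may be overridden (e.g. for a dry
# run in a temp dir) and the organisation values are placeholders to replace.

CERTOOL_CFG="${CERTOOL_CFG:-/usr/lib/vmware-vmca/share/config/certool.cfg}"
VMAFD_CLI="/usr/lib/vmware-vmafd/bin/vmafd-cli"

# Print the PNID with the same command the KB gives; off-box (no vmafd-cli)
# fall back to the local FQDN so the script still runs for review.
get_pnid() {
    if [ -x "$VMAFD_CLI" ]; then
        "$VMAFD_CLI" get-pnid --server-name localhost
    else
        hostname -f
    fi
}

# certool accepts only a two-letter country code.
validate_country() {
    case "$1" in
        [A-Z][A-Z]) return 0 ;;
        *) return 1 ;;
    esac
}

# write_certool_cfg PNID IP COUNTRY NAME ORG ORGUNIT STATE LOCALITY EMAIL
# Backs up an existing certool.cfg, then writes the default layout with
# Hostname set to the PNID so the name in VMCA-issued certificates matches
# the name clients actually connect to.
write_certool_cfg() {
    pnid=$1; ip=$2; country=$3; name=$4; org=$5; ou=$6; state=$7; locality=$8; email=$9
    [ -n "$pnid" ] || { echo "write_certool_cfg: empty PNID" >&2; return 1; }
    validate_country "$country" || { echo "write_certool_cfg: Country must be two uppercase letters" >&2; return 1; }
    if [ -f "$CERTOOL_CFG" ]; then
        cp -p "$CERTOOL_CFG" "$CERTOOL_CFG.bak.$(date +%Y%m%d%H%M%S)" || return 1
    fi
    cat > "$CERTOOL_CFG" <<EOF
#
# Template file for a CSR request
#

# Country is needed and has to be 2 characters
Country = $country
Name = $name
Organization = $org
OrgUnit = $ou
State = $state
Locality = $locality
IPAddress = $ip
Email = $email
Hostname = $pnid
EOF
}

# cfg_value KEY: read one setting back from certool.cfg to verify the write.
cfg_value() {
    sed -n "s/^$1 = //p" "$CERTOOL_CFG"
}

# served_fingerprint HOST PORT: SHA-256 fingerprint of the leaf certificate a
# TLS endpoint presents (empty if the connection fails). Needs network access.
served_fingerprint() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# vami_matches_machine_ssl HOST: succeed only if 443 (Machine SSL) and 5480
# (VAMI) present the same certificate. A mismatch after option 1 or 3 on a
# VCSA 6.x means the extra step from KB 2136693 is still required.
vami_matches_machine_ssl() {
    a=$(served_fingerprint "$1" 443)
    b=$(served_fingerprint "$1" 5480)
    [ -n "$a" ] && [ "$a" = "$b" ]
}
```

On the appliance, run `write_certool_cfg "$(get_pnid)" <ip> US CA "Your Org" "Your OU" State City you@example.com` before launching certificate-manager, then `vami_matches_machine_ssl "$(get_pnid)"` from a workstation afterwards; an exit status of 1 means the two endpoints disagree.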