Replacing default certificates with CA signed SSL certificates in vSphere 6.x
Article ID: 343739

Products

VMware vCenter Server

Issue/Introduction

This article provides information on implementing Certificate Authority (CA) signed SSL certificates in a vSphere 6.x environment. VMware has pre-packaged the vSphere Certificate Manager utility to automate the replacement process. For more information, see these articles before proceeding:
Note: This article is specifically for vSphere 6.x. For earlier versions, use these links:


Environment

VMware vCenter Server Appliance 6.0.x
VMware vCenter Server 6.0.x
VMware vCenter Server Appliance 6.5.x
VMware vCenter Server 6.5.x

Resolution

VMware has greatly reduced the complexity by implementing the VMware Certificate Authority (VMCA) and the VMware Endpoint Certificate Store (VECS). For more information about the VMCA and VECS, see these articles:
This article provides links to the documentation that guides you through configuring certificates on the vSphere components in an environment. It assumes that all components are installed and currently running with VMware-signed or third-party CA-signed certificates.

Note: VMware does not support the use of wildcard certificates.

Ensure that you validate each step given here. Each step provides instructions or a link to a document that provides information on configuring the certificates in your environment.

Core vSphere components

The vSphere Certificate Manager utility provides all workflows to replace or regenerate the Machine SSL Certificate, Solution User Certificates and the VMCA Root Signing Certificate on the vCenter Server and Platform Services Controller. For more information, see Understanding and using vSphere 6.x Certificate Manager (2097936).

With this release, VMware provides two ways to implement third-party CA-signed certificates. Customers may keep the VMCA of the Platform Services Controller and replace its signing certificate with one issued by their own Public Key Infrastructure (PKI), so that the VMCA acts as a subordinate CA for their vSphere environment. Alternatively, customers may bypass the VMCA and replace the certificates directly with certificates issued by their own PKI.
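To tell which of these two approaches a running deployment actually ended up with, and to catch the unsupported wildcard case from the note above, here is an added shell example (not VMware's tooling and not part of this article). It assumes the served Machine SSL certificate and its issuing CA certificate have been saved as PEM files, and that a default VMCA carries the subject CN=CA, DC=vsphere, DC=local, which is an assumption rather than something this article states.

```shell
#!/bin/sh
# Added example, not part of the KB: classify how a vSphere 6.x Machine SSL
# certificate was issued (the two approaches described above) and flag
# wildcard names, which the KB says VMware does not support.
# Assumptions: the served leaf certificate and its issuing CA certificate have
# been saved as PEM files (for example from `openssl s_client -showcerts`),
# and a default VMCA carries the subject CN=CA, DC=vsphere, DC=local
# (assumed naming, not stated in the KB).

# Print the subject or issuer DN of a PEM cert without the "subject="/"issuer="
# prefix, so the two DNs can be compared as strings.
dn_of() { openssl x509 -in "$1" -noout "-$2" | sed 's/^[a-z]*= *//'; }

# True when a DN looks like the default VMCA root (assumed naming).
is_vmca_dn() { echo "$1" | grep -Eq 'CN ?= ?CA[,/].*DC ?= ?vsphere'; }

# Print 1 if the certificate carries a wildcard in its subject CN or in a DNS
# SAN, otherwise 0. Only the Subject and DNS lines of the decoded cert count.
cert_has_wildcard() {
  if openssl x509 -in "$1" -noout -text \
      | grep -E '^ *Subject:|DNS:' | grep -q '\*\.'; then
    echo 1
  else
    echo 0
  fi
}

# Print one of:
#   vmca-subordinate  leaf issued by the VMCA, VMCA issued by an external CA
#   vmca-self-signed  leaf issued by the VMCA, VMCA is its own root (default)
#   custom-ca         leaf issued directly by a non-VMCA CA (VMCA bypassed)
#   chain-mismatch    issuer file does not name the leaf's issuer (exit 1)
classify_chain() {
  leaf_issuer=$(dn_of "$1" issuer)
  ca_subject=$(dn_of "$2" subject)
  ca_issuer=$(dn_of "$2" issuer)
  if [ "$leaf_issuer" != "$ca_subject" ]; then
    echo chain-mismatch
    return 1
  fi
  if is_vmca_dn "$leaf_issuer"; then
    if [ "$ca_subject" = "$ca_issuer" ]; then
      echo vmca-self-signed
    else
      echo vmca-subordinate
    fi
  else
    echo custom-ca
  fi
}
```

The DN comparison only pairs the two files by name; verify the signature itself separately with `openssl verify` against your trust store.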

Replacing Certificates without using VMCA of the Platform Services Controller

For more information, see:

  1. Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.x (2112009)
  2. Obtaining vSphere certificates from a Microsoft Certificate Authority (2112014)
  3. Replacing a vSphere 6.x Machine SSL certificate with a Custom Certificate Authority Signed Certificate (2112277)
  4. Replacing the vSphere 6.x Solution Users certificates with a Custom Certificate Authority signed certificates (2112278)
  5. After replacing the vCenter Server certificates in VMware vSphere 6.x, the ESX Agent Manager solution user fails to log in (2112577)
  6. vCenter Server certificate validation error in VMware vCenter Site Recovery Manager and other solutions that run on a separate system (2109074)

Replacing VMCA of the Platform Services Controller with a Subordinate Certificate Authority Certificate

For more information, see:

  1. Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.x (2112009)
  2. Configuring the vSphere 6.0 U1b or later VMware Certificate Authority as a Subordinate Certificate Authority (2147542)
  3. Obtaining vSphere certificates from a Microsoft Certificate Authority (2112014)
  4. Replacing the vSphere 6.x Machine SSL certificate with a VMware Certificate Authority issued certificate (2112279)
  5. Replacing the vSphere 6.x Solution User certificates with VMware Certificate Authority issued certificates (2112281)
  6. After replacing the VMware vCenter Server certificates in VMware vSphere 6.x, the VMware vSphere Auto Deploy solution user fails to log in (2123631)
  7. vCenter Server certificate validation error in VMware vCenter Site Recovery Manager and other solutions that run on a separate system (2109074)
  8. Adding a VMware vSphere ESXi host to VMware vCenter Server 6.x fails with the error: Signed certificate could not be retrieved due to a start time error (2123386)
Note: After the SSL certificates on the Platform Services Controller have been replaced, the vCenter Server installer still reports VMware-signed certificates during installation. This is expected behavior. For more information, see Installing or upgrading vCenter Server 6.x using an external Platform Service Controller prompts the user to accept the Platform Services Controller Certificate (2111574).

Regenerating certificates issued by the VMCA of the Platform Services Controller

For more information, see:


Peripheral vSphere components

Replace the vSphere Update Manager certificates. For more information, see Configuring CA signed SSL certificates for vSphere Update Manager in vCenter Server 5.1 and 5.5 (2037581).


Additional Information

For more information, see the Using the vSphere Certificate Manager Utility section in the vSphere Security guide for vSphere 6.0 and these articles:

  • Replace Machine SSL Certificate with Custom Certificate section in the vSphere Security guide
  • Replace Solution User Certificates with Custom Certificates section in the vSphere Security guide
  • Certificate Replacement in Large Deployments section in the vSphere Security guide
  • Managing Certificate Revocation section in the vSphere Security guide
For customers seeking to clear the browser warning within their vSphere 6.0 environment, but want to forgo replacing their certificates, see How to download and install vCenter Server root certificates to avoid Web Browser certificate warnings (2108294).
Implementing CA signed SSL certificates with vSphere 5.0
Implementing CA signed SSL certificates with vSphere 5.x
Configuring CA signed SSL certificates for vSphere Update Manager in vCenter Server 5.1 and 5.5
How to use vSphere 6.x Certificate Manager
How to download and install vCenter Server root certificates to avoid Web Browser certificate warnings
vCenter Server or Platform Services Controller certificate validation error for external VMware Solutions in vSphere 6.0
Installing or upgrading vCenter Server 6.0 using an external Platform Service Controller prompts the user to accept the Platform Services Controller Certificate
Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.0
Obtaining vSphere certificates from a Microsoft Certificate Authority
Configuring the vSphere 6.0 U1 or earlier VMware Certificate Authority as a Subordinate Certificate Authority
Replacing a vSphere 6.x Machine SSL certificate with a Custom Certificate Authority Signed Certificate
How to replace the vSphere 6.0 Solution User certs with CA signed certs
Replacing the vSphere 6.0 Machine SSL certificate with a VMware Certificate Authority issued certificate
How to replace the vSphere 6.0 Solution User certs with VMCA issued certs
How to regenerate vSphere 6.x certificates using self-signed VMCA
ESX Agent Manager solution user fails to log in after replacing the vCenter Server certificates in vSphere 6.0
"Signed certificate could not be retrieved due to a start time error" when adding ESXi host to vCenter Server 6.0
After replacing the VMware vCenter Server certificates in VMware vSphere 6.0, the VMware vSphere Auto Deploy solution user fails to log in
Configuring the vSphere 6.0 U1b or later VMware Certificate Authority as a Subordinate Certificate Authority