Replacing a vSphere 6.x /7.x Machine SSL certificate with a Custom Certificate Authority Signed Certificate

Article ID: 316601

Products

VMware vCenter Server

Issue/Introduction

This article explains how to replace a VMware vSphere 6.x/7.x Machine SSL certificate with a Custom Certificate Authority (CA) Signed Certificate.

Notes:
  • If you have a vCenter Server with an embedded Platform Services Controller (PSC), there will be one Machine SSL certificate.
  • If you have a vCenter Server with an external Platform Services Controller, each machine will have its own Machine SSL certificate. Therefore, you must perform this task on each machine.
  • VMware does not support the use of wildcard certificates on the vCenter Server. Refer to Certificate Requirements for the Different Solution Paths.


Environment

VMware vCenter Server 7.0.x
VMware vCenter Server 6.x
VMware vCenter Server Appliance 6.7.x
VMware vCenter Server Appliance 6.5.x

Resolution

If you have not yet configured your Microsoft Certificate Authority, see Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.x/7.x (2112009).
 
To replace the Machine SSL certificate with the Custom CA certificate:
  1. Launch the VMware vSphere 6.x Certificate Manager:

    vCenter Server 6.x Appliance:
    /usr/lib/vmware-vmca/bin/certificate-manager

    Windows vCenter Server 6.x:
    C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager
    Note: You must be logged in as an administrator, or use "Run as Administrator" if User Account Control (UAC) is enabled.
  2. Select Option 1 (Replace Machine SSL certificate with Custom Certificate).
     
  3. Provide the administrator@vsphere.local password when prompted.
     
  4. Select Option 1 (Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate).
     
  5. Enter the directory in which you want to save the certificate signing request and the private key.

    Notes:
    • Use the following values when prompted for the CSR fields:
        Country      : Two uppercase letters only (for example, US); the country where your company is located.
        Name         : FQDN of the vCenter Server (this becomes the certificate's Subject Alternative Name).
        Organization : Company name.
        OrgUnit      : The name of your department within the organization, for example "IT".
        State        : The state/province where your company is located.
        Locality     : The city where your company is located.
        IPAddress    : IP address of the vCenter Server (optional).
        Email        : Email address.
        Hostname     : FQDN of the vCenter Server. This field accepts multiple entries separated by commas, for example: VCSA1.vsphere.local,vcsa1,192.168.0.51
        VMCA Name    : FQDN of the vCenter Server running VMCA (usually the external PSC, or the vCenter Server with an embedded PSC).
    • Make sure the Primary Network Identifier (PNID) matches the Hostname. To obtain the PNID, run the following command on the appliance or on Windows respectively:
        /usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost
        "C:\Program Files\VMware\vCenter Server\vmafdd\vmafd-cli.exe" get-pnid --server-name localhost
    • In vSphere 6.0 Update 3, enter the Host Name with the same case as in the previous Machine SSL certificate when generating the CSR.
    • The files created are named vmca_issued_csr.csr and vmca_issued_key.key.
  6. Provide the vmca_issued_csr.csr to your Certificate Authority to generate a Machine SSL Certificate, and name the resulting file machine_name_ssl.cer. For more information, see Obtaining vSphere certificates from a Microsoft Certificate Authority (2112014).

    Note: For more information on allowing WinSCP connections to a vCenter Server 6.x Appliance, see Error when uploading files to vCenter Server Appliance using WinSCP (2107727).
  7. Return to the vSphere 6.x Certificate Manager and select Option 1 (Continue to importing Custom certificate(s) and key(s) for Machine SSL certificate).

    Note: If you are using a chain of Intermediate CA and Root CA, see Replacing certificates using vSphere 6.0 Certificate Manager fails at 0% with the error: Operation failed, performing automatic rollback (2111571) before proceeding.
  8. Provide the full path to machine_name_ssl.cer, to vmca_issued_key.key from Step 5, and to the CA certificate Root64.cer.

    Note: If you have one or more intermediate certificate authorities, Root64.cer must be a chain of all intermediate CA and Root CA certificates, and machine_name_ssl.cer must contain the full chain: the machine certificate, followed by the intermediate CA certificate(s), followed by the root CA certificate.

    The machine_name_ssl.cer should be a complete chain file similar to:
    -----BEGIN CERTIFICATE-----
    MIIFxTCCBK2gAwIBAgIKYaLJSgAAAAAAITANBgkqhkiG9w0BAQUFADBGMRMwEQYK
    CZImiZPyLGQBGRYDbmV0MRYwFAYKCZImiZPyLGQBGRYGbW5uZXh0MRcwFQYDVQQD
    Ew5tbm5leHQtQUQtMS1DQTAeFw0xMzAyMDExNjAxMDNaFw0xNTAyMDExNjExMDNa <-----Certificate
    SMhYhbv3wr7XraAnsIaBYCeg+J7fKTFgjA8bTwC+dVTaOSXQuhnZfrOVxlfJ/Ydm
    NS7WBBBFd9V4FPyRDPER/QMVl+xyoaMGw0QKnslmq/JvID4FPd0/QD62RAsTntXI
    ATa+CS6MjloKFgRaGnKAAFPsrEeGjb2JgMOpIfbdx4KT3WkspsK3KPwFPoYza4ih
    4eT2HwhcUs4wo7X/XQd+CZjttoLsSyCk5tCmOGU6xLaE1s08R6sz9mM=
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIDZzCCAk+gAwIBAgIQNO7aLfykR4pE94tcRe0vyDANBgkqhkiG9w0BAQUFADBG
    K73RIKZaDkBOuUlRSIfgfovUFJrdwGtMWo3m4dpN7csQAjK/uixfJDVRG0nXk9pq
    GXaS5/YCv5B4q4T+j5pa2f+a61ygjN1YQRoZf2CHLe7Zq89Xv90nhPM4foWdNNkr <-----Intermediate Certificate
    /Esf1E6fnrItsXpIchQOmvQViis12YyUvwko2aidjVm9sML0ANiLJZSoQ9Zs/WGC
    TLqwbQm6tNyFB8c=
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIDZzCCAk+gAwIBAgIQNO7aLfykR4pE94tcRe0vyDANBgkqhkiG9w0BAQUFADBG
    K73RIKZaDkBOuUlRSIfgfovUFJrdwGtMWo3m4dpN7csQAjK/uixfJDVRG0nXk9pq
    GXaS5/YCv5B4q4T+j5pa2f+a61ygjN1YQRoZf2CHLe7Zq89Xv90nhPM4foWdNNkr <-----Root Certificate
    /Esf1E6fnrItsXpIchQOmvQViis12YyUvwko2aidjVm9sML0ANiLJZSoQ9Zs/WGC
    TLqwbQm6tNyFB8c=
    -----END CERTIFICATE-----

    For example:

    vCenter Server Appliance:
    Provide a valid custom certificate for Machine SSL.
    File : /tmp/ssl/machine_name_ssl.cer

    Provide a valid custom key for Machine SSL.
    File : /tmp/ssl/machine_name_ssl.key

    Provide the signing certificate of the Machine SSL certificate.
    File : /tmp/ssl/Root64.cer

    Windows vCenter Server:
    Provide a valid custom certificate for Machine SSL.
    File : C:\ssl\machine_name_ssl.cer

    Provide a valid custom key for Machine SSL.
    File : C:\ssl\machine_name_ssl.key

    Provide the signing certificate of the Machine SSL certificate.
    File : C:\ssl\Root64.cer
  9. Answer Yes (Y) to the confirmation request to proceed.

    Notes:
  • When Certificate Manager prompts for the VMCA Name, enter the name of the root CA certificate (that is, the Common Name of the issuing CA certificate).
  • This task replaces the Machine SSL Certificate with a Custom CA Signed Certificate.
  • This certificate is not issued by VMCA. It is issued by an external Certificate Authority.
  • If you are running an external Platform Services Controller (deprecated in 6.7.x), you will need to restart the services on the external vCenter Server 6.x and then proceed with replacing the Machine SSL certificate of the vCenter Server 6.x.
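Step 8 depends on machine_name_ssl.cer holding the chain in the order machine certificate, intermediate CA(s), root CA. The script below is an added example and is not VMware code or part of this article. It checks that order before Certificate Manager is run, using only the Python standard library: it splits the PEM file into certificates and compares each certificate's DER-encoded issuer Name against the next certificate's subject Name, and requires the last certificate to be self-signed. It does not verify signatures, validity dates or whether the key matches the certificate, so it complements rather than replaces an openssl verify. The sample chain it runs against is built by toy_cert_pem, a constructed placeholder-certificate builder whose names (vcsa1.vsphere.local, Example Issuing CA, Example Root CA) are assumptions.

```python
"""Pre-flight ordering check for a PEM chain file (added example, not VMware code)."""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der_blocks(pem_text):
    """Return the DER bytes of every CERTIFICATE block, in file order."""
    return [base64.b64decode("".join(body.split())) for body in PEM_RE.findall(pem_text)]


def _tlv(buf, pos):
    """Decode one DER tag/length header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes carry the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Return (tag, raw TLV bytes) for each element of a constructed value."""
    out, pos = [], start
    while pos < end:
        tag, _, vend = _tlv(buf, pos)
        out.append((tag, buf[pos:vend]))
        pos = vend
    return out


def issuer_and_subject(der):
    """Return the raw DER encodings of the issuer and subject Names of an X.509 certificate."""
    _, cert_start, _ = _tlv(der, 0)                  # Certificate ::= SEQUENCE
    _, tbs_start, tbs_end = _tlv(der, cert_start)    # tbsCertificate ::= SEQUENCE
    fields = _children(der, tbs_start, tbs_end)
    i = 1 if fields[0][0] == 0xA0 else 0             # optional [0] EXPLICIT version
    # after version: serialNumber, signature, issuer, validity, subject, ...
    return fields[i + 2][1], fields[i + 4][1]


def check_chain_order(pem_text):
    """Return a list of problems; an empty list means leaf -> intermediate(s) -> root."""
    certs = [issuer_and_subject(d) for d in pem_to_der_blocks(pem_text)]
    if len(certs) < 2:
        return ["expected the machine certificate plus at least one CA certificate"]
    problems = []
    for n in range(len(certs) - 1):
        if certs[n][0] != certs[n + 1][1]:           # issuer(n) must equal subject(n+1)
            problems.append(f"certificate {n} was not issued by certificate {n + 1}")
    if certs[-1][0] != certs[-1][1]:                 # root must be self-signed
        problems.append("last certificate is not a self-signed root")
    return problems


# --- constructed test data: structurally valid, unsigned placeholder certificates ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _name(cn):
    # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue (commonName 2.5.4.3, UTF8String)
    atv = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))


def toy_cert_pem(subject_cn, issuer_cn):
    """Build a placeholder certificate with a real tbsCertificate layout but a dummy key and signature."""
    sig_alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
    validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z"))
    spki = _der(0x30, sig_alg + _der(0x03, b"\x00\x00"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + sig_alg
               + _name(issuer_cn) + validity + _name(subject_cn) + spki)
    cert = _der(0x30, tbs + sig_alg + _der(0x03, b"\x00\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode() + "-----END CERTIFICATE-----\n"


LEAF = toy_cert_pem("vcsa1.vsphere.local", "Example Issuing CA")   # assumed names
INTER = toy_cert_pem("Example Issuing CA", "Example Root CA")
ROOT = toy_cert_pem("Example Root CA", "Example Root CA")
GOOD_CHAIN = LEAF + INTER + ROOT   # the order Step 8 expects
BAD_CHAIN = ROOT + INTER + LEAF    # reversed order

if __name__ == "__main__":
    print("good chain:", check_chain_order(GOOD_CHAIN) or "OK")
    print("bad chain :", check_chain_order(BAD_CHAIN))
```

To check a real file, read it and pass its contents to check_chain_order; because the comparison is on raw DER Name encodings, it also catches chains where an intermediate was re-issued under a differently encoded subject, which a visual comparison of Common Names can miss.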


Additional Information

VMware Skyline Health Diagnostics for vSphere - FAQ
How to use vSphere 6.x Certificate Manager
How to regenerate vSphere 6.x certificates using self-signed VMCA
Generate CSR with vSphere Certificate Manager and Prepare Root Certificate (Intermediate CA)
Certificate Management Overview
Replacing the vSphere 6.0 Machine SSL certificate with a VMware Certificate Authority issued certificate
"ERROR certificate-manager 'lstool get' failed: 1" during Certificate Replacement on vCenter Server 6.x
Error when uploading files to vCenter Server Appliance using WinSCP
Replacing default certificates with CA signed SSL certificates in vSphere 6.x
Replacing certificates using VMware vSphere 6.0 Certificate Manager fails at 0% with the error: Operation failed, performing automatic rollback
Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.0
Obtaining vSphere certificates from a Microsoft Certificate Authority
Replacing the vSphere 6.x Machine SSL certificate with a Custom Certificate Authority Signed Certificate (Japanese)