How to use vSphere 6.x Certificate Manager (2097936)

Purpose

This article explains when and how to use the vSphere 6.x Certificate Manager.

The vSphere 6.x Certificate Manager can be used to:
  1. Implement Default Certificates (use Option 4)

    • Choose this when you do not plan to implement custom CA certificates signed by either an in-house CA (for example, a Microsoft Windows CA) or a commercial CA (Verisign, GoDaddy, and so on).
    • In this configuration, the vSphere certificates are generated and issued by the VMware Certificate Authority (VMCA) and stored in the VMware Endpoint Certificate Store (VECS).
    • Because the VMCA root certificate is self-signed, these certificates are not trusted by browsers or other clients until the VMCA root certificate is imported into their trust stores.

  2. Replace the VMCA Certificate with a custom CA Certificate (use Option 2)

    • In this configuration, you replace the default VMCA certificate and key with a subordinate CA certificate and key issued by either an in-house CA (Microsoft Windows CA) or a commercial CA (Verisign, GoDaddy, and so on).
    • The VMCA then generates new vSphere certificates signed by the imported custom CA certificate and key.
    • Certificates issued by the VMCA are then trusted by every client that already trusts the custom CA.

  3. Replace all vSphere Certificates and Keys with custom CA Certificates and Keys (use Option 1 for the Machine SSL certificate and Option 5 for the Solution User certificates)

    • In this configuration, you replace the Machine SSL certificate and all Solution User certificates with custom certificates signed by either an in-house CA (Microsoft Windows CA) or a commercial CA (Verisign, GoDaddy, and so on).
    • The VMCA is not responsible for issuing these certificates.

Resolution

Note: You must be logged in as an administrator, or start the command prompt with "Run as Administrator" if User Account Control (UAC) is enabled.

To launch the vSphere 6.x Certificate Manager, run this command from a command prompt (Windows) or a shell (appliance):
  • Windows vCenter Server:  C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager
  • vCenter Server Appliance: /usr/lib/vmware-vmca/bin/certificate-manager
When you run the certificate-manager command, you are presented with the 8 options listed below.

  1. Replace the Machine SSL certificate with a Custom CA Certificate

    This option also offers a sub-option to generate a Certificate Signing Request (CSR) and private key for the Machine SSL certificate; submit the CSR to your CA and return to this option with the signed certificate.

    Required Information:

    • administrator@vsphere.local password
    • Path to the custom Certificate and Key for the Machine SSL certificate
    • Path to the custom CA Root certificate (the signing CA's certificate; if an intermediate CA signed the Machine SSL certificate, this file must contain the full chain)

  2. Replace the VMCA Root certificate with a Custom CA Signing Certificate and Replace all Certificates

    This option also offers a sub-option to generate a Certificate Signing Request (CSR) and private key for the VMCA Root Signing certificate.

    Required Information:

    • administrator@vsphere.local password
    • Configure the certool.cfg file (used by VMCA when generating certificates)
    • Root Signing Certificate
    • Root Signing Key

    Optional Information:

    • Do you wish to replace all Solution User certificates with custom CA?

      • YES: Paths to the custom Certificates and Keys for the Solution Users (vpxd, vpxd-extension, vsphere-webclient, machine).
        Note: You can also perform this step later using Option 5.
      • NO: VMCA generates new Certificates/Keys for the Solution Users using the provided Custom CA Signing Certificate.
        Note: You can also perform this step later using Option 6.

    • Do you wish to replace the Machine SSL Certificate with custom CA?

      • YES: Path to a custom Certificate and Key for the Machine SSL Certificate.
        Note: You can also perform this step later using Option 1.
      • NO: VMCA generates a new Certificate/Key for the Machine SSL certificate using the provided Custom CA Signing Certificate.
        Note: You can also perform this step later using Option 3.
  3. Replace the Machine SSL certificate with a VMCA Generated Certificate

    Required Information:

    • administrator@vsphere.local password
    • Configure the certool.cfg file (used by VMCA when generating certificates)

  4. Regenerate a new default VMCA Root Certificate and Replace all Certificates

    Required Information:

    • administrator@vsphere.local password
    • Configure the certool.cfg file (used by VMCA when generating certificates)

  5. Replace the Solution User Certificates with Custom CA Certificates

    Required Information:

    • administrator@vsphere.local password
    • Path to the custom Root CA Certificate
    • Path to the custom Certificate and Key for the vpxd Solution User
    • Path to the custom Certificate and Key for the vpxd-extension Solution User
    • Path to the custom Certificate and Key for the vsphere-webclient Solution User
    • Path to the custom Certificate and Key for the machine Solution User

  6. Replace the Machine SSL Certificate and Solution User Certificates with VMCA generated Certificates

    Required Information:

    • administrator@vsphere.local password

  7. Revert last performed operation by re-publishing old certificates

    Use this option to roll back: it re-publishes the certificates that were in place before the previous operation.

  8. Reset all certificates

    Required Information:

    • administrator@vsphere.local password
    • Configure the certool.cfg file (used by VMCA when generating certificates)
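Options 1, 2 and 5 all take paths to a custom certificate, its private key and the issuing root, and certificate-manager only reports a mismatch after it has started replacing certificates. The script below is an added example (not part of this KB or of certificate-manager) that runs the checks a practitioner wants before typing those paths in: key matches certificate, certificate chains to the root you will supply, certificate is not expired, and a Machine SSL certificate is valid for the vCenter FQDN. It uses only the openssl CLI. The file names, the host name vcenter.example.local and the throwaway CA built by make_sample are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of VMware KB 2097936 or of certificate-manager itself:
# pre-flight checks on the custom certificate, private key and root certificate
# you are about to hand to Option 1, 2 or 5, using only the openssl CLI.
# File names, the host name vcenter.example.local and the throwaway CA built by
# make_sample are assumptions for the demo.

# check_pair CERT KEY ROOT [FQDN]
# Returns 0 only if KEY is the private key for CERT, CERT chains to ROOT,
# CERT has not expired and, when FQDN is given, CERT is valid for that host.
check_pair() {
    cert=$1; key=$2; root=$3; fqdn=$4

    # 1. Key and certificate must belong together: compare the public keys.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key is not the private key for $cert"
        return 1
    fi

    # 2. CERT must chain to the same root you will give certificate-manager.
    if ! openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not chain to $root"
        return 1
    fi

    # 3. Refuse an expired certificate; warn when less than 30 days remain.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: $cert has already expired"
        return 1
    fi
    if ! openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null 2>&1; then
        echo "WARN: $cert expires within 30 days"
    fi

    # 4. A Machine SSL certificate must match the FQDN clients connect to.
    if [ -n "$fqdn" ] && ! openssl verify -CAfile "$root" -verify_hostname "$fqdn" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert is not valid for host name $fqdn"
        return 1
    fi

    echo "OK: $cert, $key and $root are consistent"
    return 0
}

# make_sample DIR: constructed test data, a throwaway root CA, a Machine SSL
# style leaf signed by it, and an unrelated key that must be rejected.
make_sample() {
    dir=$1
    cat > "$dir/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Example Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_machine]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = DNS:vcenter.example.local
EOF
    openssl req -x509 -config "$dir/pki.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
        -days 3650 -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null
    openssl req -new -config "$dir/pki.cnf" -subj "/CN=vcenter.example.local" -newkey rsa:2048 \
        -nodes -keyout "$dir/machine.key" -out "$dir/machine.csr" 2>/dev/null
    openssl x509 -req -in "$dir/machine.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -days 365 -extfile "$dir/pki.cnf" -extensions v3_machine \
        -out "$dir/machine.crt" 2>/dev/null
    openssl genrsa -out "$dir/unrelated.key" 2048 2>/dev/null
}

# run_demo: returns 0 when the matching pair passes and both bad inputs
# (wrong private key, wrong host name) are rejected.
run_demo() {
    dir=$(mktemp -d)
    make_sample "$dir"
    good=1; badkey=1; badhost=1
    check_pair "$dir/machine.crt" "$dir/machine.key" "$dir/root.crt" vcenter.example.local && good=0
    check_pair "$dir/machine.crt" "$dir/unrelated.key" "$dir/root.crt" || badkey=0
    check_pair "$dir/machine.crt" "$dir/machine.key" "$dir/root.crt" psc.example.local || badhost=0
    rm -rf "$dir"
    [ "$good" -eq 0 ] && [ "$badkey" -eq 0 ] && [ "$badhost" -eq 0 ]
}

run_demo
```

On a real vCenter Server Appliance, call check_pair with the paths you intend to enter into certificate-manager (for example the signed Machine SSL certificate, its key and the CA root or chain file) and the vCenter FQDN; on Windows the same openssl commands work from any OpenSSL build. If the root file carries an intermediate plus root chain, pass that file as ROOT so the chain check matches what certificate-manager will see.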

Additional Information

For more information on implementing CA signed certificates, see Replacing default certificates with CA signed SSL certificates in vSphere 6.0 (2111219).

Note: Currently, vCenter Server 6.x integrates only with VMCA. The vSphere 6.x Certificate Manager and VMCA cannot be used to issue certificates to any other products.

Log file locations:

  • The vSphere 6.x Certificate Manager writes certificate-manager.log to:

    • Windows vCenter Server 6.x: C:\ProgramData\VMware\vCenterServer\logs\vmca\certificate-manager.log
    • vCenter Server Appliance 6.x: /var/log/vmware/vmcad/certificate-manager.log

  • The certool.cfg file is located at:

    • Windows vCenter Server: C:\Program Files\VMware\vCenter Server\vmcad\certool.cfg
    • vCenter Server Appliance: /usr/lib/vmware-vmca/share/config/certool.cfg
    • Platform Services Controller Appliance: /usr/lib/vmware-vmca/share/config/certool.cfg
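Options 2, 3, 4 and 8 read certool.cfg before the VMCA generates anything, so it must be edited first. The following is an added example of a filled-in certool.cfg, not the template shipped with vCenter Server: every value is a constructed placeholder for a hypothetical vcenter.example.local, and the comment on Name reflects the shipped template's default of Name = CA.

```ini
#
# certool.cfg - template used by the VMCA when it generates certificates.
# All values below are placeholders constructed for this example; replace each one.
#

# Country is required and must be exactly 2 characters (ISO 3166-1 alpha-2)
Country = US
# Name is the Common Name of the root certificate VMCA generates (template default: CA)
Name = vcenter.example.local
Organization = Example Corp
OrgUnit = Platform Engineering
State = California
Locality = Palo Alto
# Replace the template's 127.0.0.1 with the address clients actually use
IPAddress = 192.0.2.10
Email = pki-admin@example.local
# Hostname must be the FQDN of this vCenter Server or PSC exactly as clients resolve it
Hostname = vcenter.example.local
```

Leaving the template's placeholder values (127.0.0.1, email@acme.com, server.acme.com) in place produces VMCA-issued certificates that do not match the host clients connect to, which is the most common reason a browser still warns after Option 3, 4 or 8.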

 
