Replacing default certificates with CA signed SSL certificates in vSphere 6.x (2111219)


Purpose

This article provides information on implementing Certificate Authority (CA) signed SSL certificates in a vSphere 6.x environment. VMware has pre-packaged the vSphere Certificate Manager utility to automate the replacement process. For more information, see these articles before proceeding:
Note: This article is specifically for vSphere 6.0. For earlier versions, use these links:

Resolution

VMware has greatly reduced the complexity by implementing the VMware Certificate Authority (VMCA) and the VMware Endpoint Certificate Store (VECS). For more information about the VMCA and VECS, see these articles:
This article provides documentation links that give guidance on configuring certificates on the vSphere components in an environment. It assumes that all components are installed and currently running with VMware-signed or third-party CA-signed certificates.

Note: VMware does not support the use of wildcard certificates.

Ensure that you validate each step given here. Each step provides instructions or a link to a document that provides information on configuring the certificates in your environment.

Core vSphere components

The vSphere Certificate Manager utility provides all workflows to replace or regenerate the Machine SSL Certificate, Solution User Certificates and the VMCA Root Signing Certificate on the vCenter Server and Platform Services Controller. For more information, see Understanding and using vSphere 6.x Certificate Manager (2097936).

With this release, VMware provides customers with two ways to implement third-party CA-signed certificates. Customers may choose to keep the VMCA of the Platform Services Controller and replace its root signing certificate with a signing certificate from their own Private Key Infrastructure (PKI), so that the VMCA acts as a subordinate CA for their vSphere environment. Alternatively, customers may choose not to use the VMCA at all and simply replace each certificate with one issued by their own PKI.
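The two models above can be rehearsed with a throwaway OpenSSL PKI before a live Platform Services Controller is touched. The following shell script is an added example, not VMware's code and not the Certificate Manager utility: it builds an enterprise root, issues a subordinate CA certificate that stands in for the VMCA, signs a Machine SSL certificate under it, and then runs the checks worth repeating against any replaced certificate: chain validation with and without the intermediate, hostname match, and the no-wildcard rule this article states. The hostname `vcenter.example.local`, the subject names and the scratch directory layout are constructed for the example.

```shell
#!/bin/sh
# Added example (not VMware's code): rehearse the "VMCA as subordinate CA"
# chain with a throwaway OpenSSL PKI, then run the checks an administrator
# would run against a replaced Machine SSL certificate.
set -eu

WORK="${WORK:-$(mktemp -d)}"          # scratch directory for the demo PKI
FQDN="vcenter.example.local"          # constructed hostname for the example

# Extension profiles: enterprise root, subordinate CA (the VMCA stand-in) and
# a server certificate. A second server profile carries a wildcard SAN only so
# that the wildcard check below has something to reject.
write_ext_config() {
  cat > "$WORK/ext.cnf" <<EOF
[v3_ca]
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
[v3_sub]
basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
[v3_server]
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=DNS:${FQDN}
[v3_server_wild]
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=DNS:*.example.local
EOF
}

# issue NAME SUBJECT EXT_SECTION [ISSUER]: generate a key and CSR, then sign
# the CSR with ISSUER, or self-sign it when no issuer is given (the root).
issue() {
  name="$1"; subj="$2"; ext="$3"; issuer="${4:-}"
  openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" -days 30 \
      -extfile "$WORK/ext.cnf" -extensions "$ext" -out "$WORK/$name.crt" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.crt" \
      -CAkey "$WORK/$issuer.key" -CAcreateserial -days 30 \
      -extfile "$WORK/ext.cnf" -extensions "$ext" -out "$WORK/$name.crt" 2>/dev/null
  fi
}

build_demo_pki() {
  write_ext_config
  issue root    "/CN=Example Enterprise Root CA" v3_ca
  issue sub     "/CN=VMCA stand-in subordinate CA" v3_sub root
  issue machine "/CN=$FQDN" v3_server sub
  issue wild    "/CN=*.example.local" v3_server_wild sub
}

# chain_ok LEAF ANCHOR [INTERMEDIATE]: succeeds only if LEAF chains to ANCHOR
# and matches the expected hostname. Omitting the intermediate is the usual
# cause of certificate validation errors in solutions on separate systems.
chain_ok() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$2" -untrusted "$3" -verify_hostname "$FQDN" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$2" -verify_hostname "$FQDN" "$1" >/dev/null 2>&1
  fi
}

# has_wildcard CERT: succeeds if the subject or any SAN entry contains a
# wildcard, which this article notes VMware does not support.
has_wildcard() {
  { openssl x509 -in "$1" -noout -subject
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name'
  } | grep -q '\*'
}

build_demo_pki
printf 'demo PKI written to %s\n' "$WORK"
chain_ok "$WORK/machine.crt" "$WORK/root.crt" "$WORK/sub.crt" && echo "machine.crt: chain and hostname OK"
chain_ok "$WORK/machine.crt" "$WORK/root.crt" || echo "machine.crt without intermediate: fails, as expected"
has_wildcard "$WORK/wild.crt" && echo "wild.crt: wildcard present, not supported"
```

Against a real deployment the same two functions apply unchanged: point `chain_ok` at the exported Machine SSL certificate, the enterprise root and the VMCA (or other intermediate) certificate, and run `has_wildcard` over every certificate you intend to install before the Certificate Manager replacement step.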

Replacing Certificates without using VMCA of the Platform Services Controller

For more information, see:

  1. Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.x (2112009)
  2. Obtaining vSphere certificates from a Microsoft Certificate Authority (2112014)
  3. Replacing a vSphere 6.x Machine SSL certificate with a Custom Certificate Authority Signed Certificate (2112277)
  4. Replacing the vSphere 6.x Solution Users certificates with a Custom Certificate Authority signed certificates (2112278)
  5. After replacing the vCenter Server certificates in VMware vSphere 6.x, the ESX Agent Manager solution user fails to log in (2112577)
  6. vCenter Server certificate validation error in VMware vCenter Site Recovery Manager and other solutions that run on a separate system (2109074)

Replacing VMCA of the Platform Services Controller with a Subordinate Certificate Authority Certificate

For more information, see:

  1. Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.x (2112009)
  2. Configuring the vSphere 6.0 U1b or later VMware Certificate Authority as a Subordinate Certificate Authority (2147542)
  3. Obtaining vSphere certificates from a Microsoft Certificate Authority (2112014)
  4. Replacing the vSphere 6.x Machine SSL certificate with a VMware Certificate Authority issued certificate (2112279)
  5. Replacing the vSphere 6.x Solution User certificates with VMware Certificate Authority issued certificates (2112281)
  6. After replacing the VMware vCenter Server certificates in VMware vSphere 6.x, the VMware vSphere Auto Deploy solution user fails to log in (2123631)
  7. vCenter Server certificate validation error in VMware vCenter Site Recovery Manager and other solutions that run on a separate system (2109074)
  8. Adding a VMware vSphere ESXi host to VMware vCenter Server 6.x fails with the error: Signed certificate could not be retrieved due to a start time error (2123386)
Note: After the SSL certificates on the Platform Services Controller have been replaced, the vCenter Server installer still reports VMware-signed certificates during installation. This is expected behavior. For more information, see Installing or upgrading vCenter Server 6.x using an external Platform Service Controller prompts the user to accept the Platform Services Controller Certificate (2111574).

Regenerate certificates issued by VMCA of the Platform Services Controller

For more information, see:


Peripheral vSphere components

Replace the vSphere Update Manager certificates. For more information, see Configuring CA signed SSL certificates for vSphere Update Manager in vCenter Server 5.1 and 5.5 (2037581).

Additional Information

For more information, see Using the vSphere Certificate Manager Utility section in the vSphere Security guide for vSphere 6.0 and these articles:

  • Replace Machine SSL Certificate with Custom Certificate section in the vSphere Security guide
  • Replace Solution User Certificates with Custom Certificates section in the vSphere Security guide
  • Certificate Replacement in Large Deployments section in the vSphere Security guide
  • Managing Certificate Revocation section in the vSphere Security guide
For customers seeking to clear the browser warning within their vSphere 6.0 environment, but want to forgo replacing their certificates, see How to download and install vCenter Server root certificates to avoid Web Browser certificate warnings (2108294).

Tags

certificate replacement, vcenter server 6.0, sso 6.0, psc 6.0, certs, ssl, vcenter 6 certificate, Errors when migrating to external SSO, Installing certificates issue, SSO account does not have access
