Search the VMware Knowledge Base (KB)
View by Article ID

Configuring the vSphere 6.0 U1 or earlier VMware Certificate Authority as a Subordinate Certificate Authority (2112016)

  • 47 Ratings
Language Editions

Purpose

This article provides steps for configuring the VMware vSphere 6.0 VMware Certificate Authority (VMCA) as a subordinate of an existing Certificate Authority.

A VMCA exists on an embedded vCenter Server 6.0 installation and an external Platform Services Controller.

Resolution

If you have not yet configured your Microsoft Certificate Authority, see Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.0 (2112009).

Notes:
  • This task replaces the VMCA Root Certificate with a custom signing certificate and replaces the MachineSSL and Solution User certificates with new certificates issued by this custom signing certificate.
  • If you are running an external Platform Services Controller, you need to run the vSphere 6.0 Certificate Manager on the external vCenter Server 6.0 and perform these tasks:
    • Replace Machine SSL certificate with VMCA Certificate
    • Replace Solution user certificates with VMCA certificates
  • If you have multiple Platform Services Controllers, you need to perform the preceding tasks on all Platform Services Controllers if you need to have trusted certificates for all vCenter Server 6.0 installations.
  • In some cases it may be required to distribute the Intermediate-CA certificate through the domain for the vSphere Client to automatically trust the certificates created for ESXi hosts.
  • When configuring certificates in a HA environment behind a load balancer perform the below steps on each PSC ignoring the load balance.

Caution

To configure the vSphere 6.0 VMware Certificate Authority as a subordinate Certificate Authority:

vSphere 6.0 with VMCA as an Intermediate CA and external Platform Service Controller

  1. Launch the vSphere 6.0 Certificate Manager by using:

      Platform Service Controller Appliance – /usr/lib/vmware-vmca/bin/certificate-manager

      Windows Platform Service Controller – C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager

    1. Select Option 2 (Replace VMCA Root certificate with Custom Signing Certificate and replace all Certificates)
    2. Provide the administrator@vsphere.local password when prompted.
    3. Select Option 1 (Generate Certificate Signing Request(s) and Key(s) for VMCA Root Signing certificate)
    4. Provide a directory to save the certificate signing request and private key to.

      Note: The files created will have the names root_signing_cert.csr and root_signing_cert.key

    5. Provide the root_signing_cert.csr to your Certificate Authority to generate a Subordinate Signing Certificate, name the file root_signing_cert.cer.

      Note: To allow WinSCP connections to a vCenter Server 6.0 Appliance, see Error when uploading files to vCenter Server Appliance using WinSCP (2107727).

    6. Using a plain text editor, create a full chain of root_signing_cert.cer, by copying the content of the Intermediate(s) CA certs and Root CA cert into the text file.

      For example,
      -----BEGIN CERTIFICATE-----
      MIIFxTCCBK2gAwIBAgIKYaLJSgAAAAAAITANBgkqhkiG9w0BAQUFADBGMRMwEQYK
      CZImiZPyLGQBGRYDbmV0MRYwFAYKCZImiZPyLGQBGRYGbW5uZXh0MRcwFQYDVQQD
      Ew5tbm5leHQtQUQtMS1DQTAeFw0xMzAyMDExNjAxMDNaFw0xNTAyMDExNjExMDNa
      SMhYhbv3wr7XraAnsIaBYCeg+J7fKTFgjA8bTwC+dVTaOSXQuhnZfrOVxlfJ/Ydm
      NS7WBBBFd9V4FPyRDPER/QMVl+xyoaMGw0QKnslmq/JvID4FPd0/QD62RAsTntXI
      ATa+CS6MjloKFgRaGnKAAFPsrEeGjb2JgMOpIfbdx4KT3WkspsK3KPwFPoYza4ih
      4eT2HwhcUs4wo7X/XQd+CZjttoLsSyCk5tCmOGU6xLaE1s08R6sz9mM=
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      MIIDZzCCAk+gAwIBAgIQNO7aLfykR4pE94tcRe0vyDANBgkqhkiG9w0BAQUFADBG
      K73RIKZaDkBOuUlRSIfgfovUFJrdwGtMWo3m4dpN7csQAjK/uixfJDVRG0nXk9pq
      GXaS5/YCv5B4q4T+j5pa2f+a61ygjN1YQRoZf2CHLe7Zq89Xv90nhPM4foWdNNkr
      /Esf1E6fnrItsXpIchQOmvQViis12YyUvwko2aidjVm9sML0ANiLJZSoQ9Zs/WGC
      TLqwbQm6tNyFB8c=
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      MIIDZzCCAk+gAwIBAgIQNO7aLfykR4pE94tcRe0vyDANBgkqhkiG9w0BAQUFADBG
      K73RIKZaDkBOuUlRSIfgfovUFJrdwGtMWo3m4dpN7csQAjK/uixfJDVRG0nXk9pq
      GXaS5/YCv5B4q4T+j5pa2f+a61ygjN1YQRoZf2CHLe7Zq89Xv90nhPM4foWdNNkr
      /Esf1E6fnrItsXpIchQOmvQViis12YyUvwko2aidjVm9sML0ANiLJZSoQ9Zs/WGC
      TLqwbQm6tNyFB8c=
      -----END CERTIFICATE-----

      Where the first certificate is the contents of root_signing_cert, next is any Intermediate Certificates, and last is the Root Certificate.

    7. Save this file as root_signing_chain.cer.
    8. Return to the vSphere 6.0 Certificate Manager and select Option 1 (Continue to importing Custom certificate(s) and key(s) for VMCA Root Signing certificate).
    9. Provide the full path to the root_signing_chain.cer and root_signing_cert.key.

      For example:

      Platform Service Controller Appliance:

      Please provide valid custom certificate for Root.
      File : /tmp/ssl/root_signing_chain.cer

      Please provide valid custom key for Root.
      File : /tmp/ssl/root_signing_cert.key


      Windows Platform Service Controller:

      Please provide valid custom certificate for Root.
      File : C:\ssl\root_signing_chain.cer

      Please provide valid custom key for Root.
      File : C:\ssl\root_signing_cert.key

    10. Answer Yes (Y) to the confirmation request to proceed.
    11. If this is the first time, custom certificates are implemented on this system, you will be asked to configure the certool.cfg. On subsequent tasks, you will be offered to re-use these values.

      Note: These values are used to define certificates issued by VMCA.

    12. Enter the values for these as prompted by the VMCA:

      Please configure certool.cfg file with proper values before proceeding to next step.
      Press Enter key to skip optional parameters or use Default value.
      Enter proper value for 'Country' [Default value : US] :
      Enter proper value for 'Name' [Default value : Acme] :
      Enter proper value for 'Organization' [Default value : AcmeOrg] :
      Enter proper value for 'OrgUnit' [Default value : AcmeOrg Engineering] :
      Enter proper value for 'State' [Default value : California] :
      Enter proper value for 'Locality' [Default value : Palo Alto] :
      Enter proper value for 'IPAddress' [optional] :
      Enter proper value for 'Email' [Default value : email@acme.com] :
      Enter proper value for 'Hostname' [Enter valid Fully Qualified Domain Name(FQDN), For Example : example.domain.com] :

    vSphere 6.0 with VMCA as an Intermediate CA and embedded Platform Service Controller

    1. Launch the vSphere 6.0 Certificate Manager using:

        vCenter Server Appliance:

        /usr/lib/vmware-vmca/bin/certificate-manager

        Windows vCenter Server:

        C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager

      1. Select Option 2 (Replace VMCA Root certificate with Custom Signing Certificate and replace all Certificates)
      2. Provide the administrator@vsphere.local password when prompted.
      3. Select Option 1 (Generate Certificate Signing Request(s) and Key(s) for VMCA Root Signing certificate)
      4. Provide a directory to save the certificate signing request and private key to.

        Note: The files created will have the names root_signing_cert.csr and root_signing_cert.key

      5. Provide the root_signing_cert.csr to your Certificate Authority to generate a Subordinate Signing Certificate, name the file root_signing_cert.cer.

        Note: To allow WinSCP connections to a vCenter Server 6.0 Appliance, see Error when uploading files to vCenter Server Appliance using WinSCP (2107727).

      6. Using a plain text editor, create a full chain of root_signing_cert.cer, by copying the content of the Intermediate(s) CA certs and Root CA cert into the text file.

        For example:

        -----BEGIN CERTIFICATE-----
        MIIFxTCCBK2gAwIBAgIKYaLJSgAAAAAAITANBgkqhkiG9w0BAQUFADBGMRMwEQYK
        CZImiZPyLGQBGRYDbmV0MRYwFAYKCZImiZPyLGQBGRYGbW5uZXh0MRcwFQYDVQQD
        Ew5tbm5leHQtQUQtMS1DQTAeFw0xMzAyMDExNjAxMDNaFw0xNTAyMDExNjExMDNa
        SMhYhbv3wr7XraAnsIaBYCeg+J7fKTFgjA8bTwC+dVTaOSXQuhnZfrOVxlfJ/Ydm
        NS7WBBBFd9V4FPyRDPER/QMVl+xyoaMGw0QKnslmq/JvID4FPd0/QD62RAsTntXI
        ATa+CS6MjloKFgRaGnKAAFPsrEeGjb2JgMOpIfbdx4KT3WkspsK3KPwFPoYza4ih
        4eT2HwhcUs4wo7X/XQd+CZjttoLsSyCk5tCmOGU6xLaE1s08R6sz9mM=
        -----END CERTIFICATE-----
        -----BEGIN CERTIFICATE-----
        MIIDZzCCAk+gAwIBAgIQNO7aLfykR4pE94tcRe0vyDANBgkqhkiG9w0BAQUFADBG
        K73RIKZaDkBOuUlRSIfgfovUFJrdwGtMWo3m4dpN7csQAjK/uixfJDVRG0nXk9pq
        GXaS5/YCv5B4q4T+j5pa2f+a61ygjN1YQRoZf2CHLe7Zq89Xv90nhPM4foWdNNkr
        /Esf1E6fnrItsXpIchQOmvQViis12YyUvwko2aidjVm9sML0ANiLJZSoQ9Zs/WGC
        TLqwbQm6tNyFB8c=
        -----END CERTIFICATE-----
        -----BEGIN CERTIFICATE-----
        MIIDZzCCAk+gAwIBAgIQNO7aLfykR4pE94tcRe0vyDANBgkqhkiG9w0BAQUFADBG
        K73RIKZaDkBOuUlRSIfgfovUFJrdwGtMWo3m4dpN7csQAjK/uixfJDVRG0nXk9pq
        GXaS5/YCv5B4q4T+j5pa2f+a61ygjN1YQRoZf2CHLe7Zq89Xv90nhPM4foWdNNkr
        /Esf1E6fnrItsXpIchQOmvQViis12YyUvwko2aidjVm9sML0ANiLJZSoQ9Zs/WGC
        TLqwbQm6tNyFB8c=
        -----END CERTIFICATE-----

        Where the first certificate is the contents of root_signing_cert, next is any Intermediate Certificates, and last is the Root Certificate.
      7. Save this file as root_signing_chain.cer.
      8. Return to the vSphere 6.0 Certificate Manager and select Option 1 (Continue to importing Custom certificate(s) and key(s) for VMCA Root Signing certificate).
      9. Provide the full path to the root_signing_chain.cer and root_signing_cert.key.

        For example:

        vCenter Server Appliance:

        Please provide valid custom certificate for Root.
        File : /tmp/ssl/root_signing_chain.cer

        Please provide valid custom key for Root.
        File : /tmp/ssl/root_signing_cert.key


        Windows vCenter Server:

        Please provide valid custom certificate for Root.
        File : C:\ssl\root_signing_chain.cer

        Please provide valid custom key for Root.
        File : C:\ssl\root_signing_cert.key

      10. Answer Yes (Y) to the confirmation request to proceed.
      11. If this is the first time, custom certificates are implemented on this system, you will be asked to configure the certool.cfg. On subsequent tasks, you will be offered to re-use these values.

        Note: These values are used to define certificates issued by VMCA.

      12. Enter the values for these as prompted by the VMCA:

        Please configure certool.cfg file with proper values before proceeding to next step.
        Press Enter key to skip optional parameters or use Default value.
        Enter proper value for 'Country' [Default value : US] :
        Enter proper value for 'Name' [Default value : Acme] :
        Enter proper value for 'Organization' [Default value : AcmeOrg] :
        Enter proper value for 'OrgUnit' [Default value : AcmeOrg Engineering] :
        Enter proper value for 'State' [Default value : California] :
        Enter proper value for 'Locality' [Default value : Palo Alto] :
        Enter proper value for 'IPAddress' [optional] :
        Enter proper value for 'Email' [Default value : email@acme.com] :
        Enter proper value for 'Hostname' [Enter valid Fully Qualified Domain Name(FQDN), For Example : example.domain.com] :

      See Also

      Request a Product Feature

      To request a new product feature or to provide feedback on a VMware product, please visit the Request a Product Feature page.

      Feedback

      • 47 Ratings

      Did this article help you?
      This article resolved my issue.
      This article did not resolve my issue.
      This article helped but additional information was required to resolve my issue.

      What can we do to improve this information? (4000 or fewer characters)




      Please enter the Captcha code before clicking Submit.
      • 47 Ratings
      Actions
      KB: