Replacing a vSphere 6.x Machine SSL certificate with a Custom Certificate Authority Signed Certificate (2112277)

Purpose

This article explains how to replace a vSphere 6.x Machine SSL certificate with a Custom Certificate Authority (CA) Signed Certificate.

Notes
  • If you have a vCenter Server with an embedded Platform Services Controller (PSC), there will be one Machine SSL certificate.
  • If you have a vCenter Server with an external Platform Services Controller, each machine will have its own Machine SSL certificate. Therefore, you must perform this task on each machine.

Resolution

If you have not yet configured your Microsoft Certificate Authority, see Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.0 (2112009).

To replace the Machine SSL certificate with the Custom CA certificate:
  1. Launch the vSphere 6.x Certificate Manager:

    vCenter Server 6.x Appliance:

    /usr/lib/vmware-vmca/bin/certificate-manager

    Windows vCenter Server 6.x:

    C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager

  2. Select Option 1 (Replace Machine SSL certificate with Custom Certificate)

  3. Provide the administrator@vsphere.local password when prompted.

  4. Select Option 1 (Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate)

  5. Enter the directory in which you want to save the certificate signing request and the private key

    Note:
    • In vSphere 6.0 Update 3, provide the host name with the same case (upper/lower) as in the previous Machine SSL certificate when generating the CSR.
    • The files created will have the names vmca_issued_csr.csr and vmca_issued_key.key.
    • In vSphere 6.0 Update 3, 6.5, and later this prompt will also appear:

      Enter proper value for VMCA 'Name' :

      This can be the FQDN of the machine the certificate configuration is running on.


  6. Provide the vmca_issued_csr.csr to your Certificate Authority to generate a Machine SSL Certificate, and name the resulting file machine_name_ssl.cer. For more information, see Obtaining vSphere certificates from a Microsoft Certificate Authority (2112014).

    Note: For more information on allowing WinSCP connections to a vCenter Server 6.x Appliance, see Error when uploading files to vCenter Server Appliance using WinSCP (2107727).

  7. Return to the vSphere 6.x Certificate Manager and select Option 1 (Continue to importing Custom certificate(s) and key(s) for Machine SSL certificate).

    Note: If you are using a chain of Intermediate CA and Root CA, see Replacing certificates using vSphere 6.0 Certificate Manager fails at 0% with the error: Operation failed, performing automatic rollback (2111571) before proceeding.

  8. Provide the full path to machine_name_ssl.cer, to vmca_issued_key.key from Step 5, and to the CA certificate Root64.cer.

    Note: If you have one or more intermediate certificate authorities, Root64.cer should be a chain of all intermediate CA and Root CA certificates, and machine_name_ssl.cer should be the full chain: machine certificate, intermediate(s), then root.

    The machine_name_ssl.cer should be a complete chain file similar to:

    -----BEGIN CERTIFICATE-----
    MIIFxTCCBK2gAwIBAgIKYaLJSgAAAAAAITANBgkqhkiG9w0BAQUFADBGMRMwEQYK
    CZImiZPyLGQBGRYDbmV0MRYwFAYKCZImiZPyLGQBGRYGbW5uZXh0MRcwFQYDVQQD
    Ew5tbm5leHQtQUQtMS1DQTAeFw0xMzAyMDExNjAxMDNaFw0xNTAyMDExNjExMDNa <-----Certificate
    SMhYhbv3wr7XraAnsIaBYCeg+J7fKTFgjA8bTwC+dVTaOSXQuhnZfrOVxlfJ/Ydm
    NS7WBBBFd9V4FPyRDPER/QMVl+xyoaMGw0QKnslmq/JvID4FPd0/QD62RAsTntXI
    ATa+CS6MjloKFgRaGnKAAFPsrEeGjb2JgMOpIfbdx4KT3WkspsK3KPwFPoYza4ih
    4eT2HwhcUs4wo7X/XQd+CZjttoLsSyCk5tCmOGU6xLaE1s08R6sz9mM=
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIDZzCCAk+gAwIBAgIQNO7aLfykR4pE94tcRe0vyDANBgkqhkiG9w0BAQUFADBG
    K73RIKZaDkBOuUlRSIfgfovUFJrdwGtMWo3m4dpN7csQAjK/uixfJDVRG0nXk9pq
    GXaS5/YCv5B4q4T+j5pa2f+a61ygjN1YQRoZf2CHLe7Zq89Xv90nhPM4foWdNNkr <-----Intermediate Certificate
    /Esf1E6fnrItsXpIchQOmvQViis12YyUvwko2aidjVm9sML0ANiLJZSoQ9Zs/WGC
    TLqwbQm6tNyFB8c=
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIDZzCCAk+gAwIBAgIQNO7aLfykR4pE94tcRe0vyDANBgkqhkiG9w0BAQUFADBG
    K73RIKZaDkBOuUlRSIfgfovUFJrdwGtMWo3m4dpN7csQAjK/uixfJDVRG0nXk9pq
    GXaS5/YCv5B4q4T+j5pa2f+a61ygjN1YQRoZf2CHLe7Zq89Xv90nhPM4foWdNNkr <-----Root Certificate
    /Esf1E6fnrItsXpIchQOmvQViis12YyUvwko2aidjVm9sML0ANiLJZSoQ9Zs/WGC
    TLqwbQm6tNyFB8c=
    -----END CERTIFICATE-----

    For example:

    vCenter Server Appliance:

    Please provide valid custom certificate for Machine SSL.
    File : /tmp/ssl/machine_name_ssl.cer

    Please provide valid custom key for Machine SSL.
    File : /tmp/ssl/machine_name_ssl.key

    Please provide the signing certificate of the Machine SSL certificate
    File : /tmp/ssl/Root64.cer

    Windows vCenter Server:

    Please provide valid custom certificate for Machine SSL.
    File : C:\ssl\machine_name_ssl.cer

    Please provide valid custom key for Machine SSL.
    File : C:\ssl\machine_name_ssl.key

    Please provide the signing certificate of the Machine SSL certificate
    File : C:\ssl\Root64.cer

  9. Answer Yes (Y) to the confirmation request to proceed.

    Notes:
  • When Certificate Manager prompts for the VMCA Name, enter the Root Certificate name (that is, the Issuer CA Common Name).
  • This task replaces the Machine SSL Certificate with a Custom CA Signed Certificate.
  • This certificate is not issued by VMCA. It is issued by an external Certificate Authority.
  • If you are running an external Platform Services Controller, you will need to restart the services on the external vCenter Server 6.x and then proceed with replacing the Machine SSL of the vCenter Server 6.x.
