How to replace the vSphere 6.0 Solution User certs with CA signed certs (2112278)


Purpose

This article explains how to replace the vSphere 6.0 Solution User certificates with custom Certificate Authority (CA) signed certificates.

Notes:
  • The vSphere 6.0 Solution Users use SSL Certificates for internal communication and endpoint registration.
  • If you have a vCenter Server with an embedded Platform Services Controller (PSC), there are four Solution User Certificates:

    • machine
    • vpxd
    • vpxd-extension
    • vsphere-webclient

  • If you have vCenter Server with an external Platform Services Controller, each vCenter Server 6.0 has four Solution User Certificates as mentioned previously and each external Platform Services Controller has one Solution User named machine.

Resolution

If you have not yet configured your Microsoft Certificate Authority, see Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.0 (2112009).
 
Important:
  • These certificates are not issued by VMCA. They are issued by an external Certificate Authority.
  • If you are running an external Platform Services Controller, you must restart the services on the external vCenter Server 6.0 and then proceed with replacing the Solution User Certificates of the vCenter Server 6.0.
To replace vSphere 6.0 Solution Users with custom CA signed certificates:
  1. Launch the vSphere 6.0 Certificate Manager:

    vCenter Server 6.0 Appliance:

    /usr/lib/vmware-vmca/bin/certificate-manager

    Windows vCenter Server 6.0:

    C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager

  2. Select Option 5 (Replace Solution user certificates with Custom Certificates).

  3. Type the administrator@vsphere.local password when prompted.

  4. Select Option 1 (Generate Certificate Signing Request(s) and Key(s) for Solution User certificates).

  5. Select a directory to save the certificate signing requests and private keys.

    Note: The files created are named after the Solution Users (machine, vpxd, vpxd-extension, vsphere-webclient), one .csr and one .key per Solution User. An external PSC only generates:

    • machine.csr
    • machine.key

  6. Provide the preceding CSRs to your Certificate Authority to generate a Solution User Certificate and name the files machine_name.cer, vpxd.cer, vpxd-extension.cer, vsphere-webclient.cer. For more information, see Obtaining vSphere certificates from a Microsoft Certificate Authority (2112014).


  7. Return to the vSphere 6.0 Certificate Manager and select Option 1 (Continue to importing Custom certificate(s) and key(s) for Solution User Certificates).

  8. Provide the full path to each of these Certificates and Keys from Step 5 including the issuing CA certificate, Root64.cer.

    • machine.cer
    • machine.key
    • vpxd.cer
    • vpxd.key
    • vpxd-extension.cer
    • vpxd-extension.key
    • vsphere-webclient.cer
    • vsphere-webclient.key
    • Root64.cer

    Note: If you are using a chain of Intermediate CA and Root CA, see the Knowledge Base article Replacing certificates using vSphere 6.0 Certificate Manager fails at 0% with the error: Operation failed, performing automatic rollback (2111571).

    Example for vCenter Server Appliance:

    Please provide valid custom certificate for solution user store : name
    File : /tmp/ssl/name.cer
    Please provide valid custom key for solution user store : name
    File : /tmp/ssl/name.key

    where name is one of the certificate names listed in step 8.

    Example for Windows vCenter Server:

    Please provide valid custom certificate for solution user store : name
    File : C:\ssl\name.cer
    Please provide valid custom key for solution user store : name
    File : C:\ssl\name.key

    Notes:

    • An external Platform Services Controller has only one Solution User Certificate to replace.
    • For vSphere 6.0 Update 1 and later, there are 2 additional certificates for the VAMI interface. These certificates are:

      • vsphere-webclient.csr
      • vsphere-webclient.key

  9. Type Yes (Y) to the confirmation request to proceed.
  10. Update the ESX Agent Manager.

    Note: If the update fails, see the Knowledge Base article After replacing the vCenter Server certificates in vSphere 6.0, the ESX Agent Manager solution user fails to log in (2112577) to resolve the issue.
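Before running step 8, it is worth confirming that the files you are about to hand to the Certificate Manager are complete and consistent, because a mismatched key or a certificate that does not chain to Root64.cer triggers the automatic rollback described above. The following pre-flight check is an added example, not part of this article or of the VMware tooling; it assumes the files were saved to a directory such as /tmp/ssl and that openssl is on the PATH (as it is on the vCenter Server Appliance).

```shell
#!/bin/sh
# Pre-flight check for step 8 (added example): confirm that every Solution User
# certificate/key pair is present, that each .cer carries the same public key as
# its .key, and that each .cer chains to the issuing CA certificate Root64.cer.
# Usage: check_solution_user_files /tmp/ssl [solution-user-names...]
# Assumes openssl is on the PATH; default names are the four embedded-PSC users.

check_solution_user_files() {
    dir="$1"; shift
    names="$*"
    [ -n "$names" ] || names="machine vpxd vpxd-extension vsphere-webclient"
    ca="$dir/Root64.cer"
    rc=0
    if [ ! -f "$ca" ]; then
        echo "MISSING: $ca (issuing CA certificate)"
        return 1
    fi
    for n in $names; do
        cer="$dir/$n.cer"; key="$dir/$n.key"
        for f in "$cer" "$key"; do
            [ -f "$f" ] || { echo "MISSING: $f"; rc=1; }
        done
        [ -f "$cer" ] && [ -f "$key" ] || continue
        # Certificate and private key must share one public key: compare the
        # PEM public key extracted from each side.
        cpub=$(openssl x509 -in "$cer" -noout -pubkey 2>/dev/null)
        kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
        if [ -z "$cpub" ] || [ -z "$kpub" ] || [ "$cpub" != "$kpub" ]; then
            echo "MISMATCH: $cer does not match $key"; rc=1
        fi
        # The Certificate Manager validates the chain; catch a bad one early.
        if ! openssl verify -CAfile "$ca" "$cer" >/dev/null 2>&1; then
            echo "UNTRUSTED: $cer does not chain to $ca"; rc=1
        fi
    done
    if [ "$rc" -eq 0 ]; then
        echo "OK: Solution User files in $dir are complete and consistent"
    fi
    return "$rc"
}
```

For an external Platform Services Controller pass only the machine name, for example `check_solution_user_files /tmp/ssl machine`.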

Tags

replacing vSphere 6.0 solution user cert, custom CA cert

Update History

05/17/2016 - Updated Resolution section
