
Replacing default certificates with CA signed SSL certificates in vSphere 6.0 (2134740)


Symptoms

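Disclaimer: This article is a translation of Replacing default certificates with CA signed SSL certificates in vSphere 6.0 (2111219). Although we continually strive to provide the best translation of this article, localized content may become out of date. For the latest content, see the English version.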

Purpose

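This article provides information on implementing Certificate Authority (CA) signed SSL certificates in a vSphere 6.0 environment. VMware has prepackaged the vSphere Certificate Manager utility to automate this replacement process. For more information, see the following article before proceeding:
Note: This article applies only to vSphere 6.0. For earlier versions, use the following links: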

Resolution

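VMware has significantly reduced complexity by implementing the VMware Certificate Authority (VMCA) and the VMware Endpoint Certificate Store (VECS). For more information about VMCA and VECS, see the following article:
This article provides links to documentation that guides you through configuring certificates on the vSphere components in your environment. It also assumes that all components are installed and are currently running with VMware-signed or third-party CA-signed certificates.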

Note: VMware does not support the use of wildcard certificates.

Be sure to validate each step given here. Each step provides instructions or a link to documentation on configuring certificates in your environment.

Core vSphere components

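The vSphere Certificate Manager utility provides all workflows to replace or regenerate the Machine SSL certificate, Solution User certificates, and the VMCA Root Signing certificate on vCenter Server and the Platform Services Controller. For more information, see Understanding and using vSphere 6.0 Certificate Manager (2097936).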

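With this release, VMware offers customers two ways to implement third-party CA-signed certificates. Customers can choose to use the VMCA of the Platform Services Controller and replace its certificate with one signed by their own Public Key Infrastructure (PKI), so that the VMCA is used as a subordinate CA in the vSphere environment. Alternatively, customers can choose not to use the VMCA and replace certificates only with ones from their own PKI.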

Replacing certificates without using the VMCA of the Platform Services Controller

For more information, see:

  1. Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.0 (2112009)
  2. Obtaining vSphere certificates from a Microsoft Certificate Authority (2112014)
  3. Replacing a vSphere 6.0 Machine SSL certificate with a Custom Certificate Authority Signed Certificate (2112277)
  4. Replacing the vSphere 6.0 Solution Users certificates with a Custom Certificate Authority signed certificates (2112278)
  5. After replacing the vCenter Server certificates in VMware vSphere 6.0, the ESX Agent Manager solution user fails to log in (2112577)
  6. vCenter Server certificate validation error in VMware vCenter Site Recovery Manager and other solutions that run on a separate system (2109074)

Replacing the VMCA of the Platform Services Controller with a Certificate Authority subordinate certificate

For more information, see:

  1. Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.0 (2112009)
  2. Configuring vSphere 6.0 VMware Certificate Authority as a subordinate Certificate Authority (2112016)
  3. Obtaining vSphere certificates from a Microsoft Certificate Authority (2112014)
  4. Replacing the vSphere 6.0 Machine SSL certificate with a VMware Certificate Authority issued certificate (2112279)
  5. Replacing the vSphere 6.0 Solution User certificates with VMware Certificate Authority issued certificates (2112281)
  6. After replacing the VMware vCenter Server certificates in VMware vSphere 6.0, the VMware vSphere Auto Deploy solution user fails to log in (2123631)
  7. vCenter Server certificate validation error in VMware vCenter Site Recovery Manager and other solutions that run on a separate system (2109074)
  8. Adding a VMware vSphere ESXi host to VMware vCenter Server 6.0 fails with the error: Signed certificate could not be retrieved due to a start time error (2123386)

Note: After you replace the SSL certificate on the Platform Services Controller, a VMware-signed certificate continues to be reported during vCenter Server installation. This is expected behavior. For more information, see Installing or upgrading vCenter Server 6.0 using an external Platform Service Controller prompts the user to accept the Platform Services Controller Certificate (2111574).

Regenerating certificates issued by the VMCA of the Platform Services Controller

For more information, see:


Peripheral vSphere components

Additional Information

For more information, see the "Using the vSphere Certificate Manager Utility" section in the vSphere Security guide for vSphere 6.0 and the following articles:

To clear browser warnings in a vSphere 6.0 environment without replacing the certificates, see How to download and install vCenter Server root certificates to avoid Web Browser certificate warnings (2108294).

Tags

vCenter 6 certificates, errors when migrating to external SSO, certificate installation issues, SSO account does not have access permissions.
 