Configuring the vSphere 6.0 U1b or later VMware Certificate Authority as a Subordinate Certificate Authority (2147542)

Purpose

This article explains how to configure the vSphere 6.0 U1b or later VMware Certificate Authority (VMCA) as a subordinate of an existing Certificate Authority.

A VMCA exists on an embedded vCenter Server 6.0 installation and an external Platform Services Controller.

Resolution

If you have not yet configured your Microsoft Certificate Authority, see Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.0 (2112009).

Notes:
  • This task replaces the VMCA Root Certificate with a custom signing certificate and then replaces the Machine SSL certificate and Solution User certificates with certificates issued by this custom signing certificate.
  • If you have multiple Platform Services Controllers, perform these tasks on every Platform Services Controller if you need trusted certificates for all vCenter Server 6.0 installations.
  • In some cases it may be necessary to distribute the intermediate CA certificate through the domain so that the vSphere Client automatically trusts the certificates created for ESXi hosts.
  • When configuring certificates in an HA environment behind a load balancer, perform the steps below on each Platform Services Controller individually, ignoring the load balancer.
vSphere 6.0 U1b or later with VMCA as an Intermediate CA 
  1. Launch the vSphere 6.0 Certificate Manager using:

    Platform Service Controller Appliance:

    /usr/lib/vmware-vmca/bin/certificate-manager

    Windows Platform Service Controller:

    C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager

  2. Select Option 2 (Replace VMCA Root certificate with Custom Signing Certificate and replace all Certificates).

  3. A prompt with "Do you wish to generate all certificates using configuration file" will appear. This prompt refers to selecting certificate parameters for the Solution Users in step 5. It is recommended to select yes, as the defaults can cause a known issue. See Updating certificates using certificate manager on vCenter Server or PSC 6.0 Update 1b fails (2144086) for more details.

  4. Provide the administrator@vsphere.local password when prompted.

    A prompt with "MACHINE_SSL_CERT.cfg file exists, Do you wish to reconfigure : Option[Y/N]" will appear. If yes is selected, the certificate parameters below can be set:

    Note: For vCenter Server 6.0 Update 1b or later, a unique name must be created for each Solution User; for more information, see Updating certificates using certificate manager on vCenter Server or PSC 6.0 Update 1b fails (2144086).

    Caution: The 'Name' value must be unique for each Solution User in the SSO domain. For example, use machine_FQDN for the machine.cfg configuration file.

    Please configure certool.cfg file with proper values before proceeding to next step.
    Press Enter key to skip optional parameters or use Default value.
    Enter proper value for 'Country' [Default value : US] :
    Enter proper value for 'Name' [Default value : Acme] :
    Enter proper value for 'Organization' [Default value : AcmeOrg] :
    Enter proper value for 'OrgUnit' [Default value : AcmeOrg Engineering] :
    Enter proper value for 'State' [Default value : California] :
    Enter proper value for 'Locality' [Default value : Palo Alto] :
    Enter proper value for 'IPAddress' [optional] :
    Enter proper value for 'Email' [Default value : email@acme.com] :
    Enter proper value for 'Hostname' [Enter valid Fully Qualified Domain Name(FQDN), For Example : example.domain.com] :


    Note: If Y was answered in step 3, you will be prompted to reconfigure machine.cfg and vsphere-webclient.cfg after MACHINE_SSL_CERT.cfg.

  5. Select Option 1 (Generate Certificate Signing Request(s) and Key(s) for VMCA Root Signing certificate).

  6. Provide a directory to save the certificate signing request and private key to.

    Note: The files created will have the names vmca_issued_csr.csr and vmca_issued_key.key.

    A prompt with "certool.cfg file exists, Do you wish to reconfigure?" will appear. This file determines the certificate parameters for the VMCA root certificate.

  7. Provide the vmca_issued_csr.csr to your Certificate Authority to generate a Subordinate Signing Certificate, and name the resulting file root_signing_cert.cer. For more information, see Obtaining vSphere certificates from a Microsoft Certificate Authority (2112014).

    Note: To allow WinSCP connections to a vCenter Server 6.0 Appliance, see Error when uploading files to vCenter Server Appliance using WinSCP (2107727).

  8. Using a plain text editor, create a full chain from root_signing_cert.cer by appending the contents of the intermediate CA certificate(s) and the Root CA certificate to a text file. For more information on how to obtain the intermediate CA certificate(s) and Root CA certificate, see step 12 of Obtaining vSphere certificates from a Microsoft Certificate Authority (2112014).

    In this example, the first certificate is the contents of root_signing_cert.cer, followed by any intermediate certificates, with the Root Certificate last.

    -----BEGIN CERTIFICATE-----
    MIIFxTCCBK2gAwIBAgIKYaLJSgAAAAAAITANBgkqhkiG9w0BAQUFADBGMRMwEQYK
    CZImiZPyLGQBGRYDbmV0MRYwFAYKCZImiZPyLGQBGRYGbW5uZXh0MRcwFQYDVQQD
    Ew5tbm5leHQtQUQtMS1DQTAeFw0xMzAyMDExNjAxMDNaFw0xNTAyMDExNjExMDNa
    SMhYhbv3wr7XraAnsIaBYCeg+J7fKTFgjA8bTwC+dVTaOSXQuhnZfrOVxlfJ/Ydm
    NS7WBBBFd9V4FPyRDPER/QMVl+xyoaMGw0QKnslmq/JvID4FPd0/QD62RAsTntXI
    ATa+CS6MjloKFgRaGnKAAFPsrEeGjb2JgMOpIfbdx4KT3WkspsK3KPwFPoYza4ih  <-----root_signing_cert.cer
    4eT2HwhcUs4wo7X/XQd+CZjttoLsSyCk5tCmOGU6xLaE1s08R6sz9mM=
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIDZzCCAk+gAwIBAgIQNO7aLfykR4pE94tcRe0vyDANBgkqhkiG9w0BAQUFADBG
    K73RIKZaDkBOuUlRSIfgfovUFJrdwGtMWo3m4dpN7csQAjK/uixfJDVRG0nXk9pq
    GXaS5/YCv5B4q4T+j5pa2f+a61ygjN1YQRoZf2CHLe7Zq89Xv90nhPM4foWdNNkr  <-----Intermediate Certificate
    /Esf1E6fnrItsXpIchQOmvQViis12YyUvwko2aidjVm9sML0ANiLJZSoQ9Zs/WGC
    TLqwbQm6tNyFB8c=
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIDZzCCAk+gAwIBAgIQNO7aLfykR4pE94tcRe0vyDANBgkqhkiG9w0BAQUFADBG
    K73RIKZaDkBOuUlRSIfgfovUFJrdwGtMWo3m4dpN7csQAjK/uixfJDVRG0nXk9pq
    GXaS5/YCv5B4q4T+j5pa2f+a61ygjN1YQRoZf2CHLe7Zq89Xv90nhPM4foWdNNkr  <-----Root Certificate
    /Esf1E6fnrItsXpIchQOmvQViis12YyUvwko2aidjVm9sML0ANiLJZSoQ9Zs/WGC
    TLqwbQm6tNyFB8c=
    -----END CERTIFICATE-----


  9. Save this file as root_signing_chain.cer.
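    The order of the certificates in root_signing_chain.cer matters: certificate-manager imports the first certificate as the new VMCA signing certificate and expects the rest to lead to a self-signed root. The following bash script is an added example, not part of this KB article or of any VMware tool, that checks a chain file before it is handed to certificate-manager in step 10. It assumes a plain PEM file (no indentation or the "<-----" annotations shown above) and that the openssl command-line tool is available; the /tmp/ssl path and file name are the ones used in this article.

```bash
#!/usr/bin/env bash
# Added example (not VMware's code): sanity-check root_signing_chain.cer before import.
# Expected order: [0] VMCA signing cert, [1..n-2] intermediates, [n-1] self-signed root.
# Assumes plain PEM input and the openssl CLI on PATH.
set -u

# split_chain FILE OUTDIR: write each PEM block to OUTDIR/cert-<i>.pem and print the count.
split_chain() {
  local file="$1" dir="$2" n=0 out="" line
  mkdir -p "$dir"
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      "-----BEGIN CERTIFICATE-----")
        out="$dir/cert-$n.pem"
        printf '%s\n' "$line" > "$out" ;;
      "-----END CERTIFICATE-----")
        printf '%s\n' "$line" >> "$out"
        n=$((n + 1)); out="" ;;
      *)
        if [ -n "$out" ]; then printf '%s\n' "$line" >> "$out"; fi ;;
    esac
  done < "$file"
  echo "$n"
}

# cert_field FILE subject|issuer: print the DN in RFC 2253 form so two DNs compare exactly.
cert_field() {
  openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed 's/^[a-z]*= *//'
}

# is_ca FILE: succeed if basicConstraints marks the certificate as a CA.
is_ca() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# validate_chain FILE: succeed only if every cert is a CA cert, each is issued by the
# next one, the last is self-signed, and the signatures verify end to end.
validate_chain() {
  local file="$1" dir n i rc=0
  dir="$(mktemp -d)"
  n="$(split_chain "$file" "$dir")"
  if [ "$n" -lt 2 ]; then
    echo "expected the signing cert plus at least a root, found $n certificate(s)" >&2
    rm -rf "$dir"; return 1
  fi
  i=0
  while [ "$i" -lt "$n" ]; do
    local cert="$dir/cert-$i.pem"
    if ! is_ca "$cert"; then
      echo "cert $i lacks basicConstraints CA:TRUE; it cannot act as a signing cert" >&2; rc=1
    fi
    if [ "$i" -lt $((n - 1)) ]; then
      if [ "$(cert_field "$cert" issuer)" != "$(cert_field "$dir/cert-$((i + 1)).pem" subject)" ]; then
        echo "cert $i was not issued by cert $((i + 1)): chain is out of order or incomplete" >&2; rc=1
      fi
    elif [ "$(cert_field "$cert" issuer)" != "$(cert_field "$cert" subject)" ]; then
      echo "last cert is not self-signed: the root certificate is missing" >&2; rc=1
    fi
    i=$((i + 1))
  done
  # Cryptographic check: the signing cert must verify up to the root through the intermediates.
  local untrusted="$dir/untrusted.pem" verify_out
  : > "$untrusted"
  i=1
  while [ "$i" -lt $((n - 1)) ]; do cat "$dir/cert-$i.pem" >> "$untrusted"; i=$((i + 1)); done
  if [ "$n" -gt 2 ]; then
    verify_out="$(openssl verify -CAfile "$dir/cert-$((n - 1)).pem" -untrusted "$untrusted" "$dir/cert-0.pem" 2>&1)"
  else
    verify_out="$(openssl verify -CAfile "$dir/cert-$((n - 1)).pem" "$dir/cert-0.pem" 2>&1)"
  fi
  if ! printf '%s\n' "$verify_out" | grep -q ': OK'; then
    echo "signature verification failed: $verify_out" >&2; rc=1
  fi
  rm -rf "$dir"
  return "$rc"
}

# Usage: bash validate_chain.sh /tmp/ssl/root_signing_chain.cer
if [ "$#" -gt 0 ]; then validate_chain "$1"; exit "$?"; fi
```

    A non-zero exit with a message on stderr tells you what to fix in the text file before step 10 (a reversed order, a missing intermediate, or a certificate from the CA that was not issued with CA:TRUE and therefore cannot sign the Machine SSL and Solution User certificates).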

  10. Return to the vSphere 6.0 Certificate Manager and select Option 1 (Continue to importing Custom certificate(s) and key(s) for VMCA Root Signing certificate).

  11. Provide the full path to the root_signing_chain.cer and vmca_issued_key.key.

    For example:

    Platform Service Controller Appliance:

    Please provide valid custom certificate for Root.
    File : /tmp/ssl/root_signing_chain.cer

    Please provide valid custom key for Root.
    File : /tmp/ssl/vmca_issued_key.key


    Windows Platform Service Controller:

    Please provide valid custom certificate for Root.
    File : C:\ssl\root_signing_chain.cer

    Please provide valid custom key for Root.
    File : C:\ssl\vmca_issued_key.key

  12. Answer Yes (Y) to the confirmation request to proceed.

  13. Restart all services on any external vCenter Server nodes pointing to this Platform Services Controller. For more information on how to restart vCenter Server services, see Stopping, starting, or restarting VMware vCenter Server 6.x services (2109881) or Stopping, starting, or restarting VMware vCenter Server Appliance 6.0 services (2109887).
