How to replace default vCenter VMCA certificate with Microsoft CA signed certificate



    VMCA (VMware Certificate Authority) is one of the components of the PSC (Platform Services Controller) built into vCenter Server 6.x. VMCA is a certificate authority and works much like a Microsoft CA: it can issue certificates to VMware components such as vCenter and ESXi servers. In my previous blog, How to import default vCenter server appliance VMCA root certificate and refresh CA certificate on ESXi, I showed how to keep the existing default VMCA root certificate and trust it across your organization using Group Policy or manually, which doesn't require much effort.

    Your internal Information Security team might want you to replace the default certificate on the vCenter appliance (VCSA) with a custom certificate issued by your in-house Certificate Authority or a trusted third-party SSL certificate. I already have my Microsoft Root CA PKI infrastructure configured in my environment.

    I keep the PSC role on the same server as the vCenter appliance, keeping future deployments and changes in mind as per this article https://blogs.vmware.com/vsphere/2018/11/external-platform-services-controller-a-thing-of-the-past.html. The first step is to create a new certificate template for the VCSA on the Microsoft certificate authority server; I followed the same steps as the VMware video at https://www.youtube.com/watch?v=epxR5Ow4QtU. Open Run, type certtmpl.msc and press OK.



    If you see the error Certificate Template: Windows could not create the object identifier list. The specified domain either does not exist or could not be contacted. Certificate templates are not available., right-click Certificate Templates, choose Connect to another writable domain controller, select a default writable domain controller and hit OK.


    From the Template Display Names find Web Server, right-click it and choose Duplicate Template. In the properties go to the Compatibility tab and, under Compatibility Settings, set the certification authority to Windows Server 2008 (Version 3 Certificate). If you need the stronger security and encryption options a newer template version enables, choose a higher OS version from the list; for backward compatibility choose a lower OS version.

    Next on General tab give a template display name.


    On the Extensions tab select Application policies, click Edit and remove Server Authentication.


    Next go to Key Usage and tick Signature is proof of origin (nonrepudiation). Finally, on the Subject Name tab make sure Supply in the request is selected, then click Apply and OK. The new certificate template now shows in the list.


    Open Server Manager, go to Tools and choose Certificate Authority. Right-click Certificate Templates, go to New >> Certificate Template to Issue, select the template created earlier and click OK to enable it on the Certificate Authority.


    Tasks on the CA server are completed. For the next tasks I will log in to the VCSA (VMware vSphere vCenter Server Appliance) using the SSH tool PuTTY. After login, launch BASH from the command prompt by typing shell; this shell session runs with root permissions.


    I need SCP to work on the VCSA; running chsh -s /bin/bash root will allow the WinSCP tool to log in.


    Run the command /usr/lib/vmware-vmca/bin/certificate-manager and select the operation Replace Machine SSL certificate with Custom Certificate by typing 1. Provide valid SSO and VC privileged user credentials to perform certificate operations. Once authentication succeeds, select the option Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate by typing 1. This launches the certool tool to generate the key and CSR.


    At the CSR and private key generation prompts, provide the information as below; this configures and creates certool.cfg.

    Provide a directory location to write the CSR(s) and PrivateKey(s) to: Output directory path: /tmp/
    Enter proper value for 'Country' [Default value : US] (must be 2 character value only) : IN
    Enter proper value for 'Name' [Default value : CA] (VCSA-CA or FQDN) : vcsa.vcloud-lab.com
    Enter proper value for 'Orgnaization' [Default value : VMware] : vcloud-lab.com
    Enter proper value for 'OrgUnit' [Default value : VMware Engineering] : IT Architects
    Enter proper value for 'State' [Default value : California] : MH
    Enter proper value for 'Locality' [Default value : Palo Alto] : Pune
    Enter proper value for 'IP Address' (Provide comma seperated values for multiple IP addresses) [optional] :  192.168.34.15, 192.168.34.20
    Enter proper value for 'Email' [Default value :  [email protected]] :  [email protected]
    Enter proper value for 'Hostname' (Provide comma separated values for multiple Hostname entries) [Enter valid Fully Qualified Domain Name(FQDN), For Example : example.domain.com] : vcsa, vcsa.vcloud-lab.com
    Enter proper value for VMCA 'Name' : vcsa.vcloud-lab.com

    In the background it uses certool to generate vmca_issued_csr.csr and vmca_issued_key.key under the provided folder location /tmp/.

    Type 2 to Exit Certificate-Manager.


    Download the newly generated files from the VCSA using the WinSCP tool: vmca_issued_key.key and vmca_issued_csr.csr from the /tmp folder.


    On the Microsoft Active Directory Certificate Services web site (certsrv), click Request a certificate.


    Click submit an advanced certificate request.


    Open vmca_issued_csr.csr in Notepad, copy all the content from begin to end and paste it into the Base-64-encoded certificate request (CMC or PKCS #10 or PKCS #7) text box. Under Certificate Template select the earlier created template VCSA and press the Submit button.


    The certificate is issued now; choose Base 64 encoded, then Download certificate (certnew.cer) and Download certificate chain (certnew.p7b).


    The downloaded certnew.p7b cannot be imported directly on the VCSA. It contains the Root CA certificate, which I will export to a .CER file: open the .p7b, select the Root CA certificate, right-click and choose All Tasks > Export. This launches the Certificate Export Wizard; select Base-64 encoded X.509 (.CER) and press Next. Browse to a directory location and give the file a meaningful name such as rootca.cer, saving the certificate with the .cer extension.


    Review the settings on the last page and click Finish; it should show the message The export was successful.


    Upload certnew.cer and rootca.cer to the VCSA using the WinSCP tool.


    On the VCSA run the command /usr/lib/vmware-vmca/bin/certificate-manager. Select option 1. Replace Machine SSL certificate with Custom Certificate and provide the admin username and password. Then select option 2. Import custom certificate(s) and key(s) to replace existing Machine SSL certificate by typing the digit 2.


    Provide the certificate file paths as below:

    Custom certificate for Machine SSL File:  /tmp/certnew.cer 
    Custom key for Machine SSL File: /tmp/vmca_issued_key.key
    The signing certificate of the Machine SSL certificate File: /tmp/rootca.cer

    Press Y to continue replacing the Machine SSL cert with the custom cert. Deployment takes some time; if everything is good and OK, the last lines will read:
    Updated 32 service(s)
    Status : 100% Completed [All tasks completed successfully]

    If you provide an incorrect certificate during deployment, you will see an error similar to depth lookup:certificate.
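The three files handed to certificate-manager can be checked against each other before option 2 is run, which avoids a failed deployment and the lookup error above. The script below is an added example, not code from the original post or from VMware: it assumes openssl is available on the VCSA shell (or on a Linux workstation the files were copied to), uses the file names from this post, and goes one step further than the wizard step by pulling the self-signed certificate out of any PKCS#7 bundle such as certnew.p7b. make_lab_fixture builds constructed throw-away keys and certificates so the checks can be exercised without a real CA; the check functions themselves take whatever paths you give them.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks on the files handed
# to certificate-manager, run with openssl on the VCSA shell (or any Linux box).
# File names mirror the post: certnew.cer, vmca_issued_key.key, rootca.cer, certnew.p7b.

# Command-line equivalent of the Certificate Export Wizard step: pull the self-signed
# (root) certificate out of a PKCS#7 bundle and write it as Base-64 X.509 (.cer).
# Fails (non-zero) if the bundle carries no self-signed certificate at all.
root_from_p7b() {            # usage: root_from_p7b certnew.p7b rootca.cer
    openssl pkcs7 -print_certs -in "$1" |
    awk '/^subject=/ { s = $0; sub(/^subject=/, "", s) }
         /^issuer=/  { i = $0; sub(/^issuer=/, "", i) }
         /^-----BEGIN CERTIFICATE-----/ { keep = (s == i) }   # self-signed: subject == issuer
         keep { print }
         /^-----END CERTIFICATE-----/ { keep = 0 }' > "$2"
    [ -s "$2" ] && openssl x509 -in "$2" -noout >/dev/null 2>&1
}

# The issued certificate must carry the public key belonging to vmca_issued_key.key:
# derive the SubjectPublicKeyInfo from both sides and compare them.
cert_key_match() {           # usage: cert_key_match certnew.cer vmca_issued_key.key
    _c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    _k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$_c" ] && [ "$_c" = "$_k" ]
}

# The signing certificate file must actually validate the leaf; a wrong or
# incomplete chain here is what certificate-manager later rejects.
chain_ok() {                 # usage: chain_ok rootca.cer certnew.cer
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print the Subject Alternative Names (e.g. DNS:vcsa,DNS:vcsa.vcloud-lab.com) so the
# hostnames typed at the certool prompts can be confirmed on the issued certificate.
sans_of() {                  # usage: sans_of certnew.cer
    openssl x509 -in "$1" -noout -text |
    awk '/Subject Alternative Name/ { getline; gsub(/ /, ""); print; exit }'
}

# Run all checks in the order certificate-manager asks for the files.
precheck() {                 # usage: precheck certnew.cer vmca_issued_key.key rootca.cer
    cert_key_match "$1" "$2" || { echo "FAIL: $1 does not match $2"; return 1; }
    chain_ok "$3" "$1"       || { echo "FAIL: $1 does not chain to $3"; return 1; }
    echo "OK: certificate, key and signing certificate are consistent"
    echo "SANs: $(sans_of "$1")"
}

# Constructed lab fixture (throw-away keys, not real certificates): a root CA, a CSR
# with the SANs from the post, the signed leaf, an unrelated key and a p7b bundle.
make_lab_fixture() {         # usage: make_lab_fixture /some/empty/dir
    _d="$1"
    printf '%s\n' '[req]' 'prompt = no' 'distinguished_name = dn' \
        'x509_extensions = v3_ca' '[dn]' 'CN = Lab Root CA' '[v3_ca]' \
        'basicConstraints = critical, CA:TRUE' \
        'keyUsage = critical, keyCertSign, cRLSign' > "$_d/ca.cnf"
    openssl req -x509 -config "$_d/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
        -keyout "$_d/ca.key" -out "$_d/ca.crt" 2>/dev/null
    openssl req -new -config "$_d/ca.cnf" -subj "/CN=vcsa.vcloud-lab.com" \
        -newkey rsa:2048 -nodes -keyout "$_d/vmca_issued_key.key" \
        -out "$_d/vmca_issued_csr.csr" 2>/dev/null
    printf 'subjectAltName=DNS:vcsa,DNS:vcsa.vcloud-lab.com\n' > "$_d/san.ext"
    openssl x509 -req -days 1 -set_serial 1 -in "$_d/vmca_issued_csr.csr" \
        -CA "$_d/ca.crt" -CAkey "$_d/ca.key" -extfile "$_d/san.ext" \
        -out "$_d/certnew.cer" 2>/dev/null
    openssl genpkey -algorithm RSA -out "$_d/wrong.key" 2>/dev/null
    openssl crl2pkcs7 -nocrl -certfile "$_d/certnew.cer" -certfile "$_d/ca.crt" \
        -out "$_d/certnew.p7b"
}
```

On the appliance this is run as precheck /tmp/certnew.cer /tmp/vmca_issued_key.key /tmp/rootca.cer after the WinSCP upload; the same chain_ok check can be repeated after the replacement against the certificate the appliance now serves, captured with openssl s_client -connect vcsa.vcloud-lab.com:443 -showcerts.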


    After opening the VCSA URL in a browser, below are the changes before and after the replacement. To trust the root certificate you can add it to Trusted Root Certification Authorities as shown in my earlier article How to import default vCenter server appliance VMCA root certificate and refresh CA certificate on ESXi.





    http://vcloud-lab.com/entries/vcenter-server/How-to-replace-default-vCenter-VMCA-certificate-with-Microsoft-CA-signed-certificate


© Lightnetics 2024