If you are running vCSA 6.x, you may want to replace the default certificate (issued by the built-in VMCA and therefore not trusted by your browsers) with one signed by your enterprise PKI, so that browsers stop raising security warnings. Active Directory Certificate Services (AD CS) is an enterprise PKI, and in this topic I'll show you how to replace the vCSA 6.5u1 certificate with a custom certificate signed by it.
Once the certificate is replaced, the browser no longer warns about an untrusted certificate, so users are no longer trained to click through such warnings. More importantly, a certificate issued by a CA your clients already trust is what actually lets them verify the identity of the vCSA and detect a forged or intercepted connection.
Requirements
To follow this topic, you need a working PKI based on AD CS. The root and intermediate CA certificates must already be distributed to your computer (in the Trusted Root and Intermediate Certification Authorities stores). You also need a working vCSA 6.5u1 with SSH enabled and the bash shell enabled.
Generate a certificate request
First, connect to the vCSA over SSH and start bash by typing shell at the appliance prompt. Then run /usr/lib/vmware-vmca/bin/certificate-manager. At the first menu, choose option 1 (Replace Machine SSL certificate with Custom Certificate).
Enter the SSO administrator credentials and choose option 1 again (Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate).
Then specify the following values (they end up in the subject and the subjectAltName of the request):
- Output directory path: the directory where the private key and the request will be written
- Country: your country as a two-letter code
- Name: the FQDN of your vCSA (this becomes the CN)
- Organization: your organization name
- OrgUnit: the name of your unit
- State: your state or province
- Locality: your city
- IPAddress: the vCSA IP address (added to the request as an IP subjectAltName)
- Email: your e-mail address
- Hostname: the FQDN of your vCSA (added as the DNS subjectAltName, which is the name browsers check)
- VMCA Name: the FQDN of the node that runs VMCA: the vCSA itself with an embedded PSC, or the external PSC if you have one
Once the private key and the request have been generated, you need to copy the CSR off the appliance with WinSCP. WinSCP cannot work through the appliance shell, so first switch the root account's login shell to bash on the vCSA (chsh -s /bin/bash root).
Download WinSCP from its website and install it. Configure an SFTP/SCP connection to the vCSA FQDN as root.
Once connected to your vCSA, download the vmca_issued_csr.csr file. Leave the private key (vmca_issued_key.key) on the appliance: the CA only ever needs the request, never the key.
Sign the request with ADCS
Open the Certification Authority console and right-click the name of your CA. Select All Tasks | Submit new request… and pick the CSR file you downloaded from the vCSA.
Then go to Pending Requests, right-click the request and select All Tasks | Issue.
Now go to Issued Certificates and double-click the certificate you just issued. Open the Details tab and click Copy to File….
Export the certificate in Base-64 encoded X.509 (.CER) format: certificate-manager expects PEM, which is what this option produces.
With WinSCP, copy the signed certificate and the CA certificate back to the vCSA.
N.B.: If your PKI is multi-tier (a Root CA and one or more Sub CAs), concatenate every CA certificate of the chain into a single .pem file, the issuing Sub CA first and the Root CA last.
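Before running the import, it is worth checking the three files on the vCSA itself, because the import and the browser depend on exactly three properties: the signed certificate must match the private key generated with the CSR, the chain file must let the certificate validate up to a root, and the vCSA FQDN must be present as a DNS subjectAltName. The bash script below is an added example (not part of the original post and not a VMware tool). It builds the concatenated chain file in the order certificate-manager expects (issuing CA first, root CA last) and runs the three checks with the openssl binary that ships on the appliance. The key and CSR file names are certificate-manager's defaults; the names of the signed certificate (vmca_issued_csr.cer), the CA files (sub.cer, root.cer), the chain file (vmca_issued_con.pem) and the demo FQDN vcsa.demo.local are assumptions made here. The two-tier demo PKI it can generate is constructed test data standing in for AD CS; it also puts the short host name in the SAN so that check can be exercised too.

```shell
#!/bin/bash
# Added example, not from the original post: pre-import checks for the three
# files certificate-manager option 2 asks for. Runs on the vCSA (openssl is
# present) or on any Linux host. Key/CSR names are certificate-manager's
# defaults; CA/chain file names and the demo FQDN are assumptions.
set -eu

# Chain file for a multi-tier PKI: issuing (sub) CA first, root CA last.
# Re-emitting each file through "openssl x509" drops CRLF line endings and
# any non-PEM residue a Windows export may have added.
build_chain() {            # build_chain OUT.pem SUBCA.cer [...] ROOT.cer
    local out=$1; shift
    : > "$out"
    for f in "$@"; do
        openssl x509 -in "$f" >> "$out"
    done
}

# The signed certificate must carry the public key of the key file that was
# generated with the CSR; compare SHA-256 of both DER-encoded public keys.
key_matches_cert() {       # key_matches_cert KEY CERT
    local kh ch
    kh=$(openssl pkey -in "$1" -pubout -outform DER | openssl sha256)
    ch=$(openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER | openssl sha256)
    [ "$kh" = "$ch" ]
}

# The chain file must validate the certificate; root alone (missing
# intermediate) is not enough and fails here.
chain_verifies() {         # chain_verifies CHAIN.pem CERT
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Browsers match the host name against subjectAltName, not the CN.
# Exact match on one "DNS:name" entry of the SAN line.
san_contains() {           # san_contains CERT NAME
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed 's/^ *//' \
        | grep -qxF "DNS:$2"
}

# Constructed test data (not real infrastructure): a two-tier demo PKI plus a
# vCSA key/certificate, standing in for the AD CS root, the issuing sub CA and
# the files certificate-manager option 1 would produce.
make_demo_pki() {          # make_demo_pki DIR FQDN
    local d=$1 fqdn=$2
    mkdir -p "$d"
    (
    cd "$d"
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = placeholder\n' > req.cnf
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s,DNS:%s,IP:10.0.0.10\n' \
        "$fqdn" "${fqdn%%.*}" > ee.ext
    openssl req -new -newkey rsa:2048 -nodes -config req.cnf -subj "/CN=Demo Root CA" \
        -keyout root.key -out root.csr 2>/dev/null
    openssl x509 -req -in root.csr -signkey root.key -days 30 -sha256 -extfile ca.ext -out root.cer 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config req.cnf -subj "/CN=Demo Issuing CA" \
        -keyout sub.key -out sub.csr 2>/dev/null
    openssl x509 -req -in sub.csr -CA root.cer -CAkey root.key -CAcreateserial \
        -days 30 -sha256 -extfile ca.ext -out sub.cer 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config req.cnf \
        -subj "/C=FR/ST=Ile-de-France/L=Paris/O=Demo/OU=IT/CN=$fqdn" \
        -keyout vmca_issued_key.key -out vmca_issued_csr.csr 2>/dev/null
    openssl x509 -req -in vmca_issued_csr.csr -CA sub.cer -CAkey sub.key -CAcreateserial \
        -days 30 -sha256 -extfile ee.ext -out vmca_issued_csr.cer 2>/dev/null
    openssl genrsa -out wrong.key 2048 2>/dev/null   # unrelated key, for the mismatch case
    )
}

# All checks in one go, as you would run them before option 2; 0 only if all pass.
precheck() {               # precheck DIR FQDN
    local d=$1 fqdn=$2 ok=0
    build_chain "$d/vmca_issued_con.pem" "$d/sub.cer" "$d/root.cer"
    key_matches_cert "$d/vmca_issued_key.key" "$d/vmca_issued_csr.cer" \
        && echo "key/cert match: OK" || { echo "key/cert match: FAIL"; ok=1; }
    chain_verifies "$d/vmca_issued_con.pem" "$d/vmca_issued_csr.cer" \
        && echo "chain validates: OK" || { echo "chain validates: FAIL"; ok=1; }
    san_contains "$d/vmca_issued_csr.cer" "$fqdn" \
        && echo "SAN has $fqdn: OK" || { echo "SAN has $fqdn: FAIL"; ok=1; }
    return $ok
}

if [ $# -eq 2 ]; then      # ./precheck.sh DIR FQDN; an empty DIR gets the demo PKI
    [ -e "$1/vmca_issued_csr.cer" ] || make_demo_pki "$1" "$2"
    precheck "$1" "$2"
fi
```

Run it as ./precheck.sh /root/certs vcsa.example.com against the real files (with the signed certificate saved as vmca_issued_csr.cer and the CA exports as sub.cer and root.cer); with an empty directory it builds the demo PKI first. Everything runs locally on the appliance, nothing is sent to the CA, and the private key never leaves the directory it was generated in.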
Replace vCSA 6.5u1 certificate
Run /usr/lib/vmware-vmca/bin/certificate-manager again and select option 1. Enter the administrator credentials, and this time select option 2 (Import custom certificate(s) and key(s) to replace existing Machine SSL certificate).
Then give the paths of the signed certificate, the private key (the vmca_issued_key.key generated earlier) and the CA certificate (or, for a multi-tier PKI, the single PEM file with the concatenated CA certificates, issuing CA first and root CA last).
If the files are valid, you will see each service being updated in turn. When all services have been updated, the vCSA services restart.
N.B.: I have seen in production that the certificate replacement fails because of a plugin. In that case, the output shows which service causes the issue. Disable the plugin and try again.
Once the vCSA has restarted, connect to the web client with a browser. You should see your custom certificate, as below:
Hi! It's a cool guide, but after the vCSA has restarted I see an error in my browser. The certificate is not trusted. I used the vCSA name rn-vcsa.vmware.firma.com. What am I doing wrong?
Hi,
Have you downloaded the root CA (and intermediate) certificates and placed them into your computer's certificate store?
You can download the CA certificate from https://YourCAserver/certsrv
On the home page, choose "Download a CA certificate, certificate chain, or CRL". Download it in Base 64 to upload it through WinSCP to the vCenter as indicated in the instructions above.
Perfect! Thank you for this step-by-step guide )))
But in the field "VMCA Name" you need to provide the FQDN of your CA (in my case, the FQDN of the Root CA of AD CS).
I always provide the FQDN of vCenter in VMCA Name and it works :). Maybe I made a mistake.
Hi,
I’ve just found the solution here: https://kb.vmware.com/s/article/2136693
Kind regards!
Does the certificate require having the short name as a SAN? I.e. vcsa.domain.local with a SAN of vcsa?
Hi,
I always set the FQDN for the SAN. Then, if I remember well, the wizard adds the short name automatically.
Can you do the same with a local CA? Because from my AD the CA console doesn't recognize the CSR file, just .req, .txt, .cmc, .der, not .csr as a request file :(
"The request does not contain a certificate template extension or the certificate template request attribute…." What about that error when trying to submit?
Use the certreq command with the -attrib option: certreq.exe -submit -attrib "CertificateTemplate:FroWebServer" certifcatesigningrequest.csr
Done it, but it seems that you can achieve the same by doing it from the web: https://CAserver/certsrv
I don’t like the web interface. I never use it 🙂
From the server with IE I wasn't able to see all the template options; after accessing from my PC with Chrome (¡? hahah) all the options were available.
(still wonder why you don´t like it!? XD)
Thanks for the tutorial, my friend, it was very useful. Keep on doing such great work.
It works only using these 3 files with VCSA 6.5 Update 3:
- signed VCSA certificate file: vcsa_issued_csr_cer
- private VCSA key file: vcsa_issued_key.key
- concatenated intermediate + root PEM file (copy/paste in the vi editor): vcsa_issued_con.pem