vSphere 6 includes a new certificate authority that issues certificates for all of the different components within your environment to ensure communications are secure. If you want to use VMCA as a Subordinate CA from an Enterprise CA in your environment you need to change the VMCA Root Certificate on the Platform Services Controller (PSC) prior to installing vCenter or adding any new components to the environment. This article covers the steps in brief assuming you have a Windows based PSC and a Windows Enterprise CA (based on Windows 2012 R2).
The following assumes you are executing these commands from a Windows Platform Services Controller with vSphere 6.0. Note: Anywhere you see a single dash on this page it should be two dashes without a space – -. You may get errors if you just copy the text from this page.
Back up and edit “C:\Program Files\VMware\vCenter Server\vmcad\certool.cfg”, the default looks like this:
Country = US Name= Acme Organization = AcmeOrg OrgUnit = AcmeOrg Engineering State = California Locality = Palo Alto IPAddress = 127.0.0.1 Email = email@example.com Hostname = server.acme.com
“C:\Program Files\VMware\vCenter Server\vmcad\certool” –initcsr –privkey=privatekey.pem –pubkey=publickey.pem –csrfile=myrequest.csr
Submit the request to your CA, if you’re using a Windows CA (for example 2012 R2), you may be able to use the web interface or the command line tools. Ensure the certificate request is submitted as a Subordinate Certificate Authority request. For the web certificate submission use http://<YourCA>/CertSrv. In most enterprise environments you would likely send the request to your security team or the team that manages the PKI environment.
When your request is approved download the certificate and certificate chain in base 64 encoded format. Download the Root CA Cert also in base 64 encoded format.
Now we have to create the combined VMCA and Root CA certificate chain file in pem format. To do this we copy the VMCA certificate and then the Root CA certificate to a new file.
type vmcacert.crt >> vmcaroot.pem
type rootcacert.crt >>vmcaroot.pem
This creates the combined pem file with both the VMCA Certificate and the Root CA certificate.
Your should now stop all services and start only those services to do with certificate management:
“C:\Program Files\VMware\vCenter Server\bin\service-control” –stop –all
“C:\Program Files\VMware\vCenter Server\bin\service-control” –start VMWareAfdService
“C:\Program Files\VMware\vCenter Server\bin\service-control” –start VMWareDirectoryService
“C:\Program Files\VMware\vCenter Server\bin\service-control” –start VMWareCertificateService
Now you add the new root VMCA certificate to the Platform Services Controller.
“C:\Program Files\VMware\vCenter Server\vmcad\certool” –rootca –cert=vmcaroot.pem –privkey=privatekey.pem
If you’ve done everything right you should get a message saying Status: Success
Now you can start all of the services again.
“C:\Program Files\VMware\vCenter Server\bin\service-control” –start –all
Note: For those wondering, yes the W in the service names is capital. Whoever wrote these service names didn’t talk to the marketing department about the capatalisation standards.
To verify the new root cert has been applied correctly run the following command:
“C:\Program Files\VMware\vCenter Server\vmcad\certool” –getrootca
If you want to remove the original root certificate then you will have to refresh the Security Token Service (STS) Root Certificate, and replace the VMware Directory Service Certificate.
Now your VMCA as part of your PSC will issue certificates with the correct certificate chain and be trusted by any members of your domain. The communications between the components in your VMware vSphere 6 environment will be secure, and you shouldn’t get those annoying warning messages popping up.
This post first appeared on the Long White Virtual Clouds blog at longwhiteclouds.com. By Michael Webster +. Copyright © 2012 – 2015 – IT Solutions 2000 Ltd and Michael Webster +. All rights reserved. Not to be reproduced for commercial purposes without written permission.