vSphere 6 includes a new certificate authority, the VMware Certificate Authority (VMCA), that issues certificates for all of the different components within your environment so that communications between them are secure. If you want to use VMCA as a Subordinate CA of an Enterprise CA in your environment, you need to change the VMCA Root Certificate on the Platform Services Controller (PSC) before installing vCenter or adding any new components to the environment. This article covers the steps in brief, assuming you have a Windows-based PSC and a Windows Enterprise CA (based on Windows 2012 R2).
The following assumes you are executing these commands from a Windows Platform Services Controller with vSphere 6.0. Note: every certool and service-control option below is preceded by two dashes with no space between them (--). Web rendering and copy/paste can turn them into a single dash, and the tools will return errors if you paste the text in that form.
Back up and edit "C:\Program Files\VMware\vCenter Server\vmcad\certool.cfg". The default looks like this (one key per line):
Country = US
Name = Acme
Organization = AcmeOrg
OrgUnit = AcmeOrg Engineering
State = California
Locality = Palo Alto
IPAddress = 127.0.0.1
Email = firstname.lastname@example.org
Hostname = server.acme.com
"C:\Program Files\VMware\vCenter Server\vmcad\certool" --initcsr --privkey=privatekey.pem --pubkey=publickey.pem --csrfile=myrequest.csr
Submit the request to your CA. If you are using a Windows CA (for example 2012 R2), you may be able to use either the web interface or the command-line tools. Ensure the certificate request is submitted as a Subordinate Certificate Authority request. For web submission use http://<YourCA>/CertSrv. In most enterprise environments you would likely send the request to your security team or to the team that manages the PKI environment.
When your request is approved, download the certificate and certificate chain in Base64-encoded format. Download the Root CA certificate in Base64-encoded format as well.
Now we have to create the combined VMCA and Root CA certificate chain file in PEM format. To do this we copy the VMCA certificate and then the Root CA certificate into a new file, in that order:
type vmcacert.crt >> vmcaroot.pem
type rootcacert.crt >>vmcaroot.pem
This creates the combined pem file with both the VMCA Certificate and the Root CA certificate.
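Before handing the combined file to certool it is worth checking that it is what the next step expects. The following PowerShell script is an added example, not part of the original post or of VMware's tooling; it assumes the file name vmcaroot.pem and the order used above (VMCA certificate first, enterprise root second), and uses only the .NET X509 classes that ship with Windows PowerShell.

```powershell
# Added example (not from the original post): sanity-check the combined chain
# file before running "certool --rootca". Assumes the post's layout: the VMCA
# (subordinate) certificate first, then the enterprise root certificate.
param(
    [string]$ChainFile = 'vmcaroot.pem'   # assumed path: the file built with the two "type" commands
)

$pemText = Get-Content -Path $ChainFile -Raw

# "type a >> b" adds no newline, so if vmcacert.crt has no trailing newline the
# END and BEGIN markers end up on one line, which most PEM readers reject.
if ($pemText -match '-----END CERTIFICATE----------BEGIN CERTIFICATE-----') {
    Write-Warning 'END and BEGIN markers share a line; insert a line break between the two certificates.'
}

# Split the file into its certificate blocks, in file order.
$pattern = '-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----'
$blocks  = [regex]::Matches($pemText, $pattern, [System.Text.RegularExpressions.RegexOptions]::Singleline)
if ($blocks.Count -lt 2) {
    throw "Expected at least two certificates (VMCA, then root CA) in $ChainFile; found $($blocks.Count). Were both files downloaded as Base64 rather than DER?"
}

$certs = foreach ($b in $blocks) {
    $der = [Convert]::FromBase64String(($b.Groups[1].Value -replace '\s', ''))
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
}

# Compare distinguished names by their DER encoding rather than by display string.
function Get-DnBase64([System.Security.Cryptography.X509Certificates.X500DistinguishedName]$dn) {
    [Convert]::ToBase64String($dn.RawData)
}

# 1. Chain order: each certificate must be issued by the one that follows it,
#    and the last one must be self-signed (the enterprise root).
for ($i = 0; $i -lt $certs.Count - 1; $i++) {
    if ((Get-DnBase64 $certs[$i].IssuerName) -ne (Get-DnBase64 $certs[$i + 1].SubjectName)) {
        throw "Certificate $i ($($certs[$i].Subject)) is not issued by certificate $($i + 1) ($($certs[$i + 1].Subject)); check the order in $ChainFile."
    }
}
$last = $certs[-1]
if ((Get-DnBase64 $last.IssuerName) -ne (Get-DnBase64 $last.SubjectName)) {
    throw "Last certificate ($($last.Subject)) is not self-signed; the enterprise root is missing from the chain."
}

# 2. The VMCA certificate must itself be a CA certificate allowed to sign
#    certificates; a request issued from an end-entity template will not be.
$vmca = $certs[0]
$bc = $vmca.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw "VMCA certificate ($($vmca.Subject)) lacks basicConstraints CA:TRUE; resubmit the CSR as a Subordinate Certification Authority request."
}
$ku = $vmca.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
if ($ku -and (($ku.KeyUsages -band [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyCertSign) -eq 0)) {
    throw 'VMCA certificate key usage does not include KeyCertSign.'
}

# 3. Validity window, then a chain build against this host's trust store (the
#    enterprise root should already be trusted on a domain-joined PSC).
$now = Get-Date
foreach ($c in $certs) {
    if ($now -lt $c.NotBefore -or $now -gt $c.NotAfter) { throw "$($c.Subject) is outside its validity period." }
}
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$certs[1..($certs.Count - 1)] | ForEach-Object { [void]$chain.ChainPolicy.ExtraStore.Add($_) }
if (-not $chain.Build($vmca)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning "$($_.Status): $($_.StatusInformation.Trim())" }
    throw 'Chain build failed; make sure the enterprise root is in Trusted Root Certification Authorities on this host.'
}

"OK: $($certs.Count) certificates; VMCA '$($vmca.Subject)' chains to root '$($last.Subject)'. Ready for certool --rootca."
```

Run it from the directory holding vmcaroot.pem (or pass -ChainFile with a full path). Revocation checking is disabled on purpose so the script works before the PSC has any outbound access to the CA's CRL or OCSP endpoint; the check that matters here is the subject/issuer order and the CA flag on the VMCA certificate, since those are the two mistakes that make the later --rootca step or the certificates it issues fail.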
You should now stop all services and start only those services to do with certificate management:
"C:\Program Files\VMware\vCenter Server\bin\service-control" --stop --all
"C:\Program Files\VMware\vCenter Server\bin\service-control" --start VMWareAfdService
"C:\Program Files\VMware\vCenter Server\bin\service-control" --start VMWareDirectoryService
"C:\Program Files\VMware\vCenter Server\bin\service-control" --start VMWareCertificateService
Now you add the new root VMCA certificate to the Platform Services Controller.
"C:\Program Files\VMware\vCenter Server\vmcad\certool" --rootca --cert=vmcaroot.pem --privkey=privatekey.pem
If you have done everything right you should get a message saying Status : Success.
Now you can start all of the services again.
"C:\Program Files\VMware\vCenter Server\bin\service-control" --start --all
Note: For those wondering, yes, the W in the service names is capital. Whoever wrote these service names didn't talk to the marketing department about the capitalisation standards.
To verify the new root cert has been applied correctly run the following command:
"C:\Program Files\VMware\vCenter Server\vmcad\certool" --getrootca
If you want to remove the original root certificate, you will also have to refresh the Security Token Service (STS) Root Certificate and replace the VMware Directory Service certificate.
Now the VMCA on your PSC will issue certificates with the correct certificate chain, and they will be trusted by any members of your domain. Communications between the components in your VMware vSphere 6 environment will be secure, and you shouldn't get those annoying warning messages popping up.
This post first appeared on the Long White Virtual Clouds blog at longwhiteclouds.com. By Michael Webster +. Copyright © 2012 – 2015 – IT Solutions 2000 Ltd and Michael Webster +. All rights reserved. Not to be reproduced for commercial purposes without written permission.
I was looking at the doc about Refresh the Security Token Service (STS) Root Certificate but I really don’t understand the instructions… did you investigate the matter?
I don't even know if I need it. I used the vSphere Certificate Manager utility, but I don't see the original root CA listed, so I believe I should refresh the STS Root Cert.
Hi Andrea, The documentation is not easy to follow and doesn't actually work. Derek Seaman has written a series of blogs on how to get the certificates working and also the whole install of vSphere 6. I would recommend you check out what he has written – http://www.derekseaman.com/2015/04/vsphere-6-0-in…. If that doesn't cover the particular bit you're after then there are VMware KB's on 5.5, but the 6.0 KB's aren't yet available from what I've seen. I would suggest logging a support request with VMware. The more customers who seek to get the process improved the better.
Thank you for your reply, I’m in the process of writing about just the same subject using the VCSA 6 and I can’t find directions about the specific subject I asked you about.
Thank you for the links too!
This kinda works, but not completely. You will get some problems later, at least I did. Had to change the cert to a self-signed one again:
C:\Program Files\VMware\vCenter Server\vmcad>certool.exe --selfca --config selfcert.cfg
Using config file : selfcert.cfg
Status : Success
After doing this I was able to use VMware's built-in certificate-manager, and I used the same certificate as I did with certool mentioned in this blog.
I actually followed the steps for "Replace VMCA Root certificate with Custom Signing Certificate and replace all Certificates (Using VMCA as a subordinate CA)" as described in this blog posting:
Does it also sign the Update Services certificate, or do I need to do this manually?
If not, how do I generate a new cert for the Update Services?