How to configure vCenter 6.5 as a Subordinate CA

After getting thoroughly annoyed with clicking “Advanced” and then “Proceed to vCenter (unsafe)” every single time I needed to open the vSphere Web Client, it was time for me to solve this once and for all.

Subordinate CA

Let’s get started!

  • Configured Microsoft CA (link)
  • vSphere and vCenter Certificate Templates (link)

Generate Certificate Signing Request (CSR)

SSH to your vCenter Server if it runs with the embedded Platform Services Controller (PSC), or SSH to the PSC itself if you use an external PSC.

Enable the BASH shell and set it as the default shell (link).

Run /usr/lib/vmware-vmca/bin/certificate-manager and select option 2.

Read More

Automating the vRealize Automation Manager Service Failover

During a couple of vRealize Automation (vRA) design engagements I had to explain that the vRealize Automation Manager Service has no automated failover process (it is active/passive) and relies on manual intervention. This was quite hard for the customers to understand and accept, because other vRA components like the Web Service are redundant in an active/active fashion.

So what does the vRA Manager Service actually do (link)?

The Manager Service is a Windows service that coordinates communication between IaaS DEMs, the SQL Server database, agents, and SMTP. IaaS requires that only one Windows machine actively run the Manager Service. For backup or high availability, you may deploy additional Windows machines where you manually start the Manager Service if the active service stops.

And that last part is what my customers didn’t like (at all), because it depends on a person starting the service manually. So how can we solve this?

Automating the Manager Service Failover

I like to keep things simple, and my first idea was to automate the Manager Service failover with vRealize Operations (vROps) monitoring the service and kicking off an action when the service is down. Eventually I got this to work, but it took way too much effort and I didn’t like the complex setup: vROps sends an SNMP trap to vRO, which then kicks off a PowerShell script on the vRA IaaS Manager server. So back to the drawing board, and the solution was way too simple… a scheduled task on the secondary vRA IaaS Manager server that checks the Manager Service on the primary and starts it locally when that service is down.

  • The PowerShell execution policy allows scripts to run
  • The scheduled task runs under the vRA service account
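The check such a scheduled task performs, as an added example written for this page and not the post’s own script: it assumes Windows PowerShell 5.1 (Get-Service -ComputerName is not available in PowerShell 7), and the primary host name, service name and log path are placeholders to replace with your own values.

```powershell
# Added example, not the post's script. Runs from a scheduled task on the
# secondary vRA IaaS Manager server under the vRA service account, which needs
# rights to query services on the primary. Host, service and log path are placeholders.
$PrimaryHost = 'vra-iaas-mgr-01.example.local'    # placeholder: primary Manager server
$ServiceName = 'vCloud Automation Center Service' # placeholder: service name, not display name
$LogFile     = 'C:\Scripts\ManagerServiceFailover.log'

function Write-Log([string]$Message) {
    "$(Get-Date -Format 's') $Message" | Out-File -FilePath $LogFile -Append
}

# 1. Query the service on the primary. If the primary cannot be reached at all,
#    do NOT fail over: a network blip must not produce a second active Manager
#    Service, which vRA does not support. That case is only logged for a human.
try {
    $primary = Get-Service -ComputerName $PrimaryHost -Name $ServiceName -ErrorAction Stop
} catch {
    Write-Log "Could not query '$ServiceName' on ${PrimaryHost}: $($_.Exception.Message)"
    return
}

# 2. Primary is reachable and the service is running: nothing to do.
if ($primary.Status -eq 'Running') { return }

# 3. Primary is reachable but its service is stopped: start the service
#    locally, unless it is already running here.
$local = Get-Service -Name $ServiceName
if ($local.Status -ne 'Running') {
    Write-Log "'$ServiceName' is $($primary.Status) on ${PrimaryHost}; starting it locally"
    Start-Service -Name $ServiceName
    Write-Log "Local '$ServiceName' status: $((Get-Service -Name $ServiceName).Status)"
}
```

Because the script never starts the local service while the primary is merely unreachable, the log entries from step 1 are the ones to alert on; they are the signal that someone needs to look at the primary.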

The Script

    Read More