How to configure vCenter 6.5 as a Subordinate CA

After getting super annoyed with clicking “Advanced” and then “Proceed to vCenter (unsafe)” every single time I needed to go to the vSphere Web Client, it was time for me to solve this once and for all.


Let’s get started!

Pre-requisites

  • Configured Microsoft CA (link)
  • vSphere and vCenter Certificate Templates (link)

    Generate Certificate Signing Request (CSR)

    SSH to your vCenter Server when you use vCenter with an embedded Platform Services Controller (PSC), or SSH to the PSC when you use an external PSC.

    Enable the BASH shell and set it to the default shell (link).

    Run /usr/lib/vmware-vmca/bin/certificate-manager and select Option 2.

    Select Y.

    Provide the SSO and vCenter privileged user credentials.

    NOTE Anyone noticed the typo? 🙂

    Now comes the part where you have to pay attention: configuring the config files for the CSRs.

    Select Option 1.

    Provide a path to save the CSR(s) and private key(s) to, for example /tmp.

    And the last step of this is to configure the certool.cfg.

    NOTE Do not close the certificate-manager tool!

    Now open your favorite secure copy tool (for example WinSCP) and download the file vmca_issued_csr.csr from the server you created it on.


    Obtain the Subordinate CA Certificate from a Microsoft CA

    Open your favorite browser and browse to the Microsoft Certificate Authority web interface, for example http://CAFQDN/certsrv.

    Select “Request a certificate” and then select “advanced certificate request”.

    Paste the content from the vmca_issued_csr.csr file in the “Saved Request” field and select the created “Certificate Template” for the vCenter Root CA and select “Submit”.


    Save the generated certificate as a base64 chain file.


    Open the downloaded certificate chain and export the certificates from that chain.


    Here it gets interesting: the exported certificates must be merged into one certificate file. This can be done from a command prompt. If you have only a CA without an intermediate CA, run the following command:

    And if you have a CA with an intermediate CA, run the following command:
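The merge described above is a plain concatenation of the exported files (the comments below quote the Windows `type` form the author uses). As an added example that is not part of the article, the POSIX shell script below does the same join on Linux or macOS (for instance on the appliance itself once the bash shell is enabled), keeps the files in leaf-first order, and checks the result for two defects a raw concatenation can introduce; the file names follow the article, while the sample PEM blocks it writes are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example (not from the article): merge the exported certificates into
# one chain file, leaf first, like the article's concatenation step, but
# guard against two things a plain "type a b > c" does not:
#  - CRLF line endings left by the Microsoft CA export, and
#  - a file with no trailing newline, which glues "-----END CERTIFICATE-----"
#    to the next "-----BEGIN CERTIFICATE-----" and breaks the bundle.
# File names follow the article: PSC.cer, optional inter.cer, ca.cer.

# merge_chain OUTPUT LEAF.cer [INTERMEDIATE.cer] ROOT.cer
merge_chain() {
    out="$1"; shift
    : > "$out"
    for f in "$@"; do
        # strip CR; awk re-emits every line with a newline, fixing the tail
        tr -d '\r' < "$f" | awk '{ print }' >> "$out"
    done
}

# Return 0 when a file looks like a clean PEM chain: balanced markers, no
# END/BEGIN glued onto one line, no CR left over.
chain_is_sane() {
    f="$1"
    b=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$f")
    e=$(grep -c -e '-----END CERTIFICATE-----' "$f")
    [ "$b" -gt 0 ] && [ "$b" -eq "$e" ] || return 1
    grep -q -e 'END CERTIFICATE-----.*BEGIN CERTIFICATE' "$f" && return 1
    [ "$(tr -cd '\r' < "$f" | wc -c | tr -d ' ')" -eq 0 ]
}

# Print how many certificates a chain file contains.
chain_cert_count() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Write constructed sample inputs (placeholder base64, not real certificates)
# into a temp dir and print its path: PSC.cer has CRLF and no final newline,
# as a Windows export often does; ca.cer is a clean Unix PEM file.
make_sample_dir() {
    d=$(mktemp -d)
    printf '%s\r\n%s\r\n%s' '-----BEGIN CERTIFICATE-----' 'UFNDLXBsYWNlaG9sZGVy' '-----END CERTIFICATE-----' > "$d/PSC.cer"
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' 'Q0EtcGxhY2Vob2xkZXI=' '-----END CERTIFICATE-----' > "$d/ca.cer"
    echo "$d"
}

# Typical use: merge_chain vmca_issued_cer.cer PSC.cer ca.cer && chain_is_sane vmca_issued_cer.cer
```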

    Copy the vmca_issued_cer.cer back to the /tmp folder on the server where you created the CSR.

    Import the CA signed certificate on your vCenter Server with Embedded PSC

    Select Option 1.

    Provide the full path and filename for the Certificate file /tmp/vmca_issued_cer.cer and Key file /tmp/vmca_issued_key.key.

    Select Y and it’s time for coffee!

    Boom! 100% Completed! Now you can browse to your vSphere Web Client and enjoy the silence of no warning messages 🙂 .


    Import the CA signed certificate on your vCenter when you have an external PSC

    The steps to be taken are really similar to the steps above so only the steps are explained and not shown.

    SSH to your vCenter Server when using vCenter with an External Platform Service Controller (PSC).

    Enable the BASH shell and set it to the default shell (link).

    Run /usr/lib/vmware-vmca/bin/certificate-manager and select Option 3.

    Provide the SSO and vCenter privileged user credentials.

    Provide the PSC IP address.

    Provide the configuration file for the vCenter Server.

    Select Y and yes it’s time for coffee again!

    Marco van Baggum


    Works as a Virtualization Consultant for ITQ. More details can be found on the About page

    3 thoughts on “How to configure vCenter 6.5 as a Subordinate CA”

    1. Could you please take a look at this article once again.

      >Here it gets interesting, the exported certificates must be merged into one certificate. This can be done from a command prompt.
      >type PSC.cer inter.cer ca.cer > vmca_issued_cer.cer
      Where do those file names come from? You never mentioned them. The picture next to the text also only shows two certificates, not three.

      >Provide the full path and filename for the Certificate file /tmp/vmca_issued_cer.cer and Key file /tmp/vmca_issued_key.key.
      Then, right below, you write totally different file names in the field – file names we’ve never seen before.

      1. Hi,

        That is correct, I don’t have an intermediate CA server like most companies do, so I only have to run:

        type PSC.cer ca.cer > vmca_issued_cer.cer

        I’ve updated this in the article, and I’ve updated the cert file in the field, thanks for noticing 🙂

        Marco

    2. Great article, really appreciate it.

      A couple of things I ran into, just in case anyone else does too: when populating the various cfg files for the CSR the “name” field for each service was identical (vcenter). I had to use a unique “name” for each or when I imported the signed cert back in those services would fail to restart with the new cert and the vmca script would revert everything back to the default self-signed. I just used the service name (machine_ssl, machine, webclient, vpxd, vpxd-ext, etc) and it worked like a champ.

      Also, if there is anyone as OCD as I am, the “Issued To” field on the final certificate after your CA has issued it is populated from the “Name” field on the final .cfg (certool.cfg) when generating the CSR.
