How to configure vCenter 6.5 as a Subordinate CA

After getting thoroughly annoyed with clicking “Advanced” and then “Proceed to vCenter (unsafe)” every single time I needed to go to the vSphere Web Client, it was time for me to solve this once and for all: make the VMware Certificate Authority (VMCA) a subordinate CA of my Microsoft CA, so that every certificate it issues chains up to a root my clients already trust.

 
Subordinate CA

Let’s get started!

Pre-requisites

  • Configured Microsoft CA (link)
  • vSphere and vCenter Certificate Templates (link)

    Generate Certificate Signing Request (CSR)

    SSH to your vCenter Server when using vCenter with the Embedded Platform Services Controller (PSC), or SSH to the PSC when using an external PSC.

    Enable the BASH shell and set it to the default shell (link).

    Run /usr/lib/vmware-vmca/bin/certificate-manager and select Option 2 (Replace VMCA Root certificate with Custom Signing Certificate and replace all Certificates). Take a snapshot of the appliance (and of the external PSC, if you have one) first: this replaces the VMCA root and every certificate VMCA has issued, and restarts the services.

    Select Y.

    Provide the SSO and vCenter privileged user credentials.

    NOTE Anyone noticed the typo? 🙂

    Now comes the part where you have to pay attention: filling in the config files for the CSRs. (On newer 6.5 builds the tool only asks for the certool.cfg values and reuses them for the other certificate config files, as the comments below point out.)

    Select Option 1.

    Provide a path to save the CSR(s) and private key(s) to, for example /tmp.

    The last step of this is to fill in certool.cfg: Country, Name, Organization, OrgUnit, State, Locality, IPAddress, Email and Hostname for the new VMCA root. The Name you enter here ends up as the subject of the certificate the Microsoft CA issues (see comment 2 below), so pick something that makes the VMCA recognisable in the CA’s list of issued certificates.

    NOTE Do not close the certificate-manager tool!

    Now open your favorite secure copy tool (for example WinSCP) and download the file vmca_issued_csr.csr from the server you created it on. Leave vmca_issued_key.key on the appliance: it is the private key of the new VMCA root, and the CA only needs the CSR. It is worth decoding the CSR with openssl before you submit it, to confirm the subject matches what you entered in certool.cfg; the last comment below describes a case where it did not.

     

    Obtain the Subordinate CA Certificate from a Microsoft CA

    Open your favorite browser and browse to the Microsoft Certificate Authority web interface, for example http://CAFQDN/certsrv.

    Select “Request a certificate” and then select “advanced certificate request”.

    Paste the content of the vmca_issued_csr.csr file into the “Saved Request” field, select the subordinate CA certificate template you created for vCenter under “Certificate Template” and click “Submit”.


    Download the certificate chain (choose “Base 64 encoded”); this gives you a .p7b file.


    Open the downloaded .p7b chain file and export each certificate in it as a Base-64 encoded X.509 (.CER) file: the certificate issued to the VMCA (PSC.cer below), the intermediate CA certificate if your CA has one (inter.cer) and the root CA certificate (ca.cer).


    Here it gets interesting: the exported certificates must be merged into one file, and the order matters. certificate-manager expects the certificate issued to the VMCA first, then the intermediate CA certificate (if you have one), and the root CA certificate last. This can be done from a command prompt with type (or with cat in the appliance shell). If you have only a root CA without an intermediate CA, concatenate PSC.cer and ca.cer, in that order, into vmca_issued_cer.cer.

    And if you have a CA with an intermediate CA, concatenate PSC.cer, inter.cer and ca.cer, in that order, into vmca_issued_cer.cer.

    Copy vmca_issued_cer.cer back to the /tmp folder on the server where you created the CSR, next to vmca_issued_key.key.
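    The merge step above, plus a check on the result before it goes back to the appliance, as an added example that is not from the original post. It is a POSIX shell script: build_chain concatenates the exported certificates in the order VMCA expects (the certificate issued to the VMCA first, any intermediate next, the root last) and drops the CRLF line endings Windows puts in exported .cer files; print_chain and verify_chain use openssl (present on the VCSA) to show the subject and issuer of every block and to confirm that the first certificate actually validates against the rest. File names are assumptions, and make_mock_chain builds a throwaway two-tier CA with openssl that stands in for the Microsoft CA so the script can be tried without one.

```shell
#!/bin/sh
# Added example, not from the original post. Assembles the chain file that
# certificate-manager expects (leaf first, issuers after it, root last) and
# checks it. File names are assumptions; make_mock_chain stands in for the
# Microsoft CA so the functions can be exercised offline.
set -eu

# count_certs FILE -> number of PEM certificate blocks in FILE (0 if none)
count_certs() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# build_chain OUT LEAF [INTERMEDIATE ...] ROOT
# Writes the inputs, in the given order, into OUT. Each input must hold
# exactly one PEM certificate (a bundle in the wrong place is refused), CRs
# from Windows exports are dropped, and every block ends with a newline so
# two blocks can never run together on one line. Prints the block count.
build_chain() {
    out=$1; shift
    [ $# -ge 2 ] || { echo "need at least the VMCA certificate and the root" >&2; return 1; }
    : > "$out"
    for f in "$@"; do
        n=$(count_certs "$f") || { rm -f "$out"; return 1; }
        if [ "$n" -ne 1 ]; then
            echo "refusing $f: expected exactly one PEM certificate, found $n" >&2
            rm -f "$out"
            return 1
        fi
        # $(...) strips trailing newlines; printf puts back exactly one
        printf '%s\n' "$(tr -d '\r' < "$f")" >> "$out"
    done
    count_certs "$out"
}

# print_chain CHAIN -> subject= / issuer= for each block, in file order, so
# you can see that every issuer line matches the subject of the next block.
# Returns 2 when openssl is not installed (it is on the VCSA).
print_chain() {
    command -v openssl >/dev/null 2>&1 || return 2
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# verify_chain CHAIN: validate the first certificate against the rest of the
# file (intermediates plus the self-signed root), the way a TLS client would.
# Returns 0 when the path builds, 1 when it does not, 2 without openssl.
verify_chain() {
    command -v openssl >/dev/null 2>&1 || return 2
    n=$(count_certs "$1") || return 1
    [ "$n" -ge 2 ] || { echo "$1 holds $n certificate(s), need the issuers too" >&2; return 1; }
    dir=$(mktemp -d)
    # one file per block: c1.pem is the leaf, c2.pem .. c9.pem its issuers
    awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/{n++} {print > (d "/c" n ".pem")}' "$1"
    cat "$dir"/c[2-9].pem > "$dir/issuers.pem"
    rc=0
    openssl verify -CAfile "$dir/issuers.pem" "$dir/c1.pem" || rc=1
    rm -rf "$dir"
    return $rc
}

# issue_cert DIR NAME ISSUER SUBJECT: CSR for NAME, signed by ISSUER as a CA cert
issue_cert() {
    openssl req -new -key "$1/$2.key" -subj "$4" -config "$1/ca.cnf" -out "$1/$2.csr"
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.pem" -CAkey "$1/$3.key" -CAcreateserial \
        -days 2 -extfile "$1/ca.cnf" -extensions v3_ca -out "$1/$2.pem"
}

# make_mock_chain DIR: constructed stand-in for the Microsoft CA. Produces
# root.pem (self-signed), inter.pem (issued by root) and leaf.pem, the
# subordinate-CA certificate the real CA hands back for vmca_issued_csr.csr.
make_mock_chain() {
    command -v openssl >/dev/null 2>&1 || return 2
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    for name in root inter leaf; do
        openssl ecparam -genkey -name prime256v1 -noout -out "$1/$name.key"
    done
    openssl req -x509 -new -key "$1/root.key" -subj '/CN=Mock Enterprise Root CA' \
        -days 2 -config "$1/ca.cnf" -extensions v3_ca -out "$1/root.pem"
    issue_cert "$1" inter root '/CN=Mock Issuing CA'
    issue_cert "$1" leaf inter '/CN=CA/O=vCenter-VMCA'
}
```

    Typical use on the workstation where you exported the certificates: build_chain vmca_issued_cer.cer PSC.cer inter.cer ca.cer, then print_chain and verify_chain on the result (drop inter.cer from the list when your CA has no intermediate). The order check is worth the few seconds, because certificate-manager does not reorder the file for you: a bundle with the root first is simply an invalid chain for the VMCA certificate, and the import fails instead of silently fixing it.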

    Import the CA signed certificate on your vCenter Server with Embedded PSC

    Select Option 1.

    Provide the full path and filename for the Certificate file /tmp/vmca_issued_cer.cer and Key file /tmp/vmca_issued_key.key.

    Select Y and it’s time for coffee! The tool now replaces the VMCA root, reissues the Machine SSL and solution user certificates from it and restarts the services, so the Web Client is unavailable for a while; if a step fails it rolls back to the previous certificates.

    Boom! 100% Completed! Now you can browse to your vSphere Web Client and enjoy the silence of no warning messages 🙂 .

     

    Import the CA signed certificate on your vCenter when you have an external PSC

    The steps to be taken are really similar to the steps above so only the steps are explained and not shown.

    SSH to your vCenter Server when using vCenter with an External Platform Service Controller (PSC).

    Enable the BASH shell and set it to the default shell (link)

    Run /usr/lib/vmware-vmca/bin/certificate-manager and select Option 3 (Replace Machine SSL certificate with VMCA Certificate). Run it again afterwards with Option 6 (Replace Solution user certificates with VMCA certificates) so the solution user certificates on the vCenter Server are reissued from the new VMCA root as well.

    Provide the SSO and vCenter privileged user credentials.

    Provide the IP address of the PSC.

    Fill in the certool.cfg values for the vCenter Server’s Machine SSL certificate, using the vCenter Server FQDN as the Hostname.

    Select Y and yes it’s time for coffee again!

    Marco van Baggum


    Works as a Virtualization Consultant for ITQ. More details can be found on the About page

    7 thoughts on “How to configure vCenter 6.5 as a Subordinate CA”

    1. Could you please take a look at this article once again.

      >Here it gets interesting, the exported certificates must be merged into one certificate. This can be done from a command prompt.
      >type PSC.cer inter.cer ca.cer > vmca_issued_cer.cer
      Where do those file names come from? You never mentioned them. The picture next to the text also only shows two certificates, not three.

      >Provide the full path and filename for the Certificate file /tmp/vmca_issued_cer.cer and Key file /tmp/vmca_issued_key.key.
      Then, right below, you write totally different file names in the field – file names we’ve never seen before.

      1. Hi,

        That is correct, I don’t have an intermediate CA server like most companies do, so I only have to run:

        type PSC.cer ca.cer > vmca_issued_cer.cer

        I’ve updated this in the article, and I’ve updated the cert file in the field, thanks for noticing 🙂

        Marco

    2. Great article, really appreciate it.

      A couple of things I ran into, just in case anyone else does too: when populating the various cfg files for the CSR the “name” field for each service was identical (vcenter). I had to use a unique “name” for each, or when I imported the signed cert back in those services would fail to restart with the new cert and the vmca script would revert everything back to the default self-signed. I just used the service name (machine_ssl, machine, webclient, vpxd, vpxd-ext, etc.) and it worked like a champ.

      Also, if there is anyone as OCD as I am, the “Issued To” field on the final certificate after your CA has issued it is populated from the “Name” field on the final .cfg (certool.cfg) when generating the CSR.

    3. Hi,

      First of all thanks for the good article – unfortunately I do have a problem and you might have an idea what’s wrong?

      I did a fresh install of the VCSA 6.5U1 after running

      “Run /usr/lib/vmware-vmca/bin/certificate-manager and Select Option 2.”

      I see the message

      “Do you wish to generate all certificates using configuration file : Option[Y/N] ?”

      which I confirm with “Y”; as the next step I log in with the correct credentials, and then I see the following message:

      “certool.cfg file exists, Do you wish to reconfigure : Option[Y/N] ?”

      When I confirm this with “Y” I can see this:

      “Press Enter key to skip optional parameters or use Previous value.

      Enter proper value for ‘Country’ [Previous value : CH] :

      etc”

      I never come to a point where I can configure “MACHINE_SSL_CERT.cfg”, “machine.cfg”, etc. Do you have any idea what’s wrong?

      Thanks.

    4. Here’s a thing – when I ran the cert management tool and selected option 2, I only got prompted to customize the certool.cfg file; none of the others. So when I got my certificate, it had only default entries for Country, locality, etc.

      1. Update: It would appear that something has changed since this article was written. It seems the Cert tool will only ask for certool.cfg entries, and then use those responses for all other certificate cfg files.

    5. Evidently things have changed even more. When I ran this, like it did for @Chuck_Stevens, it only asked me to customize certool.cfg. It did not ask to update any of the other config files. Also, when it ran, it did not generate the CSR using the config file.

      My script output is:

      Output directory path: /vmca_temp
      2018-02-06T21:27:28.241Z Running command: ['/usr/lib/vmware-vmca/bin/certool', '--genkey', '--privkey', '/vmca_temp/vmca_issued_key.key', '--pubkey', '/tmp/pubkey.pub']
      2018-02-06T21:27:28.442Z Done running command
      2018-02-06T21:27:28.443Z Running command: ['/usr/lib/vmware-vmca/bin/certool', '--gencsrfromcert', '--privkey', '/vmca_temp/vmca_issued_key.key', '--cert', '/var/lib/vmware/vmca/root.cer', '--csrfile', '/vmca_temp/vmca_issued_csr.csr']
      2018-02-06T21:27:28.468Z Done running command

      CSR generated at: /vmca_temp/vmca_issued_csr.csr

      But when I decoded the CSR, it was using the default VMware config.
      So I manually ran the command, adding the --config option:
      /usr/lib/vmware-vmca/bin/certool --gencsr --privkey /vmca_temp/vmca_issued_key.key --pubkey /tmp/pubkey.pub --config /var/tmp/vmware/certool.cfg --csrfile /vmca_temp/vmca_issued_csr.csr

      I decoded the new CSR and it correctly used my options, so I submitted it to my ADCS and retrieved a new certificate. I uploaded the certificate and applied it to the VMCA and the script started executing; however, it failed with:
      Error while reverting certificate for store : MACHINE_SSL_CERT
      Rollback Status : 0% Completed [Rollback operation failed]

      Error while performing rollback operation, please try Reset operation…

      please see /var/log/vmware/vmcad/certificate-manager.log for more information.
