Replacing VMCA Self Signed certificate with a Windows Signed certificate

While many companies advise to ‘simply ignore’an invalid certificate warning on internal sites, this will encourage incorrect public browser behavior. As a result, employee’s will more likely ignore browser warnings on public sites as well, which can end in exposing the company vulnerable to malware and other exploits.

The correct use of an SSL certificate signed by a trusted certificate authority (CA), removes the warning and encourages employees to safe public browsing.

In this blogpost, I would like to explain how you can replace the default self-signed certificate from a VMware vCenter Server with a signed certificate of an internal CA.

Overview steps

The replacement procedure is fairly simple and straight forward. We first create a certificate request file. Present this request file to our internal certificate authority. Sign the request and have the signed certificate file uploaded to the vCenter. As last action we’ll replace the existing certificates with the signed certificate.

Creating a request file

  • Login to your VMware vCenter Server with a SSH Client
  • Login with root account
  • Enable shell, if not yet enabled
  • set –enabled True (if shell is not enabled)
  • Run the following command to initiate the certificate-manager
  • /usr/lib/vmware-vmca/bin/certificate-manager

VMware Certificate Manager

  • Choose option 1
  • You will be prompt to provide valid SSO and VC priviledged user credentials to continue. Use the default ‘administrator@vsphere.local’ user. This user has all required privileges to perform the required operations.

  • Choose option 1 to create the request file and key.
  • You will be asked to provide a valid directory to store the request file and key to.
    • A good example here could be to store them in /tmp
    • If you leave this option blank, it will store the key files under the root directory /root

  • In our example, the request file is named vmca_issued_csr.csr and is located in the root directory. Use a transfer tool like winSCP to copy the request file to your local computer.

Sign the request file against your CA

Browse to your internal CA web enrollment page usually: http(s)://<fqdn-ca-server>/certsrv

  • Click Request a certificate
  • Choose advanced certificate request
  • Next, choose Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
  • Open the vmca_issued_csr.csr file with a text editor like notepad. and copy the content.

An example looks like this

certificate CSR

  • As Certificate Template, choose Web Server
  • Press Submit

Certificate request

  • Ensure that Base 64 encoded is selected prior to downloading the signed certificate.
    • Save the singed certificate file as vmca_singed_cer.cer
  • Also download the chain in Base 64 encoding.
    • Save the chain as: vmca_singed_chain_p7b.p7b

(Optionally) Merge certificates when subordinate CA is present.

The certificate chain must be complete in order to replace the certificates on the VMware vCenter Server. When a subordinate certificate authority is present, we have to manually merge the certificates files into a single file.

  • In windows, right click the vmcc_signed_chain_p7b.p7b file and click open.

VMCA certificates

  • Export the root certificate and the subordinate certificates as base 64 encoded formats.
    • Name the root: root64.cer
    • Name the subordinate: sub_root64.cer
  • Upload all files (vmca_signed_cer.cer, root64.cer and sub_root64.cer) to the VMware vCenter Server.

Combine certificate chain

  • execute the following commands to merge the certificates into a single file.
    • more vmca_signed_cer.cer >> vmca_ca_signed_cer.cer
    • more sub_root64.cer >> vmca_ca_signed_cer.cer
    • more root64.cer >> vmcc_ca_signed_cer.cer

Replace the certificates with the CA signed and restart services.

  • /usr/lib/vmware-vmca/bin/certificate-manager
  • Choose 1
  • Enter your credentials and choose option 2 to import the uploaded certificates.

Import signed certificate

  • When you choose Y to continue the operation, the certificate replacement process starts and all services that are affected are replaced automatically.

Validate your configuration

  • Open a browser to your VMware vCenter Server and inspect the certificate. If your chain is valid and correct, you should no longer receive a warning (Under condition that your certificate chain is available in your trusted store).

Client certificate chain

Leave a comment if you have any thoughts or questions on this procedure.


One comment on “Replacing VMCA Self Signed certificate with a Windows Signed certificate

Leave a Reply

Your email address will not be published. Required fields are marked *