Set Custom SSL Certificate on VMware vCenter 6.7 Appliance using Windows CA

In this post we will go through generating and applying a custom SSL cert for VMware vCenter 6.7 Appliance.

When VCSA is installed it generates a self-signed cert, which causes users to get a cert error when connecting. I used the VMware doc below when setting up the cert.

Replace Machine SSL Certificate with Custom Certificate (vmware.com)

I have already configured a Windows CA; this or another CA will be a requirement before creating the cert.

Before attempting this in production make a backup or take a snapshot to allow quick recovery in case of any issues.

To generate the certificate signing request (CSR), we will use the certificate-manager CLI.

To connect, I enabled SSH on the appliance.

Then I used the PuTTY client to connect.

First I created a folder that will be used to export the CSR and private key.

Once created we can then run certificate manager using the below.

/usr/lib/vmware-vmca/bin/certificate-manager

We want to replace the Machine SSL certificate with a custom cert, so select option 1.

Enter the user name and password and select option 1 to generate the CSR.

Put in the required information. Below are the fields and values:

Field         Value
Country       use your own country
Name          vCenter FQDN
Organization  use your own company name
OrgUnit       use your own
State         own state
IPAddress     vCenter IP address
Hostname      vCenter FQDN
VMCA Name     vCenter FQDN

Once the CSR has been created, use a client like WinSCP to connect to vCenter, go to the folder specified above (in my case this was the cert folder) and copy the CSR file.

Now go to your CA to submit the CSR; I will be using the web enrolment.

Click on Request a certificate.

Click on Submit an advanced certificate request.

Click Submit a certificate request.

Open the CSR file using Notepad and copy the text.

Paste the text into the Saved Request box and select the template; I created a custom template for web servers.

Once submitted you should get the option to download the cert; select Base 64 encoded, as this is required by vCenter.

Once downloaded, upload the cert back to vCenter using WinSCP.

Launch certificate manager again and select option 1, then option 2 to import the custom cert.

/usr/lib/vmware-vmca/bin/certificate-manager

Enter the details: the cert file that will be used for vCenter, the private key that was issued with the CSR request and the CA cert file.

You should now see the services being updated.

Once completed, vCenter should now be using the custom SSL cert.
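Before running the import in option 2, it is worth confirming that the three files line up, because a key mismatch or a DER-encoded download fails only after the services have started restarting. The script below is an added example, not from the original post or from VMware's certificate-manager; it assumes openssl is available (it is on the VCSA) and the file paths and FQDN passed to it are placeholders for your own.

```shell
#!/bin/sh
# Added example (not from the original post or VMware): sanity-check the three
# files certificate-manager asks for in option 1 -> 2 before importing them.
# Assumes openssl on the VCSA (or any box you copy the files to) and the
# Base 64 files exported earlier; the paths are yours, e.g. the "cert" folder.

# check_cert_bundle CERT KEY CACERT FQDN
# Prints "ok" and returns 0 when the cert is PEM, matches the private key,
# verifies against the CA file and lists the vCenter FQDN in its SAN.
check_cert_bundle() {
    cert=$1; key=$2; cacert=$3; fqdn=$4

    # 1. certificate-manager wants Base 64 (PEM), which is why the post picks
    #    that download option; a DER file has no BEGIN CERTIFICATE line.
    grep -q 'BEGIN CERTIFICATE' "$cert" 2>/dev/null \
        || { echo "cert is not PEM/Base 64"; return 1; }

    # 2. The issued cert must carry the public key of the private key that
    #    certificate-manager generated with the CSR; compare the SPKI blocks.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "key mismatch"; return 1; }

    # 3. The CA file (root, plus any intermediates appended) must be the issuer,
    #    otherwise the chain vCenter serves is broken and browsers keep warning.
    openssl verify -CAfile "$cacert" "$cert" 2>/dev/null | grep -q ': OK$' \
        || { echo "chain does not verify against CA"; return 1; }

    # 4. Browsers match the FQDN against the SAN, not the CN, so the Hostname
    #    value entered for the CSR must show up there.
    openssl x509 -in "$cert" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' | grep -q "DNS:$fqdn" \
        || { echo "SAN lacks $fqdn"; return 1; }

    echo "ok"
}

# Usage (placeholder paths): check_cert_bundle <cert.cer> <key.key> <ca.cer> <vcenter-fqdn>
```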
