In this post we will go through generating and applying a custom SSL cert for VMware vCenter 6.7 Appliance.
When VCSA is installed it generates a self singed cert which cause users to get a cert error when connecting. I used the below VMware doc when setting up the cert.
I have already configure a Windows CA so this or another CA will be a requirement before creating the cert.
Before attempting this in production make a backup or take a snapshot to allow quick recovery in case of any issues.
To generate the cert signing request (CSR) , we will use the certificate-manager CLI
To connect I enable SSH on the appliance.
Then used putty client to connect.
First I created a folder that will be used to export the CSR and private key.
Once created we can then run certificate manager using the below.
We want to replace the Machine certificate with custom cert so select option 1.
Enter the users name and password and select option 1 to generate CSR.
put in the require information below are the fields and values
|Country||use your own country|
|Organization||Use your own company name|
|OrgUnit||use your own|
|IPAddress||vCenter IP Address|
|VMCA Name||vCenter FQDN|
Once the CSR has been created,
use a client like WinSCP to connect to vCenter and go to the specified folder above in my case this was the cert folder and copy the CSR file.
Now go to your CA to submit the CSR, I will be using the web enrolment.
Click on request a certificate
Click on submit an advanced certificate request.
Click submit a certificate request.
Open the CSR file using notepad and copy the txt
Paste the txt in to the saved request box and select the template I created a custom template for web servers.
Once submitted you should get the option to download the cert selected base 64 encoded as this is required by vCenter.
Once downloaded, upload the cert back to vCenter using WinSCP
Launch certificate manager again and select option 1 but then option 2 to import the custom cert.
Enter in the details cert file that will be used for vCenter, the private key that was issued with the CSR request and the CA cert file.
You should now the service being updated.
Once completed vCenter should now be using the custom SSL cert.