How to use vSphere Certificate Manager to Replace SSL Certificates (2097936)


Last Updated: 06.10.2021
Categories: How to


Purpose

This article explains when and how to use vSphere Certificate Manager in vSphere versions 6.x and 7.x.

Use of vSphere Certificate Manager

The vSphere Certificate Manager can be used to:

Implement default certificates (use Option 4 or 8):

  • Use this when you do not plan to implement custom CA certificates signed by either an enterprise CA (such as a Microsoft Windows CA) or a commercial CA (Verisign, GoDaddy, etc.).
  • In this configuration the vSphere certificates are generated and issued by the VMCA and stored in the vSphere Endpoint Certificate Store (VECS).
  • These certificates are not trusted outside of vSphere by default; clients must import the VMCA root certificate before they will validate them.
  • If the Machine SSL and Solution User certificates have already expired, use Option 8 (Reset all certificates) to replace them.

Replace the VMCA certificate with a custom CA certificate (use Option 2):

  • In this configuration you replace the default VMCA certificate and key with a custom CA certificate and key issued by either an enterprise CA (such as a Microsoft Windows CA) or a commercial CA (Verisign, GoDaddy, etc.); the VMCA becomes a subordinate CA of that authority.
  • The VMCA then generates new vSphere certificates that are signed by the imported custom CA certificate and key.
  • Certificates issued by the VMCA are then trusted by any client that already trusts the issuing enterprise or commercial CA.
  • Caveat: the imported signing key lives on the vCenter Server and can issue certificates that chain to your CA, so protect the vCenter Server (and the key material you stage for the import) accordingly.

Replace all vSphere certificates and keys with custom CA certificates and keys (use Option 1 for the Machine SSL certificate and Option 5 for the Solution User certificates):

  • In this configuration you replace the Machine SSL certificate and all Solution User certificates with custom CA certificates signed by either an enterprise CA (such as a Microsoft Windows CA) or a commercial CA (Verisign, GoDaddy, etc.).
  • The VMCA does not issue these certificates.

Note: In vSphere 7.x, steps 1 and 2 above can also be performed through the vCenter Server user interface (see the Resolution section).

Resolution

Process to update the Machine SSL certificate or generate a certificate signing request:

Note: In vCenter Server 7.x you can update the Machine SSL certificate or generate a certificate signing request from the vSphere Client:

  • Menu > Administration > Certificates > Certificate Management.

In the Machine SSL Certificate section, select the Actions pull-down menu.
For more information, refer to: Managing Certificates with the vSphere Client

Note: On Windows, you must be logged in as an administrator, or use "Run as Administrator" if User Account Control is enabled.

To launch the vSphere Certificate Manager, execute the following commands:

  • Windows vCenter Server: C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager
  • vCenter Server Appliance: /usr/lib/vmware-vmca/bin/certificate-manager

When you run certificate-manager, you are presented with a menu of eight options (the original article shows screenshots of this menu for Windows and for the appliance). The options are detailed below.

Details of the options:

Option 1: Replace the Machine SSL certificate with a custom CA certificate
  • Detail: also offers a sub-option to generate a Certificate Signing Request (CSR) and key for the Machine SSL certificate.
  • Required information:
    • administrator@vsphere.local password
    • Path to the custom certificate and key for the Machine SSL certificate
    • Path to the custom CA root (signing) certificate

Option 2: Replace the VMCA root certificate with a custom CA signing certificate and replace all certificates
  • Detail: also offers a sub-option to generate a CSR and key for the VMCA root signing certificate.
  • Required information:
    • administrator@vsphere.local password
    • certool.cfg configured at /usr/lib/vmware-vmca/share/config/certool.cfg (used by VMCA when generating certificates)
    • Root signing certificate
    • Root signing key
  • Optional information:
    • Do you wish to replace all Solution User certificates with custom CA?
      • YES: paths to the custom certificates and keys for the Solution Users (vpxd, vpxd-extension, vsphere-webclient, machine). Note: you can also perform this step later using Option 5.
      • NO: the VMCA generates new certificates and keys for the Solution Users using the imported custom CA signing certificate. Note: you can also perform this step later using Option 6.
    • Do you wish to replace the Machine SSL certificate with custom CA?
      • YES: path to the custom certificate and key for the Machine SSL certificate. Note: you can also perform this step later using Option 1.
      • NO: the VMCA generates a new certificate and key for the Machine SSL certificate using the imported custom CA signing certificate. Note: you can also perform this step later using Option 3.

Option 3: Replace the Machine SSL certificate with a VMCA-generated certificate
  • Required information:
    • administrator@vsphere.local password
    • certool.cfg configured (used by VMCA when generating certificates)

Option 4: Regenerate a new default VMCA root certificate and replace all certificates
  • Required information:
    • administrator@vsphere.local password
    • certool.cfg configured (used by VMCA when generating certificates)

Option 5: Replace the Solution User certificates with custom CA certificates
  • Required information:
    • administrator@vsphere.local password
    • Path to the custom root CA certificate
    • Path to the custom certificate and key for the vpxd Solution User
    • Path to the custom certificate and key for the vpxd-extension Solution User
    • Path to the custom certificate and key for the vsphere-webclient Solution User
    • Path to the custom certificate and key for the machine Solution User
    • If vCenter Server is 7.0: paths to the custom certificates and keys for the hvc and wcp Solution Users

Option 6: Replace the Solution User certificates with VMCA-generated certificates
  • Required information:
    • administrator@vsphere.local password

Option 7: Revert the last performed operation by re-publishing the old certificates
  • Required information:
    • administrator@vsphere.local password

Option 8: Reset all certificates
  • Required information:
    • administrator@vsphere.local password
    • certool.cfg configured (used by VMCA when generating certificates)

Note: The certool.cfg file is located at:

  • Windows vCenter Server: C:\Program Files\VMware\vCenter Server\vmcad\certool.cfg
  • Configuration file locations in the vCenter Server Appliance and the Platform Services Controller Appliance (external PSC):
    • vCenter Server Appliance: /usr/lib/vmware-vmca/share/config/certool.cfg
    • External Platform Services Controller Appliance: /usr/lib/vmware-vmca/share/config/certool.cfg

The original article shows a screenshot of the default certool.cfg. Edit its Country, Name, Organization, OrgUnit, State, Locality, IPAddress, Email and Hostname values for your environment before running any option that has the VMCA generate certificates; Hostname must be the vCenter Server PNID (Primary Network Identifier).

If the PNID of the vCenter Server is unknown, it can be obtained with the following command on Windows or on the VCSA respectively:

C:\Program Files\VMware\vCenter Server\vmafdd> vmafd-cli.exe get-pnid --server-name localhost

/usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost
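Before running any of the options, a practitioner normally verifies the inputs the tool will consume: that certool.cfg names the PNID, that a custom certificate and key actually belong together and chain to the root that will be imported, that the certificate carries the PNID as a DNS SAN, and whether the currently installed Machine SSL certificate has already expired (the case this article points at Option 8). The following bash pre-flight script is an added example and is not part of this article or of the certificate-manager tool; the function names, the /tmp/certs/* paths and the use of openssl are this example's own assumptions. The vmafd-cli and vecs-cli commands it calls are the appliance's real tools, so the preflight function only works on a VCSA, while the individual check functions run anywhere openssl is installed.

```shell
#!/usr/bin/env bash
# Added pre-flight checks before a certificate-manager run on a vCenter Server
# Appliance (example code, not part of KB 2097936). Certificate, key and root
# paths are assumptions; vmafd-cli and vecs-cli are the appliance's own tools.
set -eu

VMAFD_CLI=/usr/lib/vmware-vmafd/bin/vmafd-cli
VECS_CLI=/usr/lib/vmware-vmafd/bin/vecs-cli
CERTOOL_CFG=/usr/lib/vmware-vmca/share/config/certool.cfg

# Print the value of one "Key = Value" entry in a certool.cfg-style file
# (first match wins, comment lines are ignored, nothing is printed if absent).
certool_get() {                       # certool_get <cfg-file> <key>
  awk -v key="$2" -F'=' '
    { k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k) }
    k == key { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }
  ' "$1"
}

# certool.cfg drives every VMCA-issued certificate (Options 2, 3, 4, 8), so its
# Hostname must be the PNID; otherwise the new certificates carry the wrong name.
check_cfg_hostname() {                # check_cfg_hostname <cfg-file> <pnid>
  [ "$(certool_get "$1" Hostname)" = "$2" ]
}

# A custom certificate (Options 1, 2, 5) is only useful together with its own
# private key: compare the public key derived from each side.
check_key_matches_cert() {            # check_key_matches_cert <cert.pem> <key.pem>
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# The certificate must chain to the root that will be imported as trusted.
check_chain() {                       # check_chain <root-ca.pem> <cert.pem>
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Clients match the Machine SSL certificate against the PNID, so it needs a DNS SAN for it.
check_san_has_name() {                # check_san_has_name <cert.pem> <dns-name>
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' \
    | grep -qE "DNS:$2(,|[[:space:]]|$)"
}

# Exit 0 while the certificate is still valid; non-zero once it has expired.
check_not_expired() {                 # check_not_expired <cert.pem>
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# Run on the appliance: gather the PNID and the installed Machine SSL certificate,
# then evaluate the staged custom material before choosing Option 1 (or Option 8).
preflight() {                         # preflight <cert.pem> <key.pem> <root-ca.pem>
  local pnid current=/tmp/current-machine-ssl.pem
  pnid=$("$VMAFD_CLI" get-pnid --server-name localhost)
  check_cfg_hostname "$CERTOOL_CFG" "$pnid" || { echo "certool.cfg Hostname is not the PNID ($pnid)"; return 1; }
  check_key_matches_cert "$1" "$2"  || { echo "private key does not match $1"; return 1; }
  check_chain "$3" "$1"             || { echo "$1 does not chain to $3"; return 1; }
  check_san_has_name "$1" "$pnid"   || { echo "$1 has no DNS SAN for $pnid"; return 1; }
  "$VECS_CLI" entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT > "$current"
  if ! check_not_expired "$current"; then
    echo "installed Machine SSL certificate has already expired: the article points to Option 8 first"
  fi
  echo "pre-flight OK for PNID $pnid"
}

# Usage on the VCSA (paths are assumptions for this example):
#   preflight /tmp/certs/machine.pem /tmp/certs/machine.key /tmp/certs/root.pem
```

Run the checks against the files you intend to feed to Option 1 or Option 5; a failing check is far cheaper to fix here than after certificate-manager has published a broken certificate and you have to fall back on Option 7.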

Related Information

Note: Currently, vCenter Server integrates only with VMCA. The vSphere Certificate Manager and VMCA cannot be used to issue certificates to any other products.
 

Log file locations:

  • The vSphere Certificate Manager stores a certificate-manager.log file in these locations:
    • Windows vCenter Server 6.x: C:\ProgramData\VMware\vCenterServer\logs\vmca\certificate-manager.log
    • vCenter Server Appliance 6.x/7.x: /var/log/vmware/vmcad/certificate-manager.log
       