Replacing vSphere 6 Solution user certificates with CA signed certificates

In our last post, Replacing Esxi 6 SSL Certificates, we learned how to replace the default ESXi host certificates with CA-signed certificates. In this post we will learn how to replace the vSphere 6 solution user certificates with custom certificates signed by a CA.

If you missed the earlier posts in this series, you can read them at the links below:

1: Setup CA Server for vSphere Lab

2: Set Up Automatic Certificate Enrollment

3: Request Internal Certificate from CA Server

4: Everything You Should Know About Certificate Management in vSphere 6

5: Replacing vSphere 6 SSL Certificates

6: Replacing Esxi 6 SSL Certificates

Solution users use SSL certificates for internal communication and endpoint registration in vSphere 6. For a vCenter with an embedded PSC, there are four solution user certificates:

  • machine
  • vpxd
  • vpxd-extension
  • vsphere-webclient

We will be replacing the certificates for all the solution users in this post.

Follow the steps below to replace the solution user certificates:

1: Creating Certificate Signing Request

Launch the certificate manager utility.

Press 5 to select “Replace solution user certificates with custom certificates”.

Provide the password of the SSO account.

Select option 1, “Generate Certificate signing Request(s) and key(s) for solution user certificates”.


Provide the path to the directory where you want to store the .csr files.


You will see the following files created in the provided directory.


4: Get the signed certs from your CA server

Copy the machine.csr, vpxd.csr, vpxd-extension.csr and vsphere-webclient.csr files to your CA server and repeat the following steps for each .csr file:

  • Launch the certificate authority web interface (http://<servername>/CertSrv/).
  • Click Request a certificate > Advanced certificate request.
  • Open the certificate request in a plain text editor and copy the contents of the file, including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines, into the Saved Request box.
  • Select vSphere6 as the Certificate Template and hit Submit to submit the request. For the certificate template, please follow VMware KB-2112009.
  • Click Base 64 encoded on the Certificate Issued screen and click Download Certificate.

Save the files as machine.cer, vpxd.cer, vpxd-extension.cer and vsphere-webclient.cer respectively.

Finally, download the CA server root certificate. From the CA server home page, click “Download a CA certificate, certificate chain, or CRL”.

Click on Download CA certificate and save the downloaded file as Root64.cer.

Copy all 5 files back to your vCenter Server.

5: Replace the certificates

Launch the certificate manager again, select option 5 and then option 2 (“Import Custom certificate(s) and key(s) for Solution User Certificates”).


Provide the path to the generated .cer files and their respective key files to complete the certificate replacement process.


That's it. We have now successfully replaced the default certificates for the solution users with CA-signed certificates.

I hope you enjoyed reading this post. Feel free to share this on social media if it is worth sharing. Be sociable :)
