You can replace the VMCA root certificate with a CA-signed certificate that includes VMCA as an intermediate certificate in the certificate chain. Going forward, all certificates that VMCA generates include the full chain.
You run vSphere Certificate Manager on an embedded installation or on an external Platform Services Controller to replace the VMCA root certificate with a custom signing certificate.
Prerequisites
- Generate the CSR.
  - You can use vSphere Certificate Manager to create the CSR. See Generate CSR with vSphere Certificate Manager and Prepare Root Certificate (Intermediate CA).
  - If you prefer to create the CSR manually, the certificate that you send to be signed must meet the following requirements:
    - Key size: 2048 bits or more.
    - PEM format. VMware supports PKCS8 and PKCS1 (RSA keys). When keys are added to VECS, they are converted to PKCS8.
    - x509 version 3.
    - If you are using custom certificates, the CA extension (basicConstraints) must be set to true for root certificates, and Certificate Sign (keyCertSign) must be included in the Key Usage.
    - CRL signing must be enabled.
    - Enhanced Key Usage must not contain Client Authentication or Server Authentication.
    - No explicit limit to the length of the certificate chain. VMCA uses the OpenSSL default, which is 10 certificates.
    - Certificates with wildcards or with more than one DNS name are not supported.
    - You cannot create subsidiary CAs of VMCA.
  - See VMware Knowledge Base Article 2112009, Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.0, for an example using Microsoft Certificate Authority.
- After you receive the certificate from your third-party or enterprise CA, combine it with the initial VMCA root certificate to generate a full chain with the VMCA root certificate at the bottom. See Generate CSR with vSphere Certificate Manager and Prepare Root Certificate (Intermediate CA).
- Gather the information that vSphere Certificate Manager prompts you for:
  - Password for email@example.com.
  - Valid custom certificate for Root (.crt file).
  - Valid custom key for Root (.key file).
Procedure
- Start vSphere Certificate Manager on an embedded installation or on an external Platform Services Controller and select option 2.
- Select option 2 to start certificate replacement and respond to the prompts.
- Specify the full path to the root certificate when prompted.
- If you are replacing certificates for the first time, you are prompted for information to be used for the machine SSL certificate. This information includes the required FQDN of the machine and is stored in the certool.cfg file.
- If you replace the root certificate in a multi-node deployment, you must restart services on all vCenter Server instances.
- In multi-node deployments, regenerate all certificates on each vCenter Server instance by using options 3 (Replace Machine SSL certificate with VMCA Certificate) and 6 (Replace Solution user certificates with VMCA certificates).
When you replace the certificates, VMCA signs with the full chain.
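The certificate requirements listed under the prerequisites are easy to miss when a CSR is prepared by hand, so the following shell script is an added example (not VMware's code) that uses the openssl CLI to check a candidate root certificate against them before it is handed to vSphere Certificate Manager. It also builds two constructed sample certificates, one compliant and one carrying a forbidden Server Authentication EKU, to exercise the check; it assumes OpenSSL 1.1.1 or later and all file names and subjects in it are invented.

```shell
# Added example (not VMware's code): pre-check a custom root certificate against the
# requirements listed above before handing it to vSphere Certificate Manager.
# Needs the openssl CLI; every file name and subject below is constructed.
check_vmca_root_cert() {
    txt=$(openssl x509 -in "$1" -noout -text) || return 2
    fails=0
    bits=$(printf '%s\n' "$txt" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ] || { echo "key size ${bits:-?} < 2048"; fails=1; }
    printf '%s\n' "$txt" | grep -q 'Version: 3' || { echo "not X.509 v3"; fails=1; }
    printf '%s\n' "$txt" | grep -q 'CA:TRUE' || { echo "CA extension not TRUE"; fails=1; }
    ku=$(printf '%s\n' "$txt" | awk '/X509v3 Key Usage/{getline; print}')
    case "$ku" in *"Certificate Sign"*) ;; *) echo "keyUsage lacks keyCertSign"; fails=1;; esac
    case "$ku" in *"CRL Sign"*) ;; *) echo "keyUsage lacks cRLSign"; fails=1;; esac
    eku=$(printf '%s\n' "$txt" | awk '/Extended Key Usage/{getline; print}')
    case "$eku" in *"Client Authentication"*|*"Server Authentication"*)
        echo "EKU must not contain client/server authentication"; fails=1;; esac
    dns=$(printf '%s\n' "$txt" | grep -o 'DNS:' | wc -l | tr -d ' ')
    [ "$dns" -le 1 ] || { echo "more than one DNS name ($dns)"; fails=1; }
    if printf '%s\n' "$txt" | grep -qE 'CN ?= ?\*|DNS:\*'; then echo "wildcard name"; fails=1; fi
    return $fails
}
# Constructed samples: a compliant CA certificate and one with a forbidden EKU.
make_demo_certs() {
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = example-vmca-root
[good_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[bad_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
extendedKeyUsage = serverAuth
EOF
    for ext in good bad; do
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -config "$1/ca.cnf" \
            -extensions "${ext}_ext" -keyout "$1/$ext.key" -out "$1/$ext.crt" 2>/dev/null
    done
}
tmp=$(mktemp -d)
make_demo_certs "$tmp"
check_vmca_root_cert "$tmp/good.crt" && echo "good.crt: accepted"
check_vmca_root_cert "$tmp/bad.crt" || echo "bad.crt: rejected"
```

Run the check on the signed certificate you received from the CA, and on each certificate in the combined chain file, before starting Certificate Manager.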
What to do next
- If company policy requires that you replace all certificates, replace the vmdir root certificate. See Replace the VMware Directory Service Certificate.
- If you are upgrading from a vSphere 5.x environment, you might have to replace the vCenter Single Sign-On certificate inside vmdir. See Replace the VMware Directory Service Certificate in Mixed Mode Environments.