If company policy does not allow an intermediate CA, VMCA cannot generate the certificates for you. You use custom certificates from an enterprise or third-party CA.
The certificate must meet the following requirements:
Key size: 2048 bits or more (PEM encoded)
PEM format. VMware supports PKCS8 and PKCS1 (RSA keys). When keys are added to VECS, they are converted to PKCS8
x509 version 3
For root certificates, the CA extension must be set to true, and the cert sign must be in the list of requirements.
SubjectAltName must contain DNS Name=<machine_FQDN>
Contains the following Key Usages: Digital Signature, Non Repudiation, Key Encipherment
Start time of one day before the current time
CN (and SubjectAltName) set to the host name (or IP address) that the ESXi host has in the vCenter Server inventory.
- Send CSRs for the following certificates to your enterprise or third-party certificate provider.
A machine SSL certificate for each machine. For the machine SSL certificate, the SubjectAltName field must contain the fully qualified domain name (DNS NAME=machine_FQDN)
Optionally, four solution user certificates for each embedded system or management node. Solution user certificates should not include IP address, host name, or email address. Each certificate must have a different certificate Subject.
Typically, the result is a PEM file for the trusted chain, plus the signed SSL certificates for each Platform Services Controller or management node.
- List the TRUSTED_ROOTS and machine SSL stores.
vecs-cli store list
- Ensure that the current root certificate and all machine SSL certificates are signed by VMCA.
- Note down the Serial number, issuer, and Subject CN fields.
- (Optional) With a Web browser, open a HTTPS connection to a node where the certificate will be replaced, check the certificate information, and ensure that it matches the machine SSL certificate.
- Stop all services and start the services that handle certificate creation, propagation, and storage.
The service names differ on Windows and the vCenter Server Appliance.
service-control --stop --all service-control --start VMWareAfdService service-control --start VMWareDirectoryService service-control --start VMWareCertificateService
vCenter Server Appliance
service-control --stop --all service-control --start vmafdd service-control --start vmdird service-control --start vmcad
- Publish the custom root certificat, which is the signing certificate from the third-party CA.
dir-cli trustedcert publish --cert <my_custom_root>
If you do not specify a user name and password on the command line, you are prompted.
- Restart all services.
service-control --start --all
What to do next
You can remove the original VMCA root certificate from the certificate store if company policy requires it. If you do, you have to refresh these internal certificates: