If company policy does not allow an intermediate CA, VMCA cannot generate the certificates for you. You use custom certificates from an enterprise or third-party CA.
The certificate must meet the following requirements:
- Key size: 2048 bits or more (PEM encoded)
- PEM format. VMware supports PKCS8 and PKCS1 (RSA keys). When keys are added to VECS, they are converted to PKCS8
- x509 version 3
- For root certificates, the CA extension must be set to true, and the cert sign must be in the list of requirements.
- SubjectAltName must contain DNS Name=<machine_FQDN>
- CRT format
- Contains the following Key Usages: Digital Signature, Non Repudiation, Key Encipherment
- Start time of one day before the current time
- CN (and SubjectAltName) set to the host name (or IP address) that the ESXi host has in the vCenter Server inventory.
- Send CSRs for the following certificates to your enterprise or third-party certificate provider.
- A machine SSL certificate for each machine. For the machine SSL certificate, the SubjectAltName field must contain the fully qualified domain name (DNS NAME=machine_FQDN)
- Optionally, four solution user certificates for each embedded system or management node. Solution user certificates should not include IP address, host name, or email address. Each certificate must have a different certificate Subject.
Typically, the result is a PEM file for the trusted chain, plus the signed SSL certificates for each Platform Services Controller or management node.
- List the TRUSTED_ROOTS and machine SSL stores.
vecs-cli store list
- Ensure that the current root certificate and all machine SSL certificates are signed by VMCA.
- Note down the Serial number, issuer, and Subject CN fields.
- (Optional) With a Web browser, open a HTTPS connection to a node where the certificate will be replaced, check the certificate information, and ensure that it matches the machine SSL certificate.
- Stop all services and start the services that handle certificate creation, propagation, and storage.
The service names differ on Windows and the vCenter Server Appliance.
service-control --stop --all service-control --start VMWareAfdService service-control --start VMWareDirectoryService service-control --start VMWareCertificateService
- vCenter Server Appliance
service-control --stop --all service-control --start vmafdd service-control --start vmdird service-control --start vmcad
- Publish the custom root certificat, which is the signing certificate from the third-party CA.
dir-cli trustedcert publish --cert <my_custom_root>If you do not specify a user name and password on the command line, you are prompted.
- Restart all services.
service-control --start --all