The first step in replacing the VMCA certificates with custom certificates is generating a CSR, sending the CSR to be signed, and adding the signed certificate to VMCA as a root certificate.

About this task

You can use the Certificate Manager utility or other tool to generate the CSR. The CSR must meet the following requirements:

  • Key size: 2048 bits or more

  • PEM format. VMware supports PKCS8 and PKCS1 (RSA keys). When keys are added to VECS, they are converted to PKCS8.

  • x509 version 3

  • If you are using custom certificates, the CA extension (Basic Constraints) must be set to true for root certificates, and Key Usage must include cert sign (certificate signing).

  • CRL signing must be enabled.

  • Enhanced Key Usage must not contain Client Authentication or Server Authentication.

  • All nodes in your environment must be time synchronized.

  • No explicit limit to the length of the certificate chain. VMCA uses the OpenSSL default, which is ten certificates.

  • VMCA does not support certificates with wildcards or with more than one DNS name.

  • You cannot create subsidiary CAs of VMCA.

    See VMware Knowledge Base Article 2112009, Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.0, for an example using Microsoft Certificate Authority.

VMCA validates the following certificate attributes when you replace the root certificate:

  • Key size 2048 bits or more

  • Key Usage: Cert Sign

  • Basic Constraint: Subject Type CA
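
A pre-flight check for the chain file that step 2 below builds (certificate issued to VMCA first, any intermediates next, root CA last), added here as an example that is not part of the VMware documentation or tooling: it runs the openssl command line over each certificate in the file and checks the requirements listed above (key size, X.509 v3, CA basic constraint, certificate and CRL signing key usage, no Server or Client Authentication EKU, no wildcard or multiple DNS names, at most ten certificates, and VMCA-first/root-last ordering) before the file is handed to certool. The function name and the temporary-file layout are this example's own.

```shell
#!/bin/sh
# Pre-flight check for the chain file (VMCA certificate first, intermediates,
# root CA last) before it is passed to "certool --rootca". Each rule below is
# one of the requirements listed above; the function name and the temporary
# file layout are this example's own, not part of any VMware tool.
check_vmca_root_chain() {
    file=$1
    tmp=$(mktemp -d) || return 1
    # split the PEM bundle into 1.pem, 2.pem, ... in file order
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/" n ".pem")}' "$file"
    count=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$file")
    if [ "$count" -lt 1 ] || [ "$count" -gt 10 ]; then   # OpenSSL default chain limit
        echo "chain must contain 1 to 10 certificates, found $count"; rm -rf "$tmp"; return 1
    fi
    rc=0; i=1
    while [ "$i" -le "$count" ]; do
        crt="$tmp/$i.pem"
        txt=$(openssl x509 -in "$crt" -noout -text) || { echo "cert $i: unparsable"; rc=1; break; }
        bits=$(printf '%s\n' "$txt" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
        [ "${bits:-0}" -ge 2048 ] || { echo "cert $i: key size ${bits:-?} below 2048 bits"; rc=1; }
        printf '%s\n' "$txt" | grep -q 'Version: 3'       || { echo "cert $i: not X.509 v3"; rc=1; }
        printf '%s\n' "$txt" | grep -q 'CA:TRUE'          || { echo "cert $i: basicConstraints CA not TRUE"; rc=1; }
        printf '%s\n' "$txt" | grep -q 'Certificate Sign' || { echo "cert $i: keyUsage lacks keyCertSign"; rc=1; }
        printf '%s\n' "$txt" | grep -q 'CRL Sign'         || { echo "cert $i: keyUsage lacks cRLSign"; rc=1; }
        if printf '%s\n' "$txt" | grep -Eq 'TLS Web (Server|Client) Authentication'; then
            echo "cert $i: EKU contains serverAuth or clientAuth"; rc=1
        fi
        # VMCA rejects wildcard names and more than one DNS name
        dns=$(printf '%s\n' "$txt" | grep -o 'DNS:[^,]*' | grep -c .)
        [ "$dns" -le 1 ] || { echo "cert $i: more than one DNS name"; rc=1; }
        if printf '%s\n' "$txt" | grep -q 'DNS:\*'; then echo "cert $i: wildcard DNS name"; rc=1; fi
        # ordering: each cert must be issued by the next one; the last (root) must be self-issued
        issuer=$(openssl x509 -in "$crt" -noout -issuer | sed 's/^issuer=//')
        if [ "$i" -lt "$count" ]; then nxt="$tmp/$((i + 1)).pem"; else nxt="$crt"; fi
        subj=$(openssl x509 -in "$nxt" -noout -subject | sed 's/^subject=//')
        [ "$issuer" = "$subj" ] || { echo "cert $i: issuer does not match the next certificate's subject"; rc=1; }
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return "$rc"
}
# usage: check_vmca_root_chain rootca1.crt && echo "chain OK"
```

The function prints one line per failed rule and returns non-zero, so it can gate the certool step in a script.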

Procedure

  1. Generate a CSR and send it to your CA.

    Follow your CA's instructions.

  2. Prepare a certificate file that includes the signed VMCA certificate along with the full CA chain of your third party CA or enterprise CA, and save the file, for example, as rootca1.crt.

    You can accomplish this by copying all CA certificates in PEM format into a single file. Start with the certificate issued to VMCA and end with the root CA PEM certificate. For example:

    -----BEGIN CERTIFICATE-----
    <Certificate of VMCA>
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    <Certificate of intermediary CA>
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    <Certificate of Root CA>
    -----END CERTIFICATE-----
  3. Stop all services and start the services that handle certificate creation, propagation, and storage.

    The service names differ on Windows and the vCenter Server Appliance.

    Windows

    service-control --stop --all
    service-control --start VMWareAfdService
    service-control --start VMWareDirectoryService
    service-control --start VMWareCertificateService
    

    vCenter Server Appliance

    service-control --stop --all
    service-control --start vmafdd
    service-control --start vmdird
    service-control --start vmcad
    
  4. Replace the existing VMCA root CA.
    certool --rootca --cert=rootca1.crt --privkey=root1.key

    When you run this command, it:

    • Adds the new custom root certificate to the certificate location in the file system.

    • Appends the custom root certificate to the TRUSTED_ROOTS store in VECS (after a delay).

    • Adds the custom root certificate to vmdir (after a delay).

  5. (Optional) : To propagate the change to all instances of vmdir (VMware Directory Service), publish the new root certificate to vmdir, supplying the full file path for each file.

    For example:

    dir-cli trustedcert publish --cert rootca1.crt

    Replication between vmdir nodes happens every 30 seconds. You do not have to add the root certificate to VECS explicitly because VECS polls vmdir for new root certificate files every 5 minutes.

  6. (Optional) : If necessary, you can force a refresh of VECS.
    vecs-cli force-refresh
  7. Restart all services.
    service-control --start --all
    

Replacing the Root Certificate

Replace the VMCA root certificate with the custom CA root certificate using the certool command with the --rootca option.

C:\>"C:\Program Files\VMware\vCenter Server\vmcad\certool" --rootca --cert=C:\custom-certs\root.pem --privkey=C:\custom-certs\root.key

When you run this command, it:

  • Adds the new custom root certificate to the certificate location in the file system.

  • Appends the custom root certificate to the TRUSTED_ROOTS store in VECS.

  • Adds the custom root certificate to vmdir.

What to do next

You can remove the original VMCA root certificate from the certificate store if company policy requires it. If you do, you have to replace the vCenter Single Sign-On Signing certificate. See Refresh the Security Token Service Certificate.