After you replace the machine SSL certificates, you can replace the VMCA-signed solution user certificates with third-party or enterprise certificates.

Before you begin

  • Key size: 2048 bits or more (PEM encoded)

  • CRT format

  • x509 version 3

  • SubjectAltName must contain DNS Name=<machine_FQDN>

  • Each solution user certificate must have a different Subject. Consider, for example, including the solution user name (such as vpxd) or other unique identifier.

  • Contains the following Key Usages: Digital Signature, Non Repudiation, Key Encipherment
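A pre-flight check for the requirements above, as an added example that is not part of the VMware documentation: it parses the text dump that `openssl x509 -in vpxd.crt -noout -text` produces for a candidate solution user certificate and reports which items fail, and it flags solution users whose certificates share a Subject. The sample dump and the host name vc01.corp.example are constructed.

```python
import re

REQUIRED_KEY_USAGES = {"Digital Signature", "Non Repudiation", "Key Encipherment"}

# Constructed excerpt of `openssl x509 -in vpxd.crt -noout -text` output (vc01.corp.example is made up).
SAMPLE_OK = """        Version: 3 (0x2)
        Subject: CN = vpxd-vc01.corp.example, O = solution user
                Public-Key: (2048 bit)
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:vc01.corp.example
"""

def parse_openssl_text(text):
    """Pull version, key size, Subject, SAN DNS names and Key Usages from the dump."""
    version = re.search(r"Version:\s*(\d+)", text)
    bits = re.search(r"Public-Key:\s*\((\d+)\s*bit\)", text)
    subject = re.search(r"Subject:\s*(.+)", text)
    san = re.search(r"Subject Alternative Name:.*\n\s*(.+)", text)
    ku = re.search(r"X509v3 Key Usage:.*\n\s*(.+)", text)
    return {
        "version": int(version.group(1)) if version else None,
        "key_bits": int(bits.group(1)) if bits else 0,
        "subject": subject.group(1).strip() if subject else "",
        "san_dns": set(re.findall(r"DNS:([^,\s]+)", san.group(1))) if san else set(),
        "key_usages": {u.strip() for u in ku.group(1).split(",")} if ku else set(),
    }

def check_requirements(fields, machine_fqdn):
    """Return the checklist items the certificate fails; an empty list means it passes."""
    problems = []
    if fields["version"] != 3:
        problems.append("not x509 version 3")
    if fields["key_bits"] < 2048:
        problems.append("key shorter than 2048 bits")
    if machine_fqdn not in fields["san_dns"]:
        problems.append("SubjectAltName lacks DNS Name=" + machine_fqdn)
    missing = REQUIRED_KEY_USAGES - fields["key_usages"]
    if missing:
        problems.append("missing Key Usage: " + ", ".join(sorted(missing)))
    return problems

def duplicate_subjects(fields_by_user):
    """Groups of solution users that share one Subject; each Subject must differ."""
    by_subject = {}
    for user, fields in fields_by_user.items():
        by_subject.setdefault(fields["subject"], []).append(user)
    return [users for users in by_subject.values() if len(users) > 1]
```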

About this task

Many VMware customers do not replace solution user certificates. They replace only the machine SSL certificates with custom certificates. This hybrid approach satisfies the requirements of their security teams.

  • Certificates either sit behind a proxy, or they are custom certificates.

  • No intermediate CAs are used.

Solution users use certificates only to authenticate to vCenter Single Sign-On. If the certificate is valid, vCenter Single Sign-On assigns a SAML token to the solution user, and the solution user uses the SAML token to authenticate to other vCenter components.

You replace the machine solution user certificate on each management node and on each Platform Services Controller node. You replace the other solution user certificates only on each management node. Use the --server parameter to point to the Platform Services Controller when you run commands on a management node with an external Platform Services Controller.

Note:

When you list solution user certificates in large deployments, the output of dir-cli list includes all solution users from all nodes. Run vmafd-cli get-machine-id --server-name localhost to find the local machine ID for each host. Each solution user name includes the machine ID.

Procedure

  1. Stop all services and start the services that handle certificate creation, propagation, and storage.
    service-control --stop --all
    service-control --start vmafdd
    service-control --start vmdird
    service-control --start vmca
    
  2. Find the name for each solution user.
    dir-cli service list

    You use the unique name that is returned (which includes the machine ID) when you replace the certificates in step 3. The input and output might look as follows.

    C:\Program Files\VMware\vCenter Server\vmafdd>dir-cli service list
    Enter password for administrator@vsphere.local:
    1. machine-1d364500-4b45-11e4-96c2-020011c98db3
    2. vpxd-1d364500-4b45-11e4-96c2-020011c98db3
    3. vpxd-extension-1d364500-4b45-11e4-96c2-020011c98db3
    4. vsphere-webclient-1d364500-4b45-11e4-96c2-020011c98db3

    When you list solution user certificates in multi-node deployments, the output of dir-cli list includes all solution users from all nodes. Run vmafd-cli get-machine-id --server-name localhost to find the local machine ID for each host. Each solution user name includes the machine ID.

  3. For each solution user, replace the existing certificate in VECS and then in vmdir.

    You must add the certificates in that order.

    vecs-cli entry delete --store vpxd --alias vpxd
    vecs-cli entry create --store vpxd --alias vpxd --cert vpxd.crt --key vpxd.priv
    dir-cli service update --name <vpxd-xxxx-xxx-xxxxxx> --cert vpxd.crt
    
    Note:

    Solution users cannot authenticate to vCenter Single Sign-On if you do not replace the certificate in vmdir.

  4. Restart all services.
    service-control --start --all