After you generate a new VMCA-signed root certificate, you can replace all machine SSL certificates in your environment.
Each machine must have a machine SSL certificate for secure communication with other services. In a multi-node deployment, you must run the machine SSL certificate generation commands on each node. On a vCenter Server with an external Platform Services Controller, use the --server parameter to point to the Platform Services Controller.
Prerequisites
Be prepared to stop all services and to start the services that handle certificate propagation and storage.
Procedure
Example: Replacing Machine Certificates With VMCA-Signed Certificates
- Create a configuration file for the SSL certificate and save it as ssl-config.cfg in the current directory, one key per line:
Country = US
Name = vmca-<PSC-FQDN-example>
Organization = <my_company>
OrgUnit = <my_company Engineering>
State = <my_state>
Locality = <mytown>
Hostname = <FQDN>
- Generate a key pair for the machine SSL certificate. Run this command on each management node and Platform Services Controller node; it does not require a --server option.
C:\>"C:\Program Files\VMware\vCenter Server\vmcad\"certool --genkey --privkey=ssl-key.priv --pubkey=ssl-key.pub
The ssl-key.priv and ssl-key.pub files are created in the current directory.
- Generate the new machine SSL certificate. This certificate is signed by VMCA. If you replaced the VMCA root certificate with a custom certificate, VMCA signs all certificates with the full chain.
- On a Platform Services Controller node or embedded installation:
C:\>"C:\Program Files\VMware\vCenter Server\vmcad\"certool --gencert --cert=new-vmca-ssl.crt --privkey=ssl-key.priv --config=ssl-config.cfg
- On a vCenter Server (external installation):
C:\>"C:\Program Files\VMware\vCenter Server\vmcad\"certool --gencert --cert=new-vmca-ssl.crt --privkey=ssl-key.priv --config=ssl-config.cfg --server=<psc-ip-or-fqdn>
The new-vmca-ssl.crt file is created in the current directory.
- (Optional) List the content of VECS.
C:\>"C:\Program Files\VMware\vCenter Server\vmafdd\"vecs-cli store list
Sample output on Platform Services Controller:
MACHINE_SSL_CERT
TRUSTED_ROOTS
TRUSTED_ROOT_CRLS
machine
Sample output on vCenter Server:
MACHINE_SSL_CERT
TRUSTED_ROOTS
TRUSTED_ROOT_CRLS
machine
vpxd
vpxd-extension
vsphere-webclient
sms
- Replace the machine SSL certificate in VECS with the new machine SSL certificate. The --store and --alias values must exactly match the default names (MACHINE_SSL_CERT and __MACHINE_CERT).
- On the Platform Services Controller, run the following command to update the Machine SSL certificate in the MACHINE_SSL_CERT store.
C:\>"C:\Program Files\VMware\vCenter Server\vmafdd\"vecs-cli entry delete --store MACHINE_SSL_CERT --alias __MACHINE_CERT
C:\>"C:\Program Files\VMware\vCenter Server\vmafdd\"vecs-cli entry create --store MACHINE_SSL_CERT --alias __MACHINE_CERT --cert new-vmca-ssl.crt --key ssl-key.priv
- On each management node or embedded deployment, run the following command to update the Machine SSL certificate in the MACHINE_SSL_CERT store. You must update the certificate for each machine separately because each has a different FQDN.
C:\>"C:\Program Files\VMware\vCenter Server\vmafdd\"vecs-cli entry delete --store MACHINE_SSL_CERT --alias __MACHINE_CERT
C:\>"C:\Program Files\VMware\vCenter Server\vmafdd\"vecs-cli entry create --store MACHINE_SSL_CERT --alias __MACHINE_CERT --cert new-vmca-ssl.crt --key ssl-key.priv
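The steps of this procedure gathered into one PowerShell script that runs on a single node, as an added example that is not part of the VMware documentation. It keeps the certool and vecs-cli paths and flags shown above. Everything else is an assumption to check against your vecs-cli version before use: the parameter names, the backup directory, the -y confirmation flag on entry delete, the entry getcert, entry getkey and entry list calls used to keep a rollback copy and to verify the result, and the service-control path used for the optional restart.

```powershell
# Added example, not VMware's code: replace the machine SSL certificate on one
# Windows vCenter Server or Platform Services Controller node with a VMCA-signed
# certificate, keeping a copy of the entry being replaced so it can be restored.
param(
    [Parameter(Mandatory)] [string] $Fqdn,       # Hostname for the certificate, e.g. vc01.example.com
    [Parameter(Mandatory)] [string] $PscFqdn,    # Platform Services Controller FQDN (used in Name =)
    [string] $Server,                             # set only on a vCenter Server with an external PSC
    [string] $Organization = '<my_company>',
    [string] $OrgUnit      = '<my_company Engineering>',
    [string] $State        = '<my_state>',
    [string] $Locality     = '<mytown>',
    [string] $BackupDir    = 'C:\cert-backup',    # assumed location for the rollback copy
    [switch] $RestartServices                     # assumed: restart all services afterwards
)
$ErrorActionPreference = 'Stop'

$certool        = 'C:\Program Files\VMware\vCenter Server\vmcad\certool.exe'
$vecs           = 'C:\Program Files\VMware\vCenter Server\vmafdd\vecs-cli.exe'
$serviceControl = 'C:\Program Files\VMware\vCenter Server\bin\service-control.bat'  # assumed path

# Native tools report failure through the exit code, which $ErrorActionPreference
# does not catch, so every call goes through this wrapper.
function Invoke-Tool {
    param([string] $Exe, [string[]] $ToolArgs)
    & $Exe @ToolArgs
    if ($LASTEXITCODE -ne 0) {
        throw "$(Split-Path $Exe -Leaf) failed (exit $LASTEXITCODE): $($ToolArgs -join ' ')"
    }
}

# 1. Write the configuration file, one key per line. Hostname must be this
#    node's FQDN, which is why the script is run once per node.
@"
Country = US
Name = vmca-$PscFqdn
Organization = $Organization
OrgUnit = $OrgUnit
State = $State
Locality = $Locality
Hostname = $Fqdn
"@ | Set-Content -Path .\ssl-config.cfg -Encoding ASCII

# 2. Keep the current certificate and key before deleting the VECS entry, so a
#    service that rejects the new certificate can be rolled back quickly.
New-Item -ItemType Directory -Force -Path $BackupDir | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
Invoke-Tool $vecs @('entry', 'getcert', '--store', 'MACHINE_SSL_CERT', '--alias', '__MACHINE_CERT',
                    '--output', "$BackupDir\machine-ssl-$stamp.crt")
Invoke-Tool $vecs @('entry', 'getkey',  '--store', 'MACHINE_SSL_CERT', '--alias', '__MACHINE_CERT',
                    '--output', "$BackupDir\machine-ssl-$stamp.key")

# 3. Generate the key pair; this step never needs --server.
Invoke-Tool $certool @('--genkey', '--privkey=ssl-key.priv', '--pubkey=ssl-key.pub')

# 4. Have VMCA sign the certificate. From a vCenter Server with an external
#    Platform Services Controller, --server points at the PSC.
$genArgs = @('--gencert', '--cert=new-vmca-ssl.crt', '--privkey=ssl-key.priv', '--config=ssl-config.cfg')
if ($Server) { $genArgs += "--server=$Server" }
Invoke-Tool $certool $genArgs

# 5. Replace the VECS entry. Store and alias must match the defaults exactly;
#    -y suppresses the interactive delete confirmation.
Invoke-Tool $vecs @('entry', 'delete', '--store', 'MACHINE_SSL_CERT', '--alias', '__MACHINE_CERT', '-y')
Invoke-Tool $vecs @('entry', 'create', '--store', 'MACHINE_SSL_CERT', '--alias', '__MACHINE_CERT',
                    '--cert', 'new-vmca-ssl.crt', '--key', 'ssl-key.priv')

# 6. Print what VECS now holds so the subject and hostname can be checked
#    against $Fqdn before services are restarted.
Invoke-Tool $vecs @('entry', 'list', '--store', 'MACHINE_SSL_CERT', '--text')

# 7. Optional restart; required on every node of a multi-node deployment.
if ($RestartServices) {
    Invoke-Tool $serviceControl @('--stop', '--all')
    Invoke-Tool $serviceControl @('--start', '--all')
}
```

Run it from an elevated PowerShell prompt in the directory where the key and certificate files should be created, for example `.\Replace-MachineSsl.ps1 -Fqdn vc01.example.com -PscFqdn psc01.example.com -Server psc01.example.com` on a vCenter Server with an external Platform Services Controller, and without -Server on the Platform Services Controller or an embedded node. The backup step is what makes the delete in step 5 safe to script: the files it writes under $BackupDir are exactly what entry create needs to put the old certificate back.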
What to do next
You can also replace the certificates for your ESXi hosts. See the vSphere Security publication.
After replacing the root certificate in a multi-node deployment, you must restart services on all vCenter Server nodes that use an external Platform Services Controller.