By default, the Auto Deploy server provisions each host with certificates that are signed by VMCA. You can set up the Auto Deploy server to provision all hosts with custom certificates that are not signed by VMCA. In that scenario, the Auto Deploy server becomes a subordinate certificate authority of your third-party CA.
Before you begin
Request a certificate from your CA. The certificate must meet these requirements.
Key size: 2048 bits or more (PEM encoded)
PEM format. VMware supports PKCS8 and PKCS1 (RSA keys). When keys are added to VECS, they are converted to PKCS8
x509 version 3
For root certificates, the CA extension must be set to true, and the cert sign must be in the list of requirements.
SubjectAltName must contain DNS Name=<machine_FQDN>
Contains the following Key Usages: Digital Signature, Non Repudiation, Key Encipherment
Start time of one day before the current time
CN (and SubjectAltName) set to the host name (or IP address) that the ESXi host has in the vCenter Server inventory.
Name the certificate and key files rbd-ca.crt and rbd-ca.key.
- Back up the default ESXi certificates.
The certificates are located at /etc/vmware-rbd/ssl/.
- From the vSphere Web Client, stop the Auto Deploy service.
- Select Administration, and click System Configuration under Deployment.
- Click Services.
- Right-click the service you want to stop and select Stop.
- On the system where the Auto Deploy service runs, replace rbd-ca.crt and rbd-ca.key in /etc/vmware-rbd/ssl/ with your custom certificate and key files.
- On the system where the Auto Deploy service runs, update the TRUSTED_ROOTS store in VECS to use your new certificates.
cd C:\Program Files\VMware\vCenter Server\vmafdd\vecs-cli.exe vecs-cli entry delete --store TRUSTED_ROOTS --alias rbd_cert vecs-cli entry create --store TRUSTED_ROOTS --alias rbd_cert --cert /etc/vmware-rbd/ssl/rbd-ca.crt
cd /usr/lib/vmware-vmafd/bin/vecs-cli vecs-cli entry delete --store TRUSTED_ROOTS --alias rbd_cert vecs-cli entry create --store TRUSTED_ROOTS --alias rbd_cert --cert /etc/vmware-rbd/ssl/rbd-ca.crt
- Create a castore.pem file that contains what's in TRUSTED_ROOTS and place the file in the /etc/vmware-rbd/ssl/ directory.
In custom mode, you are responsible for maintaining this file.
- Change the ESXi certificate mode for the vCenter Server system to custom.
- Restart the vCenter Server service and start the Auto Deploy service.
The next time you provision a host that is set up to use Auto Deploy, the Auto Deploy server generates a certificate. The Auto Deploy server uses the root certificate that you just added to the TRUSTED_ROOTS store.
If you encounter problems with Auto Deploy after certificate replacement, see VMware Knowledgebase Article 2000988.