Using custom certificates with vSphere Authentication Proxy consists of several steps. First you generate a CSR and send it to your CA for signing. Then you place the signed certificate and key file in a location that vSphere Authentication Proxy can access.
By default, vSphere Authentication Proxy generates a CSR during first boot and asks VMCA to sign that CSR. vSphere Authentication Proxy registers with vCenter Server using that certificate. You can use custom certificates in your environment if you add those certificates to vCenter Server.
Procedure
- Generate a CSR for vSphere Authentication Proxy.
- Create a configuration file, /var/lib/vmware/vmcam/ssl/vmcam.cfg, as in the following example.
[ req ]
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:false
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = DNS:dns.static-1.csl.vmware.com
[ req_distinguished_name ]
countryName = IE
stateOrProvinceName = Cork
localityName = Cork
0.organizationName = VMware
organizationalUnitName = vTSU
commonName = test-cam-1.test1.vmware.com
- Run openssl to generate a CSR file and a key file, passing in the configuration file.
openssl req -new -nodes -out vmcam.csr -newkey rsa:2048 -keyout /var/lib/vmware/vmcam/ssl/rui.key -config /var/lib/vmware/vmcam/ssl/vmcam.cfg
- Back up the rui.crt certificate and rui.key files, which are stored in the following location.
OS | Location
vCenter Server Appliance | /var/lib/vmware/vmcam/ssl/rui.crt
vCenter Server Windows | C:\ProgramData\VMware\vCenterServer\data\vmcamd\ssl\rui.crt
- Unregister vSphere Authentication Proxy.
- Go to the directory where the camregister script is located.
OS | Commands
vCenter Server Appliance | /usr/lib/vmware-vmcam/bin
vCenter Server Windows | C:\ProgramData\VMware\vCenterServer\data\vmcamd\ssl\rui.crt
- Run the following command.
camregister --unregister -a VC_address -u user
user must be a vCenter Single Sign-On user that has administrator permissions on vCenter Server.
- Stop the vSphere Authentication Proxy service.
Tool | Steps
vSphere Web Client | Click Administration, and click System Configuration under Deployment. Click Services, click the VMware vSphere Authentication Proxy service, and stop the service.
CLI | service-control --stop vmcam
- Replace the existing rui.crt certificate and rui.key files with the files that you received from your CA.
- Restart the vSphere Authentication Proxy service.
- Reregister vSphere Authentication Proxy explicitly with vCenter Server by using the new certificate and key.
camregister --register -a VC_address -u user -c full_path_to_rui.crt -k full_path_to_rui.key
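Two points in this procedure are where rollouts usually go wrong: the vmcam.cfg used for the CSR (an encrypted key, a missing extension section, or a subjectAltName that does not carry the name clients actually use to reach the proxy) and the replacement step, where a rui.crt returned by the CA has to belong to the rui.key that produced the CSR. The following pre-flight checker is an added example written for this page; it is not VMware code and not part of the camregister tooling. It parses an OpenSSL request config in the format shown above (the sample embedded in the block is the page's own vmcam.cfg), reports settings that would yield an unusable certificate, and uses the openssl CLI, the same tool the procedure calls, to confirm that a certificate and key share one RSA modulus. The finding names, message texts and the function names are this example's own.

```python
"""Pre-flight checks for a vSphere Authentication Proxy custom-certificate rollout.

Added example, not VMware code. Checks the OpenSSL request config before the
CSR is generated, and verifies that the signed rui.crt from the CA belongs to
the rui.key that produced the CSR before the files are swapped in.
"""
import configparser
import re
import shutil
import subprocess
from typing import Dict, List

# Constructed sample input: the vmcam.cfg shown in the procedure, verbatim.
SAMPLE_VMCAM_CFG = """\
[ req ]
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:false
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = DNS:dns.static-1.csl.vmware.com
[ req_distinguished_name ]
countryName = IE
stateOrProvinceName = Cork
localityName = Cork
0.organizationName = VMware
organizationalUnitName = vTSU
commonName = test-cam-1.test1.vmware.com
"""


def parse_openssl_cfg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse an OpenSSL-style config into {section: {key: value}}.

    OpenSSL writes headers as '[ req ]' and keys are case-sensitive, so the
    section names are stripped and option names keep their casing.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep keyUsage / subjectAltName as written
    parser.read_string(text)
    return {name.strip(): dict(parser[name]) for name in parser.sections()}


def check_request_config(cfg: Dict[str, Dict[str, str]]) -> List[str]:
    """Return human-readable findings; an empty list means the config is sound."""
    findings: List[str] = []
    req = cfg.get("req", {})
    # The service starts unattended, so the key must be stored unencrypted
    # (the procedure also passes -nodes to openssl for the same reason).
    if req.get("encrypt_key", "yes").lower() != "no":
        findings.append("encrypt_key must be 'no': vmcam cannot supply a passphrase at start-up")
    if req.get("prompt", "yes").lower() != "no":
        findings.append("prompt should be 'no' so the CSR is generated non-interactively")
    dn = cfg.get(req.get("distinguished_name") or "", {})
    if not dn:
        findings.append("distinguished_name does not reference an existing section")
    ext = cfg.get(req.get("req_extensions") or "", {})
    if not ext:
        findings.append("req_extensions does not reference an existing section")
        return findings
    if ext.get("basicConstraints", "").replace(" ", "").lower() != "ca:false":
        findings.append("basicConstraints should be CA:false for a leaf certificate")
    usages = {u.strip() for u in ext.get("keyUsage", "").split(",") if u.strip()}
    for needed in ("digitalSignature", "keyEncipherment"):
        if needed not in usages:
            findings.append(f"keyUsage lacks {needed}")
    san_names = {m.group(1).lower()
                 for m in re.finditer(r"DNS:([^,\s]+)", ext.get("subjectAltName", ""))}
    if not san_names:
        findings.append("subjectAltName has no DNS entries; TLS clients ignore the CN")
    cn = dn.get("commonName", "").lower()
    # When a SAN is present, hostname verification uses it and ignores the CN,
    # so the name ESXi hosts and vCenter connect to must appear in the SAN.
    if cn and cn not in san_names:
        findings.append(f"commonName {cn} is not listed in subjectAltName; clients match on SAN only")
    return findings


def _modulus(kind: str, path: str) -> str:
    """RSA modulus as printed by 'openssl <x509|req|rsa> -noout -modulus'."""
    out = subprocess.run(["openssl", kind, "-noout", "-modulus", "-in", path],
                         check=True, capture_output=True, text=True).stdout
    return out.strip().split("=", 1)[1]


def cert_matches_key(cert_path: str, key_path: str) -> bool:
    """True when the signed rui.crt and rui.key share one RSA modulus.

    Run this before replacing the files in the ssl directory; a mismatch means
    the CA signed a different CSR than the one generated from this key.
    """
    if shutil.which("openssl") is None:
        raise RuntimeError("openssl CLI not found")
    return _modulus("x509", cert_path) == _modulus("rsa", key_path)


if __name__ == "__main__":
    for finding in check_request_config(parse_openssl_cfg(SAMPLE_VMCAM_CFG)) or ["config OK"]:
        print(finding)
```

Run against the sample config the checker reports a single finding: the commonName is not among the subjectAltName DNS entries, which is worth confirming before sending the CSR off, since clients that reach the proxy by the CN will not accept a certificate whose SAN names a different host. Point cert_matches_key at the rui.crt returned by your CA and the rui.key written by the openssl step before you replace the files and restart the service.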