Using custom certificates with vSphere Authentication Proxy consists of several steps. First you generate a CSR and send it to your CA for signing. Then you place the signed certificate and key file in a location that vSphere Authentication Proxy can access.

By default, vSphere Authentication Proxy generates a CSR during first boot and asks VMCA to sign that CSR. vSphere Authentication Proxy registers with vCenter Server using that certificate. You can use custom certificates in your environment, if you add those certificates to vCenter Server.

Procedure

  1. Generate a CSR for vSphere Authentication Proxy.
    1. Create a configuration file, /var/lib/vmware/vmcam/ssl/vmcam.cfg, as in the following example.
      [ req ]
      distinguished_name = req_distinguished_name
      encrypt_key = no
      prompt = no
      string_mask = nombstr
      req_extensions = v3_req
      [ v3_req ]
      basicConstraints = CA:false
      keyUsage = nonRepudiation, digitalSignature, keyEncipherment
      subjectAltName = DNS:dns.static-1.csl.vmware.com
      [ req_distinguished_name ]
      countryName = IE
      stateOrProvinceName = Cork
      localityName = Cork
      0.organizationName = VMware
      organizationalUnitName = vTSU
      commonName = test-cam-1.test1.vmware.com
    2. Run openssl to generate a CSR file and a key file, passing in the configuration file.
      openssl req -new -nodes -out vmcam.csr -newkey rsa:2048 -keyout /var/lib/vmware/vmcam/ssl/rui.key -config /var/lib/vmware/vmcam/ssl/vmcam.cfg
  2. Back up the rui.crt certificate and rui.key files, which are stored in the following location.
    OS Location
    vCenter Server Appliance /var/lib/vmware/vmcam/ssl/rui.crt
    vCenter Server Windows C:\ProgramData\VMware\vCenterServer\data\vmcamd\ssl\rui.crt
  3. Unregister vSphere Authentication Proxy.
    1. Go to the directory where the camregister script is located.
      OS Commands
      vCenter Server Appliance /usr/lib/vmware-vmcam/bin
      vCenter Server Windows C:\ProgramData\VMware\vCenterServer\data\vmcamd\ssl\rui.crt
    2. Run the following command.
      camregister --unregister -a VC_address -u user
      
      user must be a vCenter Single Sign-On user that has administrator permissions on vCenter Server.
  4. Stop the vSphere Authentication Proxy service.
    Tool Steps
    vSphere Web Client
    1. Click Administration, and click System Configuration under Deployment.
    2. Click Services, click the VMware vSphere Authentication Proxy service, and stop the service.
    CLI
    service-control --stop vmcam
    
  5. Replace the existing rui.crt certificate and rui.key files with the files that you received from your CA.
  6. Restart the vSphere Authentication Proxy service.
  7. Reregister vSphere Authentication Proxy explicitly with vCenter Server by using the new certificate and key.
    camregister --register -a VC_address -u user -c full_path_to_rui.crt -k full_path_to_rui.key