Many companies only require that you replace certificates of services that are accessible externally. However, Certificate Manager also supports replacing solution user certificates. Solution users are collections of services, for example, all services that are associated with the vSphere Client. In multi-node deployments replace the machine solution user certificate on the Platform Services Controller and the full set of solution users on each management node.
When you are prompted for a solution user certificate, provide the complete signing certificate chain of the third-party CA.
-----BEGIN CERTIFICATE----- Signing certificate -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- CA intermediate certificates -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- Root certificate of enterprise or external CA -----END CERTIFICATE-----
Prerequisites
- To generate the CSR using vSphere Certificate Manager, see Generate Certificate Signing Requests with vSphere Certificate Manager (Custom Certificates).
- Request a certificate for each solution user on each node from your third-party or enterprise CA. You can generate the CSR using vSphere Certificate Manager or prepare it yourself. The CSR must meet the following requirements:
- Key size: 2048 bits or more (PEM encoded)
- CRT format
- x509 version 3
- SubjectAltName must contain DNS Name=<machine_FQDN>.
-
Each solution user certificate must have a different Subject. Consider, for example, including the solution user name (such as vpxd) or other unique identifier.
- Contains the following Key Usages: Digital Signature, Key Encipherment
See also the VMware knowledge base article at http://kb.vmware.com/kb/2112014, Obtaining vSphere certificates from a Microsoft Certificate Authority.
Procedure
What to do next
If you are upgrading from a vSphere 5.x environment, you might have to replace the vCenter Single Sign-On certificate inside vmdir. See Replace the VMware Directory Service Certificate in Mixed Mode Environments.
