After you generate a new VMCA-signed root certificate, you can replace all machine SSL certificates in your environment.

Each machine must have a machine SSL certificate for secure communication with other services. In a multi-node deployment, you must run the Machine SSL certificate generation commands on each node. When you run the commands from a vCenter Server with an external Platform Services Controller, use the --server parameter to point to the Platform Services Controller.

Prerequisites

Be prepared to stop all services and to start the services that handle certificate propagation and storage.

Procedure

  1. Make one copy of certool.cfg for each machine that needs a new certificate.
    You can find certool.cfg in the following locations:
    Windows: C:\Program Files\VMware\vCenter Server\vmcad
    Linux: /usr/lib/vmware-vmca/share/config/
  2. Edit the custom configuration file for each machine to include that machine's FQDN.
    Run NSLookup against the machine's IP address to see the DNS listing of the name, and use that name for the Hostname field in the file.
  3. Generate a public/private key file pair and a certificate for each file, passing in the configuration file that you just customized.
    For example:
    certool --genkey --privkey=machine1.priv --pubkey=machine1.pub
    certool --gencert --privkey=machine1.priv --cert machine1.crt --Name=Machine1_Cert --config machine1.cfg
  4. Stop all services and start the services that handle certificate creation, propagation, and storage.
    The service names differ on Windows and the vCenter Server Appliance.
    Note: If your environment uses an external Platform Services Controller, you do not have to stop and start VMware Directory Service (vmdird) and VMware Certificate Authority (vmcad) on the vCenter Server node. Those services run on the Platform Services Controller.
    Windows
    service-control --stop --all
    service-control --start VMWareAfdService
    service-control --start VMWareDirectoryService
    service-control --start VMWareCertificateService
    
    vCenter Server Appliance
    service-control --stop --all
    service-control --start vmafdd
    service-control --start vmdird
    service-control --start vmcad
    
  5. Add the new certificate to VECS.
    All machines need the new certificate in the local certificate store to communicate over SSL. You first delete the existing entry, then add the new entry.
    vecs-cli entry delete --store MACHINE_SSL_CERT --alias __MACHINE_CERT
    vecs-cli entry create --store MACHINE_SSL_CERT --alias __MACHINE_CERT --cert machine1.crt --key machine1.priv
  6. Restart all services.
    service-control --start --all
    
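The six steps above are one per-node procedure, so here they are as a single script for the vCenter Server Appliance. This is an added example, not VMware's own tooling: the certool.cfg path is the Linux one from step 1; the locations of the certool and vecs-cli binaries, the PSC_SERVER and WORKDIR variables and the DRY_RUN switch (which only prints the privileged commands) are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not VMware's script): steps 1-6 above on one vCenter Server
# Appliance node. Run with DRY_RUN=1 first to review the commands it would issue.
set -eu
umask 077   # the private key written below must not be world-readable

CERTOOL_CFG=${CERTOOL_CFG:-/usr/lib/vmware-vmca/share/config/certool.cfg}   # from step 1
CERTOOL=${CERTOOL:-/usr/lib/vmware-vmca/bin/certool}      # assumed binary location
VECS_CLI=${VECS_CLI:-/usr/lib/vmware-vmafd/bin/vecs-cli}  # assumed binary location
PSC_SERVER=${PSC_SERVER:-}   # set to the PSC FQDN on a node with an external PSC
WORKDIR=${WORKDIR:-/root/machine-ssl}

# Print a command instead of running it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# Step 2 wants the DNS name: reject names that are not fully qualified.
validate_fqdn() {
  case "$1" in
    *..*|.*|*.|*[!A-Za-z0-9.-]*) echo "malformed FQDN: $1" >&2; return 1 ;;
    *.*) return 0 ;;
    *) echo "not an FQDN: $1" >&2; return 1 ;;
  esac
}

# Step 2: reverse lookup of this node's IP, as the text does with nslookup.
hostname_from_ip() {
  nslookup "$1" | awk '/name = / { sub(/\.$/, "", $NF); print $NF; exit }'
}

# Steps 1 and 2: copy certool.cfg and set Hostname to this node's FQDN.
# Usage: make_node_cfg <template> <output> <fqdn>
make_node_cfg() {
  template=$1; out=$2; fqdn=$3
  validate_fqdn "$fqdn" || return 1
  if grep -q '^Hostname' "$template"; then
    sed "s|^Hostname[[:space:]]*=.*|Hostname = $fqdn|" "$template" > "$out"
  else
    { cat "$template"; printf '\nHostname = %s\n' "$fqdn"; } > "$out"
  fi
  # Exactly one Hostname line must remain in the per-node file.
  [ "$(grep -c '^Hostname' "$out")" = 1 ]
}

# Steps 3 to 6 on this node.
replace_machine_ssl() {
  fqdn=$1
  mkdir -p "$WORKDIR"
  make_node_cfg "$CERTOOL_CFG" "$WORKDIR/$fqdn.cfg" "$fqdn"
  server_opt=${PSC_SERVER:+--server=$PSC_SERVER}
  run "$CERTOOL" --genkey --privkey="$WORKDIR/$fqdn.priv" --pubkey="$WORKDIR/$fqdn.pub"
  run "$CERTOOL" --gencert --privkey="$WORKDIR/$fqdn.priv" --cert="$WORKDIR/$fqdn.crt" \
      --config="$WORKDIR/$fqdn.cfg" $server_opt
  run service-control --stop --all
  run service-control --start vmafdd
  # With an external PSC, vmdird and vmcad run on the PSC, not here (note in step 4).
  if [ -z "$PSC_SERVER" ]; then
    run service-control --start vmdird
    run service-control --start vmcad
  fi
  run "$VECS_CLI" entry delete --store MACHINE_SSL_CERT --alias __MACHINE_CERT
  run "$VECS_CLI" entry create --store MACHINE_SSL_CERT --alias __MACHINE_CERT \
      --cert "$WORKDIR/$fqdn.crt" --key "$WORKDIR/$fqdn.priv"
  run service-control --start --all
}

# Usage: sh replace-machine-ssl.sh <ip-of-this-node>   (DRY_RUN=1 to preview)
if [ "$#" -gt 0 ]; then
  replace_machine_ssl "$(hostname_from_ip "$1")"
fi
```

The script stops before touching any service if the per-node configuration file cannot be produced, and it never starts vmdird or vmcad on a node that delegates those to an external Platform Services Controller.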

Example: Replacing Machine Certificates With VMCA-Signed Certificates

  1. Create a configuration file for the SSL certificate and save it as ssl-config.cfg in the current directory.
    Country = US
    Name = vmca-<PSC-FQDN-example>
    Organization = <my_company>
    OrgUnit = <my_company Engineering>
    State = <my_state> 
    Locality = <mytown>
    Hostname = <FQDN>
  2. Generate a key pair for the machine SSL certificate. Run this command on each management node and Platform Services Controller node; it does not require a --server option.
    C:\>"C:\Program Files\VMware\vCenter Server\vmcad\"certool --genkey --privkey=ssl-key.priv --pubkey=ssl-key.pub
    

    The ssl-key.priv and ssl-key.pub files are created in the current directory.

  3. Generate the new machine SSL certificate. This certificate is signed by VMCA. If you replaced the VMCA root certificate with a custom certificate, VMCA signs all certificates with the full chain.
    • On a Platform Services Controller node or embedded installation:
      C:\>"C:\Program Files\VMware\vCenter Server\vmcad\"certool --gencert --cert=new-vmca-ssl.crt --privkey=ssl-key.priv --config=ssl-config.cfg
    • On a vCenter Server (external installation):
      C:\>"C:\Program Files\VMware\vCenter Server\vmcad\"certool --gencert --cert=new-vmca-ssl.crt --privkey=ssl-key.priv --config=ssl-config.cfg --server=<psc-ip-or-fqdn>

    The new-vmca-ssl.crt file is created in the current directory.

  4. (Optional) List the content of VECS.
    C:\>"C:\Program Files\VMware\vCenter Server\vmafdd\"vecs-cli store list
    • Sample output on Platform Services Controller:
      MACHINE_SSL_CERT
      TRUSTED_ROOTS
      TRUSTED_ROOT_CRLS
      machine
    • Sample output on vCenter Server:
      MACHINE_SSL_CERT
      TRUSTED_ROOTS
      TRUSTED_ROOT_CRLS
      machine
      vpxd
      vpxd-extension
      vsphere-webclient
      sms
  5. Replace the Machine SSL certificate in VECS with the new Machine SSL certificate. The --store and --alias values must exactly match the default names.
    • On the Platform Services Controller, run the following command to update the Machine SSL certificate in the MACHINE_SSL_CERT store.
      C:\>"C:\Program Files\VMware\vCenter Server\vmafdd\"vecs-cli entry delete --store MACHINE_SSL_CERT --alias __MACHINE_CERT
      C:\>"C:\Program Files\VMware\vCenter Server\vmafdd\"vecs-cli entry create --store MACHINE_SSL_CERT --alias __MACHINE_CERT --cert new-vmca-ssl.crt --key ssl-key.priv
      
    • On each management node or embedded deployment, run the following command to update the Machine SSL certificate in the MACHINE_SSL_CERT store. You must update the certificate for each machine separately because each has a different FQDN.
      C:\>"C:\Program Files\VMware\vCenter Server\vmafdd\"vecs-cli entry delete --store MACHINE_SSL_CERT --alias __MACHINE_CERT
      C:\>"C:\Program Files\VMware\vCenter Server\vmafdd\"vecs-cli entry create --store MACHINE_SSL_CERT --alias __MACHINE_CERT --cert new-vmca-ssl.crt --key ssl-key.priv
      
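The procedure ends once VECS holds the new entry, but a practitioner will want to confirm that the certificate each node now presents on port 443 is the one just generated, that it carries the node's FQDN, and that it chains to the VMCA root. The following check is an added example, not part of the VMware procedure. It assumes openssl is available on the Linux workstation (or appliance) running it; the inputs named in the comments, the "vecs-cli entry getcert --output" export and "certool --getrootca" for the root, are assumptions about those tools, and the certificate file names are the ones from the example above.

```shell
#!/bin/sh
# Added example: post-replacement verification of a node's Machine SSL certificate.
# Inputs (assumed to be obtained with VMware's tools, not produced by this script):
#   new-vmca-ssl.crt  the certificate generated in step 3 above
#   vmca-root.crt     the VMCA root (or full custom chain), e.g. from certool --getrootca
#   vecs-export.crt   optional: vecs-cli entry getcert --store MACHINE_SSL_CERT
#                     --alias __MACHINE_CERT --output vecs-export.crt
set -eu

# SHA-256 fingerprint of a PEM certificate, lowercase hex without colons.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//; s/://g' | tr 'A-F' 'a-f'
}

# Succeeds when two PEM files hold the same certificate.
same_cert() {
  [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}

# Succeeds when the certificate's subjectAltName lists the FQDN (what the
# Hostname field in ssl-config.cfg should have produced).  $1 cert, $2 fqdn
cert_has_dns_name() {
  pat=$(printf '%s' "$2" | sed 's/\./\\./g')
  openssl x509 -in "$1" -noout -text | grep -qiE "DNS:$pat(,|\$)"
}

# Succeeds when the leaf validates against the root (or chain) file.  $1 root, $2 leaf
chains_to_root() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Leaf certificate presented on port 443 of a host, written as PEM to $2.
fetch_served_cert() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$2"
}

# End-to-end check on one node after step 5 and the service restart.
# Usage: check_node <fqdn> <new-vmca-ssl.crt> <vmca-root.crt> [vecs-export.crt]
check_node() {
  fqdn=$1; newcert=$2; root=$3; vecs_export=${4:-}
  served=$(mktemp)
  fetch_served_cert "$fqdn" "$served"
  same_cert "$newcert" "$served"       || { echo "$fqdn still serves a different certificate" >&2; return 1; }
  cert_has_dns_name "$newcert" "$fqdn" || { echo "$newcert has no SAN for $fqdn" >&2; return 1; }
  chains_to_root "$root" "$newcert"    || { echo "$newcert does not chain to $root" >&2; return 1; }
  if [ -n "$vecs_export" ]; then
    same_cert "$newcert" "$vecs_export" || { echo "VECS holds a different certificate" >&2; return 1; }
  fi
  rm -f "$served"
  echo "OK: $fqdn serves $(cert_fingerprint "$newcert")"
}

# Usage: sh check-machine-ssl.sh <fqdn> new-vmca-ssl.crt vmca-root.crt [vecs-export.crt]
if [ "$#" -ge 3 ]; then
  check_node "$@"
fi
```

A mismatch between the served certificate and VECS after the restart usually means a service was still holding the old certificate, which is exactly the case the stop-all/start-all sequence in the procedure is meant to avoid.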

What to do next

You can also replace the certificates for your ESXi hosts. See the vSphere Security publication.

After replacing the root certificate in a multi-node deployment, you must restart services on all vCenter Server nodes that use an external Platform Services Controller.