Many companies only require that you replace certificates of services that are accessible externally. However, Certificate Manager also supports replacing solution user certificates. Solution users are collections of services, for example, all services that are associated with the vSphere Client.
When you are prompted for a solution user certificate, provide the complete signing certificate chain of the third-party CA.
-----BEGIN CERTIFICATE----- Signing certificate -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- CA intermediate certificates -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- Root certificate of enterprise or external CA -----END CERTIFICATE-----
Prerequisites
Before you start, you need a CSR for each machine in your environment. You can generate the CSR using vSphere Certificate Manager or explicitly.
- To generate the CSR using vSphere Certificate Manager, see Generate Certificate Signing Requests with vSphere Certificate Manager (Custom Certificates).
- Request a certificate for each solution user on each node from your third-party or enterprise CA. You can generate the CSR using vSphere Certificate Manager or prepare it yourself. The CSR must meet the following requirements:
- Key size: 2048 bits (minimum) to 16384 bits (maximum) (PEM encoded)
- CRT format
- x509 version 3
- SubjectAltName must contain DNS Name=<machine_FQDN>.
-
Each solution user certificate must have a different Subject. Consider, for example, including the solution user name (such as vpxd) or other unique identifier.
- Contains the following Key Usages: Digital Signature, Key Encipherment
See also the VMware knowledge base article at http://kb.vmware.com/kb/2112014, Obtaining vSphere certificates from a Microsoft Certificate Authority.
