After you generate a new VMCA-signed root certificate, you can replace all machine SSL certificates in your environment.

Each machine must have a machine SSL certificate for secure communication with other services. When multiple vCenter Server instances are connected in Enhanced Linked Mode configuration, you must run the Machine SSL certificate generation commands on each node.

Prerequisites

Be prepared to stop all services and to start the services that handle certificate propagation and storage.

Procedure

  1. Make one copy of certool.cfg for each machine that needs a new certificate.
    You can find the certool.cfg file in the /usr/lib/vmware-vmca/share/config/ directory.
  2. Edit the custom configuration file for each machine to include that machine's FQDN.
    Run NSLookup against the machine’s IP address to see the DNS listing of the name, and use that name for the Hostname field in the file.
  3. Generate a public/private key file pair and a certificate for each file, passing in the configuration file that you just customized.
    For example:
    certool --genkey --privkey=machine1.priv --pubkey=machine1.pub
    certool --gencert --privkey=machine1.priv --cert machine1.crt --Name=Machine1_Cert --config machine1.cfg
  4. Stop all services and start the services that handle certificate creation, propagation, and storage.
    service-control --stop --all
    service-control --start vmafdd
    service-control --start vmdird
    service-control --start vmcad
    
  5. Add the new certificate to VECS.
    All machines need the new certificate in the local certificate store to communicate over SSL. You first delete the existing entry, then add the new entry.
    vecs-cli entry delete --store MACHINE_SSL_CERT --alias __MACHINE_CERT  
    vecs-cli entry create --store MACHINE_SSL_CERT --alias __MACHINE_CERT --cert machine1.crt --key machine1.priv
  6. Restart all services.
    service-control --start --all

Example: Replacing Machine Certificates with VMCA-Signed Certificates

  1. Create a configuration file for the SSL certificate and save it as ssl-config.cfg in the current directory.
    Country = US
    Name = vmca-<FQDN-example>
    Organization = <my_company>
    OrgUnit = <my_company Engineering>
    State = <my_state> 
    Locality = <mytown>
    Hostname = <FQDN>
  2. Generate a key pair for the machine SSL certificate. In a deployment of multiple vCenter Server instances connected in Enhanced Linked Mode configuration, run this command on each vCenter Server node.
    /usr/lib/vmware-vmca/bin/certool --genkey --privkey=ssl-key.priv --pubkey=ssl-key.pub
    

    The ssl-key.priv and ssl-key.pub files are created in the current directory.

  3. Generate the new machine SSL certificate. This certificate is signed by VMCA. If you replaced the VMCA root certificate with custom certificate, VMCA signs all certificates with the full chain.
    /usr/lib/vmware-vmca/bin/certool --gencert --cert=new-vmca-ssl.crt --privkey=ssl-key.priv --config=ssl-config.cfg

    The new-vmca-ssl.crt file is created in the current directory.

  4. (Optional) List the content of VECS.
    /usr/lib/vmware-vmafd/bin/vecs-cli store list
    • Sample output on vCenter Server:
      output (on vCenter):
      MACHINE_SSL_CERT
      TRUSTED_ROOTS
      TRUSTED_ROOT_CRLS
      machine
      vsphere-webclient
      vpxd
      vpxd-extension
      hvc
      data-encipherment
      APPLMGMT_PASSWORD
      SMS
      wcp
      KMS_ENCRYPTION
  5. Replace the Machine SSL certificate in VECS with the new Machine SSL certificate. The --store and --alias values have to exactly match with the default names.
    • On each vCenter Server, run the following commands to update the Machine SSL certificate in the MACHINE_SSL_CERT store. You must update the certificate for each machine separately because each has a different FQDN.
      /usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store MACHINE_SSL_CERT --alias __MACHINE_CERT
      /usr/lib/vmware-vmafd/bin/vecs-cli entry create --store MACHINE_SSL_CERT --alias __MACHINE_CERT --cert new-vmca-ssl.crt --key ssl-key.priv
      

What to do next

You can also replace the certificates for your ESXi hosts. See the vSphere Security publication.