After you generate a new VMCA-signed root certificate, you can replace all machine SSL certificates in your environment.

Each machine must have a machine SSL certificate for secure communication with other services. When multiple vCenter Server instances are connected in Enhanced Linked Mode configuration, you must run the Machine SSL certificate generation commands on each node.

Prerequisites

Be prepared to stop all services and to start the services that handle certificate propagation and storage.

Procedure

  1. Make one copy of certool.cfg for each machine that needs a new certificate.
    You can find the certool.cfg file in the /usr/lib/vmware-vmca/share/config/ directory.
  2. Edit the custom configuration file for each machine to include that machine's FQDN.
    Run NSLookup against the machine’s IP address to see the DNS listing of the name, and use that name for the Hostname field in the file.
  3. Generate a public/private key file pair and a certificate for each file, passing in the configuration file that you just customized.
    For example: 
    certool --genkey --privkey=machine1.priv --pubkey=machine1.pub
certool --gencert --privkey=machine1.priv --cert machine1.crt --Name=Machine1_Cert --config machine1.cfg
  4. Stop all services and start the services that handle certificate creation, propagation, and storage. 
    service-control --stop --all
service-control --start vmafdd
service-control --start vmdird
service-control --start vmcad
  5. Add the new certificate to VECS.
    All machines need the new certificate in the local certificate store to communicate over SSL. You first delete the existing entry, then add the new entry. 
    vecs-cli entry delete --store MACHINE_SSL_CERT --alias __MACHINE_CERT  
vecs-cli entry create --store MACHINE_SSL_CERT --alias __MACHINE_CERT --cert machine1.crt --key machine1.priv
  6. Restart all services. 
    service-control --start --all

Example: Replacing Machine Certificates with VMCA-Signed Certificates

  1. Create a configuration file for the SSL certificate and save it as ssl-config.cfg in the current directory. 
    Country = US
Name = vmca-<FQDN-example>
Organization = <my_company>
OrgUnit = <my_company Engineering>
State = <my_state> 
Locality = <mytown>
Hostname = <FQDN>
  2. Generate a key pair for the machine SSL certificate. In a deployment of multiple vCenter Server instances connected in Enhanced Linked Mode configuration, run this command on each vCenter Server node. 
    /usr/lib/vmware-vmca/bin/certool --genkey --privkey=ssl-key.priv --pubkey=ssl-key.pub

    The ssl-key.priv and ssl-key.pub files are created in the current directory.

  3. Generate the new machine SSL certificate. This certificate is signed by VMCA. If you replaced the VMCA root certificate with custom certificate, VMCA signs all certificates with the full chain. 
    /usr/lib/vmware-vmca/bin/certool --gencert --cert=new-vmca-ssl.crt --privkey=ssl-key.priv --config=ssl-config.cfg

    The new-vmca-ssl.crt file is created in the current directory.

  4. (Optional) List the content of VECS. 
    /usr/lib/vmware-vmafd/bin/vecs-cli store list
    • Sample output on vCenter Server: 
      output (on vCenter):
MACHINE_SSL_CERT
TRUSTED_ROOTS
TRUSTED_ROOT_CRLS
machine
vsphere-webclient
vpxd
vpxd-extension
hvc
data-encipherment
APPLMGMT_PASSWORD
SMS
wcp
KMS_ENCRYPTION
  5. Replace the Machine SSL certificate in VECS with the new Machine SSL certificate. The --store and --alias values have to exactly match with the default names.
    • On each vCenter Server, run the following commands to update the Machine SSL certificate in the MACHINE_SSL_CERT store. You must update the certificate for each machine separately because each has a different FQDN. 
      /usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store MACHINE_SSL_CERT --alias __MACHINE_CERT
/usr/lib/vmware-vmafd/bin/vecs-cli entry create --store MACHINE_SSL_CERT --alias __MACHINE_CERT --cert new-vmca-ssl.crt --key ssl-key.priv

What to do next

You can also replace the certificates for your ESXi hosts. See the vSphere Security publication.