Using custom certificates with vSphere Authentication Proxy consists of several steps. First you generate a CSR and send it to your CA for signing. Then you place the signed certificate and key file in a location that vSphere Authentication Proxy can access.
By default, vSphere Authentication Proxy generates a CSR during first boot and asks VMCA to sign that CSR. vSphere Authentication Proxy registers with vCenter Server using that certificate. You can use custom certificates in your environment if you add those certificates to vCenter Server.
Procedure
- Generate a CSR for vSphere Authentication Proxy.
- Create a configuration file, /var/lib/vmware/vmcam/ssl/vmcam.cfg, as in the following example.
[ req ]
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:false
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = DNS:vcenter1.example.com
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = NY
localityName = New York
0.organizationName = Example Inc.
organizationalUnitName = IT Org
commonName = vcenter1.example.com
Note the following:
- subjectAltName: Use the format DNS:FQDN, where FQDN is the fully qualified domain name of the vCenter Appliance that will use the CA-signed certificate.
- commonName: Use the same vCenter Appliance FQDN as in subjectAltName.
- Run openssl to generate a CSR file and a key file, passing in the configuration file.
openssl req -new -nodes -out vmcam.csr -newkey rsa:2048 -keyout /var/lib/vmware/vmcam/ssl/rui.key -config /var/lib/vmware/vmcam/ssl/vmcam.cfg
- Back up the rui.crt certificate and rui.key files, which are stored in the following location.
/var/lib/vmware/vmcam/ssl/rui.crt
/var/lib/vmware/vmcam/ssl/rui.key
- Unregister vSphere Authentication Proxy.
- Go to the /usr/lib/vmware-vmcam/bin directory where the camregister script is located.
- Run the following command.
camregister --unregister -a VC_address -u user
user must be a vCenter Single Sign-On user that has administrator permissions on vCenter Server.
- Stop the vSphere Authentication Proxy service.
Tool: vCenter Server Configuration Management Interface
Steps:
- In a Web browser, go to the vCenter Server Configuration Management Interface, https://vcenter-IP-address-or-FQDN:5480.
- Log in as root.
  The default root password is the password that you set while deploying vCenter Server.
- Click Services, and click the VMware vSphere Authentication Proxy service.
- Click Stop.
Tool: CLI
Steps:
- Run service-control --stop vmcam
- Replace the existing rui.crt certificate and rui.key files with the files that you received from your CA.
- Restart the vSphere Authentication Proxy service.
- Reregister vSphere Authentication Proxy explicitly with vCenter Server by using the new certificate and key.
camregister --register -a VC_address -u user -c full_path_to_rui.crt -k full_path_to_rui.key
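Before the CA-signed files replace rui.crt and rui.key, it is worth confirming that they belong together and that the certificate names the vCenter FQDN from vmcam.cfg in both subjectAltName and commonName; camregister would otherwise register a certificate the proxy cannot use. The following script is an added example, not part of the VMware documentation or product: it assumes only the openssl CLI, and the self-signed pair it builds for the demonstration is a constructed stand-in for a CA-signed one.

```shell
#!/bin/sh
# Added pre-flight checks for a CA-signed rui.crt / rui.key pair before it replaces
# the files under /var/lib/vmware/vmcam/ssl. Needs only the openssl CLI.

# check_proxy_cert CERT KEY FQDN: exit 0 when the key matches the certificate, it has
# not expired, and FQDN is both a DNS: entry in subjectAltName and the commonName,
# as the vmcam.cfg example requires. Prints the reason for the first failed check.
check_proxy_cert() {
    cert=$1; key=$2; fqdn=$3
    # Public key in the cert must equal the one derived from the key file; otherwise
    # camregister would register a certificate the proxy cannot use for TLS.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || { echo "cannot parse $cert"; return 1; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || { echo "cannot parse $key"; return 1; }
    [ "$cert_pub" = "$key_pub" ] || { echo "$key does not match $cert"; return 1; }
    # Already past notAfter: useless for registration.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || { echo "$cert has expired"; return 1; }
    # subjectAltName: line after the extension header, spaces dropped, then look for
    # ",DNS:<fqdn>," inside the comma-wrapped list.
    san=$(openssl x509 -in "$cert" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' ')
    case ",$san," in
        *",DNS:$fqdn,"*) ;;
        *) echo "subjectAltName is missing DNS:$fqdn (found: $san)"; return 1 ;;
    esac
    # commonName: RFC2253 prints "CN=x,OU=y,...", so match the whole comma-delimited
    # value rather than a prefix of a longer name.
    subj=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    case ",$subj," in
        *",CN=$fqdn,"*) ;;
        *) echo "commonName is not $fqdn (subject: $subj)"; return 1 ;;
    esac
    echo "OK: $cert and $key belong together and name $fqdn"
}

# Constructed stand-in for the CA-signed pair: a one-day self-signed certificate
# with the SAN and CN that the vmcam.cfg would request (-addext needs OpenSSL
# 1.1.1 or later). Not something to install on a real proxy.
make_test_cert() {
    openssl req -x509 -new -nodes -newkey rsa:2048 -days 1 \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
        -keyout "$1/rui.key" -out "$1/rui.crt" 2>/dev/null
}

# Stand-alone demonstration on constructed files.
tmp=$(mktemp -d)
make_test_cert "$tmp" vcenter1.example.com
check_proxy_cert "$tmp/rui.crt" "$tmp/rui.key" vcenter1.example.com
check_proxy_cert "$tmp/rui.crt" "$tmp/rui.key" vcenter2.example.com || true  # expected to fail: wrong FQDN
rm -rf "$tmp"
```

On a real proxy, run check_proxy_cert against the files your CA returned and the FQDN used in vmcam.cfg before carrying out the replace and camregister steps.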