You can use the vSphere Certificate Manager utility to make VMCA an Intermediate CA. After you complete the process, VMCA signs all new certificates with the full chain. If you want, you can use vSphere Certificate Manager to replace all existing certificates with new VMCA-signed certificates.
To make VMCA an intermediate CA, you must run vSphere Certificate Manager several times. The high-level steps for replacing both machine SSL certificates and solution user certificates include:
- Launching the vSphere Certificate Manager utility.
- Generating a CSR by running Option 2, Replace VMCA Root certificate with Custom Signing Certificate and replace all Certificates. You might have to provide some information about the certificate next. When prompted for an option again, select Option 1, Generate Certificate Signing Request(s) and Key(s) for VMCA Root Signing certificate.
- Submitting the CSR to your external or enterprise CA. You receive a signed certificate and a root certificate from the CA.
- Combining the VMCA root certificate with the CA root certificate and saving the file.
- Replacing certificates by running Option 2, Replace VMCA Root certificate with Custom Signing Certificate and replace all Certificates, and following the prompts. This process replaces all certificates on the local machine.
- (Optional) Replacing certificates on each node when multiple vCenter Server instances are connected in Enhanced Linked Mode configuration by:
- First replacing the machine SSL certificate with the (new) VMCA certificate (Option 3, Replace Machine SSL certificate with VMCA Certificate).
- Then replacing the solution user certificates with the (new) VMCA certificate (Option 6, Replace Solution user certificates with VMCA certificates).
Generate CSR Using the Certificate Manager and Prepare Root Certificate (Intermediate CA)
You can use the vSphere Certificate Manager utility to generate Certificate Signing Requests (CSRs). Submit those CSRs to your enterprise CA or to an external certificate authority for signing. You can use the signed certificates with the different supported certificate replacement processes.
- You can use vSphere Certificate Manager to create the CSR.
Note: In vSphere 8.0 and later, if you use the vSphere Certificate Manager to generate the CSR, the minimum key size is changed to 3072 bits from 2048. In vSphere 8.0 Update 1 and later, use the vSphere Client to generate a CSR with a key size of 2048 bits.Note: vSphere's FIPS certificate only validates RSA key sizes of 2048 bits and 3072 bits.
- If you prefer to create the CSR manually, the certificate that you send to be signed must meet the following requirements.
- Key size: 2048 bits (minimum) to 8192 bits (maximum) (PEM encoded)
- PEM format. VMware supports PKCS8 and PKCS1 (RSA keys). When keys are added to VECS, they are converted to PKCS8.
- x509 version 3
- The CA extension must be set to true for root certificates, and cert sign must be in the list of requirements. For example:
basicConstraints = critical,CA:true keyUsage = critical,digitalSignature,keyCertSign
- CRL signing must be enabled.
- Extended Key Usage can be either empty or contain Server Authentication.
- No explicit limit to the length of the certificate chain. VMCA uses the OpenSSL default, which is 10 certificates.
- Certificates with wildcards or with more than one DNS name are not supported.
- You cannot create subsidiary CAs of VMCA.
See the VMware knowledge base article at https://kb.vmware.com/s/article/2112009, Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.x, for an example using Microsoft Certificate Authority.
Prerequisites
vSphere Certificate Manager prompts you for information. The prompts depend on your environment and on the type of certificate that you want to replace.
For any CSR generation, you are prompted for the password of the [email protected] user, or for the administrator of the vCenter Single Sign-On domain that you are connecting to.
Procedure
What to do next
Replace the existing root certificate with the chained root certificate. See Replace VMCA Root Certificate with Custom Signing Certificate and Replace All Certificates Using the Certificate Manager.
Replace VMCA Root Certificate with Custom Signing Certificate and Replace All Certificates Using the Certificate Manager
You can use the vSphere Certificate Manager utility to generate a CSR and send the CSR to an enterprise or third-party CA for signing. You can then replace the VMCA root certificate with a custom signing certificate and replace all existing certificates with certificates that are signed by the custom CA.
You run vSphere Certificate Manager on vCenter Server to replace the VMCA root certificate with a custom signing certificate.
Prerequisites
- Generate the certificate chain.
- You can use vSphere Certificate Manager to create the CSR or create the CSR manually.
- After you receive the signed certificate from your third-party or enterprise CA, combine it with the initial VMCA root certificate to create the full chain.
See Generate CSR Using the Certificate Manager and Prepare Root Certificate (Intermediate CA) for certificate requirements and the process of combining the certificates.
- Gather the information that you need.
- Password for [email protected]
- Valid custom certificate for Root (.crt file)
- Valid custom key for Root (.key file)
Procedure
Replace Machine SSL Certificate with VMCA Certificate (Intermediate CA) Using the Certificate Manager
When you use VMCA as an intermediate CA, you can replace the machine SSL certificate explicitly using the vSphere Certificate Manager utility. First you replace the VMCA root certificate on the vCenter Server, then you can replace the machine SSL certificate, which will be signed by the new root of the VMCA. You can also use this option to replace machine SSL certificates that are corrupt or about to expire.
When you replace the existing machine SSL certificate with a new VMCA-signed certificate, vSphere Certificate Manager prompts you for information and enters all values, except for the password and the IP address of the vCenter Server, into the certool.cfg file.
- Password for [email protected]
- Two-letter country code
- Company name
- Organization name
- Organization unit
- State
- Locality
- IP address (optional)
- Host name, that is, the fully qualified domain name of the machine for which you want to replace the certificate. If the host name does not match the FQDN, certificate replacement does not complete correctly and your environment might end up in an unstable state.
- IP address of vCenter Server
- VMCA name, that is, the fully qualified domain name of the machine on which the certificate configuration is running.
Prerequisites
- You must know the following information to run vSphere Certificate Manager with this option.
- Password for [email protected].
- The FQDN of the machine for which you want to generate a new VMCA-signed certificate. All other properties default to the predefined values but can be changed.
- Host name or IP address of the vCenter Server system.
Procedure
Results
Replace Solution User Certificates with VMCA Certificates (Intermediate CA) Using the Certificate Manager
When you use VMCA as an intermediate CA, you can replace the solution user certificate explicitly using the vSphere Certificate Manager utility. First you replace the VMCA root certificate on the vCenter Server, then you can replace the solution user certificate, which will be signed by the new root of the VMCA. You can also use this option to replace solution certificates that are corrupt or about to expire.
Prerequisites
- Restart all vCenter Server nodes explicitly if you replaced the VMCA root certificate in a deployment consisting of multiple instances of vCenter Server in Enhanced Linked Mode configuration.
- You must know the following information to run vSphere Certificate Manager with this option.
- Password for [email protected]
- Host name or IP address of the vCenter Server system
