You can use the vSphere Certificate Manager utility to make VMCA an Intermediate CA. After you complete the process, VMCA signs all new certificates with the full chain. If you want, you can use vSphere Certificate Manager to replace all existing certificates with new VMCA-signed certificates.

VMware does not recommend operating VMCA as a subordinate (or intermediate) certificate authority. If you choose this option, you might encounter significant complexity and the potential for a negative impact to your security, and an unnecessary increase in your operational risk. For more information about managing certificates within a vSphere environment, see the blog post titled New Product Walkthrough - Hybrid vSphere SSL Certificate Replacement at http://vmware.com/go/hybridvmca.

To make VMCA an intermediate CA, you must run vSphere Certificate Manager several times. The high-level steps for replacing both machine SSL certificates and solution user certificates include:

  1. Launching the vSphere Certificate Manager utility.
  2. Generating a CSR by running Option 2, Replace VMCA Root certificate with Custom Signing Certificate and replace all Certificates. You might have to provide some information about the certificate next. When prompted for an option again, select Option 1, Generate Certificate Signing Request(s) and Key(s) for VMCA Root Signing certificate.
  3. Submitting the CSR to your external or enterprise CA. You receive a signed certificate and a root certificate from the CA.
  4. Combining the VMCA root certificate with the CA root certificate and saving the file.
  5. Replacing certificates by running Option 2, Replace VMCA Root certificate with Custom Signing Certificate and replace all Certificates, and following the prompts. This process replaces all certificates on the local machine.
  6. (Optional) Replacing certificates on each node when multiple vCenter Server instances are connected in Enhanced Linked Mode configuration by:
    1. First replacing the machine SSL certificate with the (new) VMCA certificate (Option 3, Replace Machine SSL certificate with VMCA Certificate).
    2. Then replacing the solution user certificates with the (new) VMCA certificate (Option 6, Replace Solution user certificates with VMCA certificates).

Generate CSR Using the Certificate Manager and Prepare Root Certificate (Intermediate CA)

You can use the vSphere Certificate Manager utility to generate Certificate Signing Requests (CSRs). Submit those CSRs to your enterprise CA or to an external certificate authority for signing. You can use the signed certificates with the different supported certificate replacement processes.

  • You can use vSphere Certificate Manager to create the CSR.
    Note: In vSphere 8.0 and later, if you use the vSphere Certificate Manager to generate the CSR, the minimum key size is changed to 3072 bits from 2048. In vSphere 8.0 Update 1, use the vSphere Client to generate a CSR with a key size of 2048 bits.
    Note: vSphere's FIPS certificate only validates RSA key sizes of 2048 bits and 3072 bits.
  • If you prefer to create the CSR manually, the certificate that you send to be signed must meet the following requirements.
    • Key size: 2048 bits (minimum) to 16384 bits (maximum) (PEM encoded). As of vSphere 8.0 Update 2b, the maximum key size supported is 8192 bits.
    • PEM format. VMware supports PKCS8 and PKCS1 (RSA keys). When keys are added to VECS, they are converted to PKCS8.
    • x509 version 3
    • The CA extension must be set to true for root certificates, and cert sign must be in the list of requirements. For example:
      basicConstraints        = critical,CA:true
      keyUsage                = critical,digitalSignature,keyCertSign
    • CRL signing must be enabled.
    • Extended Key Usage can be either empty or contain Server Authentication.
    • No explicit limit to the length of the certificate chain. VMCA uses the OpenSSL default, which is 10 certificates.
    • Certificates with wildcards or with more than one DNS name are not supported.
    • You cannot create subsidiary CAs of VMCA.

      See the VMware knowledge base article at http://kb.vmware.com/kb/2112009, Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.x, for an example using Microsoft Certificate Authority.

Prerequisites

vSphere Certificate Manager prompts you for information. The prompts depend on your environment and on the type of certificate that you want to replace.

For any CSR generation, you are prompted for the password of the administrator@vsphere.local user, or for the administrator of the vCenter Single Sign-On domain that you are connecting to.

Procedure

  1. Log in to the vCenter Server shell and start the vSphere Certificate Manager.
    /usr/lib/vmware-vmca/bin/certificate-manager
  2. Select Option 2, Replace VMCA Root certificate with Custom Signing Certificate and replace all Certificates.
    Initially, you use this option to generate the CSR, not to replace certificates.
  3. Enter the administrator user and password.
  4. Select Option 1, Generate Certificate Signing Request(s) and Key(s) for VMCA Root Signing certificate, to generate the CSR and answer the prompts.
    As part of the process, you have to provide a directory. vSphere Certificate Manager places the certificate to be signed ( *.csr file) and the corresponding key file ( *.key file) in the directory.
  5. Name the certificate signing request (CSR) root_signing_cert.csr.
  6. Send the CSR to your enterprise or external CA for signing and name the resulting signed certificate root_signing_cert.cer.
  7. In a text editor, combine the certificates as follows.
    -----BEGIN CERTIFICATE-----
    Signed VMCA root certificate
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    CA intermediate certificates
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    Root certificate of enterprise or external CA
    -----END CERTIFICATE-----
  8. Save the file as root_signing_chain.cer.

What to do next

Replace the existing root certificate with the chained root certificate. See Replace VMCA Root Certificate with Custom Signing Certificate and Replace All Certificates Using the Certificate Manager.

Replace VMCA Root Certificate with Custom Signing Certificate and Replace All Certificates Using the Certificate Manager

You can use the vSphere Certificate Manager utility to generate a CSR and send the CSR to an enterprise or third-party CA for signing. You can then replace the VMCA root certificate with a custom signing certificate and replace all existing certificates with certificates that are signed by the custom CA.

You run vSphere Certificate Manager on vCenter Server to replace the VMCA root certificate with a custom signing certificate.

Prerequisites

  • Generate the certificate chain.
  • Gather the information that you need.
    • Password for administrator@vsphere.local
    • Valid custom certificate for Root (.crt file)
    • Valid custom key for Root (.key file)

Procedure

  1. Log in to the vCenter Server shell and start the vSphere Certificate Manager.
    /usr/lib/vmware-vmca/bin/certificate-manager
  2. Select Option 2, Replace VMCA Root certificate with Custom Signing Certificate and replace all Certificates.
  3. Enter the administrator user and password.
  4. Select Option 2, Import custom certificate(s) and key(s) to replace existing VMCA Root Signing certificate, and respond to the prompts.
    1. Specify the full path to the root certificate when prompted.
    2. If you are replacing certificates for the first time, you are prompted for information to be used for the machine SSL certificate.
      This information includes the required FQDN of the machine and is stored in the certool.cfg file.

Replace Machine SSL Certificate with VMCA Certificate (Intermediate CA) Using the Certificate Manager

When you use VMCA as an intermediate CA, you can replace the machine SSL certificate explicitly using the vSphere Certificate Manager utility. First you replace the VMCA root certificate on the vCenter Server, then you can replace the machine SSL certificate, which will be signed by the new root of the VMCA. You can also use this option to replace machine SSL certificates that are corrupt or about to expire.

When you replace the existing machine SSL certificate with a new VMCA-signed certificate, vSphere Certificate Manager prompts you for information and enters all values, except for the password and the IP address of the vCenter Server, into the certool.cfg file.

  • Password for administrator@vsphere.local
  • Two-letter country code
  • Company name
  • Organization name
  • Organization unit
  • State
  • Locality
  • IP address (optional)
  • Email
  • Host name, that is, the fully qualified domain name of the machine for which you want to replace the certificate. If the host name does not match the FQDN, certificate replacement does not complete correctly and your environment might end up in an unstable state.
  • IP address of vCenter Server
  • VMCA name, that is, the fully qualified domain name of the machine on which the certificate configuration is running.
Note: The OU (organizationalUnitName) field is no longer mandatory.

Prerequisites

  • You must know the following information to run vSphere Certificate Manager with this option.
    • Password for administrator@vsphere.local.
    • The FQDN of the machine for which you want to generate a new VMCA-signed certificate. All other properties default to the predefined values but can be changed.
    • Host name or IP address of the vCenter Server system.

Procedure

  1. Log in to the vCenter Server shell and start the vSphere Certificate Manager.
    /usr/lib/vmware-vmca/bin/certificate-manager
  2. Select Option 3, Replace Machine SSL certificate with VMCA Certificate.
  3. Enter the administrator user and password.
  4. Respond to the prompts.
    vSphere Certificate Manager stores the information in the certool.cfg file.

Results

vSphere Certificate Manager replaces the machine SSL certificate.

Replace Solution User Certificates with VMCA Certificates (Intermediate CA) Using the Certificate Manager

When you use VMCA as an intermediate CA, you can replace the solution user certificate explicitly using the vSphere Certificate Manager utility. First you replace the VMCA root certificate on the vCenter Server, then you can replace the solution user certificate, which will be signed by the new root of the VMCA. You can also use this option to replace solution certificates that are corrupt or about to expire.

Prerequisites

  • Restart all vCenter Server nodes explicitly if you replaced the VMCA root certificate in a deployment consisting of multiple instances of vCenter Server in Enhanced Linked Mode configuration.
  • You must know the following information to run vSphere Certificate Manager with this option.
    • Password for administrator@vsphere.local
    • Host name or IP address of the vCenter Server system

Procedure

  1. Log in to the vCenter Server shell and start the vSphere Certificate Manager.
    /usr/lib/vmware-vmca/bin/certificate-manager
  2. Select option 6, Replace Solution user certificates with VMCA certificates.
  3. Enter the administrator user and password.
  4. Respond to the prompts.
    See the VMware knowledge base article at http://kb.vmware.com/kb/2112281 for more information.

Results

vSphere Certificate Manager replaces all solution user certificates.