By default, the Auto Deploy server provisions each host with certificates that are signed by the VMware Certificate Authority (VMCA). You can set up the Auto Deploy server to provision all hosts with custom certificates that are not signed by VMCA. In that scenario, the Auto Deploy server becomes a subordinate certificate authority of your third-party certificate authority (CA).

Prerequisites

  • Request a certificate from your CA. The certificate must meet these requirements.
    • Key size: 2048 bits (minimum) to 8192 bits (maximum) (PEM encoded)
    • PEM format. VMware supports PKCS8 and PKCS1 (RSA keys). When keys are added to VECS, they are converted to PKCS8.
    • x509 version 3
    • For root certificates, the CA extension must be set to true, and Certificate Sign must be included in the key usages.
    • SubjectAltName must contain DNS Name=<machine_FQDN>.
    • CRT format
    • Contains the following Key Usages: Digital Signature, Key Encipherment
    • Start time of one day before the current time.
    • CN (and SubjectAltName) set to the host name (or IP address) that the ESXi host has in the vCenter Server inventory.
    Note: vSphere's FIPS certificate only validates RSA key sizes of 2048 and 3072. See Considerations When Using FIPS.
  • Name the certificate and the key files rbd-ca.crt and rbd-ca.key.
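
As an added example, not part of VMware's documentation or tooling, the following POSIX shell function checks a candidate certificate and key pair against the prerequisites above using the openssl CLI, which is assumed to be on PATH. It does not verify the one-day backdated start time, only that the certificate is currently within its validity period.

```sh
#!/bin/sh
# check_rbd_ca CRT KEY FQDN
# Validates a candidate rbd-ca.crt / rbd-ca.key pair against the Auto Deploy
# certificate prerequisites before it is copied to /etc/vmware-rbd/ssl/.
# Assumes the openssl CLI is on PATH. Prints one line per failed check and
# returns 1 if any check failed, 0 otherwise. (Added example, not VMware code.)
check_rbd_ca() {
    crt="$1"; key="$2"; fqdn="$3"; rc=0
    text=$(openssl x509 -in "$crt" -noout -text 2>/dev/null) || {
        echo "FAIL: $crt is not a PEM-encoded X.509 certificate"; return 1; }

    # x509 version 3
    echo "$text" | grep -q 'Version: 3' || { echo "FAIL: not an X.509 v3 certificate"; rc=1; }

    # RSA key, 2048 to 8192 bits
    echo "$text" | grep -q 'Public Key Algorithm: rsaEncryption' \
        || { echo "FAIL: public key is not RSA"; rc=1; }
    bits=$(echo "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    [ "${bits:-0}" -ge 2048 ] && [ "${bits:-0}" -le 8192 ] \
        || { echo "FAIL: key size ${bits:-unknown} bits (need 2048-8192)"; rc=1; }

    # Root certificate: CA extension true, plus the required key usages
    echo "$text" | grep -q 'CA:TRUE' || { echo "FAIL: basicConstraints CA is not TRUE"; rc=1; }
    for usage in 'Digital Signature' 'Key Encipherment' 'Certificate Sign'; do
        echo "$text" | grep -q "$usage" || { echo "FAIL: missing key usage: $usage"; rc=1; }
    done

    # CN and SubjectAltName must name the host as vCenter Server knows it
    echo "$text" | grep -Eq "Subject:.*CN ?= ?$fqdn"'(,|[[:space:]]*$)' \
        || { echo "FAIL: CN is not $fqdn"; rc=1; }
    echo "$text" | grep -Eq "DNS:$fqdn"'(,|[[:space:]]*$)' \
        || { echo "FAIL: SubjectAltName lacks DNS:$fqdn"; rc=1; }

    # Certificate must currently be within its validity period
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1 \
        || { echo "FAIL: certificate has expired"; rc=1; }

    # Key must be a readable PEM private key (PKCS8 or PKCS1) that matches the cert
    openssl pkey -in "$key" -noout 2>/dev/null \
        || { echo "FAIL: $key is not a readable PEM private key"; rc=1; }
    [ "$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)" = \
      "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] \
        || { echo "FAIL: private key does not match certificate"; rc=1; }
    return $rc
}
```

Run it as `check_rbd_ca rbd-ca.crt rbd-ca.key esx01.example.com` before replacing the files in step 3 of the procedure; every FAIL line names the requirement the CA-issued pair misses.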

Procedure

  1. Back up the default ESXi certificates.
    The certificates are in the /etc/vmware-rbd/ssl/ directory.
  2. Stop the vSphere Authentication Proxy service, using either of the following tools.
    vCenter Server Management Interface:
    1. In a Web browser, go to the vCenter Server Management Interface, https://vcenter-IP-address-or-FQDN:5480.
    2. Log in as root.
      The default root password is the password that you set while deploying the vCenter Server.
    3. Click Services, and click VMware vSphere Authentication Proxy.
    4. Click Stop.
    CLI:
    service-control --stop vmcam

  3. On the system where the Auto Deploy service runs, replace rbd-ca.crt and rbd-ca.key in /etc/vmware-rbd/ssl/ with your custom certificate and key files.
  4. On the system where the Auto Deploy service runs, run the following command to update the TRUSTED_ROOTS store inside the VMware Endpoint Certificate Store (VECS) to use your new certificates.
    /usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert /etc/vmware-rbd/ssl/rbd-ca.crt
    /usr/lib/vmware-vmafd/bin/vecs-cli force-refresh
  5. Create a castore.pem file that contains what is in the TRUSTED_ROOTS store and place the file in the /etc/vmware-rbd/ssl/ directory.
    In custom mode, you are responsible for maintaining this file.
  6. Change the ESXi certificate mode for the vCenter Server system to custom.
  7. Restart the vCenter Server service and start the Auto Deploy service.

Results

The next time you provision a host that is set up to use Auto Deploy, the Auto Deploy server generates a certificate for that host, signed by the custom root certificate that you added to the TRUSTED_ROOTS store.

Note: If you encounter problems with Auto Deploy after certificate replacement, see the VMware knowledge base article at https://kb.vmware.com/s/article/2000988.