Replacing vSphere 6 Solution user certificates with CA signed certificates


In our last post Replacing Esxi 6 SSL Certificates we learned how to replace Esxi host default certificates with CA signed certificates. In this post we will learn how to replace vSphere 6 solution user certificates with customer certificates signed by CA.

If you have missed earlier posts of this series, then you can read them from below links

1: Setup CA Server for vSphere Lab

2: Set Up Automatic Certificate Enrollment

3: Request Internal Certificate from CA Server

4: Everything You Should Know About Certificate Management in vSphere 6

5: Replacing vSphere 6 SSL Certificates

6: Replacing Esxi 6 SSL Certificates

Solution Users use SSL Certificates for internal communication and endpoint registration in vSphere 6. For vCenter with embedded PSC, there are four Solution User Certificates:

  • machine
  • vpxd
  • vpxd-extension
  • vsphere-webclient

We will be replacing certificates for all the solution user in this post.

Follow below steps to replace the solution user certificates:

1: Creating Certificate Signing Request

Launch the certificate manager utility

Press 5 to select “Replace solution user certificates with custom certificates”

Provide password of SSO account

Select option 1 “Generate Certificate signing Request(s) and key(s) for solution user certificates”

sol-1

Provide path to directory where you want to store the .csr files

sol-2.PNG

You will see following files created in the provided directory

sol-3

4: Get the signed certs from your CA server

Copy machine.csr, vpxd.csr,vpxd-extension.csr and vpshere-webclient.csr files to your CA server and repeat following steps foe each csr file

  • Launch certificate authority web interface ( http://<servername>/CertSrv/)
  • Click Request a certificate > Advanced certificate request.
  • Open the certificate request in a plain text editor and copy the contents of tis file including —–BEGIN CERTIFICATE REQUEST—– to —–END CERTIFICATE REQUEST—– lines into the Saved Request box.
  • Select  vSphere6 when selecting the Certificate Template and hit Submit to submit the request. For certificates templates please follow VMware KB-2112009
  • Click Base 64 encoded on the Certificate issued screen and click Download Certificate.

Save the files as machine.cer, vpxd.cer,vpxd-extension.cer and vpshere-webclient.cer respectively.

At last download the CA server root certificate. From CA server home page click on “Download a CA certificate,certificate chain or CRL”.

Click on Download CA certificate and save the downloaded file as Root64.cer.

Copy all the 5 files back to your vCenter Server.

5: Replace the certificates

Launch certificate manager again and select option 5 and then Option 2 (Import Custom certificate(s) and key(s) for Solution User Certificates).

sol-4.PNG

Provide path to the generated .cer files and respective key files to complete the certificate replacement process

sol-5

Thats it. We have now successfully replaced the defaults certs for solution users with CA signed certificate.

I hope you enjoyed reading this post. Feel free to share this on social media if it is worth sharing. Be sociable :)

 

 

About Alex Hunt

Hi All I am Manish Kumar Jha aka Alex Hunt. I am currently working in VMware Software India Pvt Ltd as Operations System Engineer (vCloud Air Operations). I have around 5 Years of IT experience and have exposure on VMware vSphere, vCloud Director, RHEL and modern data center technologies like Cisco UCS and Cisco Nexus 1000v and NSX. If you find any post informational to you please press like and share it across social media and leave your comments if you want to discuss further on any post. Disclaimer: All the information on this website is published in good faith and for general information purpose only. I don’t make any warranties about the completeness, reliability and accuracy of this information. Any action you take upon the information you find on this blog is strictly at your own risk. The Views and opinions published on this blog are my own and not the opinions of my employer or any of the vendors of the product discussed.
This entry was posted in Vmware. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s