Recently I have done some projects where replacing default vSphere certificates with CA signed SSL was required. I think some of you remember how managing certificates were hard in prior vSphere releases (especially 5.0/5.1). Fortunately since version 6.0 replacing SSL certificates with custom is easy and straightforward. There are two main options:
- The VMCA as a Subordinate (or Intermediate) Certificate Authority which is the easiest to manage but least secure
- The manual replacement which is the most difficult to manage, however most secure.
and one more - the hybrid mode where Web Client certificate is replaced by 3rd authority manually but ESXi hosts, solution certificates by VMCA automatically.
VMCA as a Subordinate
This option is really cool. We have just to create a special template, create a CSR and sign by Root. Then replace on VMCA. The rest certificates will be replaced/renew almost automatically. It works pretty well if your template is prepared properly. Please follow the below link to prepare such template:
Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.x
The manual replacement
Unfortunately, this method is the most popular, at least I have done it very often. All vSphere certificates are replaced manually.
Possible issues
There are some issues with replacing of SSL on vSphere 6.x (6.0 and 6.5 as well):
- When VMCA is a Subordinate, please make sure that you don't use the Certificate Manager to prepare a request (CSR) as probably you will face the below issue (the CSR created for the VMCA does not include the required attributes):
Error Message : Not a CA Cert
- Problem with configuring of HA (e.g. vSphere HA cannot be configured on this host because its SSL thumbprint has not been verified). Just disconnect the host that has custom SSL certificates installed and connect it again.
- Problem with adding of ESXi hosts to vCenter after replacing SSL - please follow below tips.
Some tips
- When you replace SSL certificates the first time, you should consider changing the parameter vpxd.certmgmt.certs.minutesBefore (available since 6.0 U2):
When adding a host to VMware vCenter Server, the VMware Certificate Authority predates VMware vSphere ESXi certificates by 24 hours to avoid time synchronization issues. - Make sure that you have a snapshot of vCenter. If replacement fails (e.g. I couldn't find any reason in logs), sometimes just reverting to snapshot and trying again may help.
- Make sure that you added all required Root/Intermediate certs to PSC via GUI or shell.
Add a Trusted Root Certificate to the Certificate Store - If you have a big environment and SSL replacement is needed, please consider using the Certificate Generation Utility for VMware Validated Design for Software-Defined Data Center. This tool helps to prepare CSRs not only for vSphere certificates but also NSX, SRM or Log Insight where there are different certificate formats required.
- Read where vSphere uses certificates. A good info here.
Additional useful links:
Certificate Management Overview
How to use vSphere 6.x Certificate Manager
How to replace vSphere 6.x certificates
VMware Certificate Authority overview and using VMCA Root Certificates in a browser
New Product Walkthrough – Hybrid vSphere SSL Certificate Replacement