You can use the vSphere Certificate Manager utility to replace all certificates with custom certificates. Before you start the process, you must send CSRs to your certificate authority (CA). You can use Certificate Manager to generate the CSRs.
One option is to replace only the machine SSL certificate, and to use the solution user certificates that are provisioned by VMCA. Solution user certificates are used only for communication between vSphere components.
When you use custom certificates, you replace the VMCA-signed certificates with custom certificates. You can use the vSphere Client, the vSphere Certificate Manager utility, or CLIs for manual certificate replacement. Certificates are stored in VECS.
To replace all certificates with custom certificates, you must run the vSphere Certificate Manager utility several times. The high-level steps for replacing both machine SSL certificates and solution user certificates include:
- Launching the vSphere Certificate Manager utility.
- Generating certificate signing requests for the machine SSL certificate and the solution user certificates separately on each machine.
- To generate CSRs for the machine SSL certificate, select Option 1, Replace Machine SSL certificate with Custom Certificate. When prompted for an option again, select Option 1, Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate.
- If company policy does not allow a hybrid deployment, select Option 5, Replace Solution user certificates with Custom Certificate.
- Submitting the CSR to your external or enterprise CA. You receive a signed certificate and a root certificate from the CA.
- After receiving the signed certificates and the root certificate from your CA, replacing the machine SSL certificate on each machine by using Option 1, Replace Machine SSL certificate with Custom Certificate.
- If you also want to replace the solution user certificates, select Option 5, Replace Solution user certificates with Custom Certificate.
- Finally, when multiple vCenter Server instances are connected in Enhanced Linked Mode configuration, repeating the process on each node.
Generate Certificate Signing Requests Using the Certificate Manager (Custom Certificates)
You can use the vSphere Certificate Manager utility to generate Certificate Signing Requests (CSRs) that you can then use with your enterprise CA or send to an external certificate authority. You can use the certificates with the different supported certificate replacement processes.
Prerequisites
vSphere Certificate Manager prompts you for information. The prompts depend on your environment and on the type of certificate you want to replace.
- For any CSR generation, you are prompted for the password of the administrator@vsphere.local user, or for the administrator of the vCenter Single Sign-On domain that you are connecting to.
- You are prompted for the host name or IP address of the vCenter Server.
- To generate a CSR for a machine SSL certificate, you are prompted for certificate properties, which are stored in the certool.cfg file. For most fields, you can accept the default or provide site-specific values. The FQDN of the machine is required.
Note: In vSphere 8.0 and later, if you use the vSphere Certificate Manager to generate the CSR, the minimum key size is changed to 3072 bits from 2048. In vSphere 8.0 Update 1 and later, use the vSphere Client to generate a CSR with a key size of 2048 bits.Note: vSphere's FIPS certificate only validates RSA key sizes of 2048 bits and 3072 bits.
Procedure
What to do next
To perform certificate replacement, see Replace Machine SSL Certificate with Custom Certificate Using the Certificate Manager.
Replace Machine SSL Certificate with Custom Certificate Using the Certificate Manager
You can use the vSphere Certificate Manager utility to replace the machine SSL certificate on each node with a custom certificate. The machine SSL certificate is used by the reverse proxy service on every vCenter Server node. Each machine must have a machine SSL certificate for secure communication with other services.
Prerequisites
Before you start, you need a CSR for each machine in your environment. You can generate the CSR using vSphere Certificate Manager or explicitly.
- To generate the CSR using vSphere Certificate Manager, see Generate Certificate Signing Requests Using the Certificate Manager (Custom Certificates).
- To generate the CSR explicitly, request a certificate for each machine from your third-party or enterprise CA. The certificate must meet the following requirements:
- Key size: 2048 bits (minimum) to 8192 bits (maximum) (PEM encoded)
- CRT format
- x509 version 3
- SubjectAltName must contain DNS Name=<machine_FQDN>.
- Contains the following Key Usages: Digital Signature, Key Encipherment
See also the VMware knowledge base article at https://kb.vmware.com/s/article/2112014, Obtaining vSphere certificates from a Microsoft Certificate Authority.
Procedure
Replace Solution User Certificates with Custom Certificates Using the Certificate Manager
Many companies only require that you replace certificates of services that are accessible externally. However, the vSphere Certificate Manager utility also supports replacing solution user certificates. Solution users are collections of services, for example, all services that are associated with the vSphere Client.
When you are prompted for a solution user certificate, provide the complete signing certificate chain of the third-party CA.
-----BEGIN CERTIFICATE----- Signing certificate -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- CA intermediate certificates -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- Root certificate of enterprise or external CA -----END CERTIFICATE-----
Prerequisites
Before you start, you need a CSR for each machine in your environment. You can generate the CSR using vSphere Certificate Manager or explicitly.
- To generate the CSR using vSphere Certificate Manager, see Generate Certificate Signing Requests Using the Certificate Manager (Custom Certificates).
- Request a certificate for each solution user on each node from your third-party or enterprise CA. You can generate the CSR using vSphere Certificate Manager or prepare it yourself. The CSR must meet the following requirements:
- Key size: 2048 bits (minimum) to 8192 bits (maximum) (PEM encoded)
- CRT format
- x509 version 3
- SubjectAltName must contain DNS Name=<machine_FQDN>.
-
Each solution user certificate must have a different Subject. Consider, for example, including the solution user name (such as vpxd) or other unique identifier.
- Contains the following Key Usages: Digital Signature, Key Encipherment
See also the VMware knowledge base article at http://kb.vmware.com/kb/2112014, Obtaining vSphere certificates from a Microsoft Certificate Authority.