You can use the vSphere Certificate Manager utility to replace all certificates with custom certificates. Before you start the process, you must send CSRs to your certificate authority (CA). You can use Certificate Manager to generate the CSRs.

One option is to replace only the machine SSL certificate, and to use the solution user certificates that are provisioned by VMCA. Solution user certificates are used only for communication between vSphere components.

When you use custom certificates, you replace the VMCA-signed certificates with custom certificates. You can use the vSphere Client, the vSphere Certificate Manager utility, or CLIs for manual certificate replacement. Certificates are stored in VECS.

To replace all certificates with custom certificates, you must run the vSphere Certificate Manager utility several times. The high-level steps for replacing both machine SSL certificates and solution user certificates include:

  1. Launching the vSphere Certificate Manager utility.
  2. Generating certificate signing requests for the machine SSL certificate and the solution user certificates separately on each machine.
    1. To generate CSRs for the machine SSL certificate, select Option 1, Replace Machine SSL certificate with Custom Certificate. When prompted for an option again, select Option 1, Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate.
    2. If company policy does not allow a hybrid deployment, select Option 5, Replace Solution user certificates with Custom Certificate.
  3. Submitting the CSR to your external or enterprise CA. You receive a signed certificate and a root certificate from the CA.
  4. After receiving the signed certificates and the root certificate from your CA, replacing the machine SSL certificate on each machine by using Option 1, Replace Machine SSL certificate with Custom Certificate.
  5. If you also want to replace the solution user certificates, select Option 5, Replace Solution user certificates with Custom Certificate.
  6. Finally, when multiple vCenter Server instances are connected in Enhanced Linked Mode configuration, repeating the process on each node.

Generate Certificate Signing Requests Using the Certificate Manager (Custom Certificates)

You can use the vSphere Certificate Manager utility to generate Certificate Signing Requests (CSRs) that you can then use with your enterprise CA or send to an external certificate authority. You can use the certificates with the different supported certificate replacement processes.

Prerequisites

vSphere Certificate Manager prompts you for information. The prompts depend on your environment and on the type of certificate you want to replace.

  • For any CSR generation, you are prompted for the password of the administrator@vsphere.local user, or for the administrator of the vCenter Single Sign-On domain that you are connecting to.
  • You are prompted for the host name or IP address of the vCenter Server.
  • To generate a CSR for a machine SSL certificate, you are prompted for certificate properties, which are stored in the certool.cfg file. For most fields, you can accept the default or provide site-specific values. The FQDN of the machine is required.
    Note: In vSphere 8.0 and later, if you use the vSphere Certificate Manager to generate the CSR, the minimum key size is changed to 3072 bits from 2048. In vSphere 8.0 Update 1 and later, use the vSphere Client to generate a CSR with a key size of 2048 bits.
    Note: vSphere's FIPS certificate only validates RSA key sizes of 2048 bits and 3072 bits.

Procedure

  1. Log in to each vCenter Server (the vCenter Server shell) in your environment and start the vSphere Certificate Manager.
    /usr/lib/vmware-vmca/bin/certificate-manager
  2. Selection Option 1, Replace Machine SSL certificate with Custom Certificate.
  3. Enter the administrator user and password.
  4. Select Option 1, Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate, to generate the CSR, answer the prompts and exit vSphere Certificate Manager.
    As part of the process, you have to provide a directory. vSphere Certificate Manager places the certificate and key files in the directory.
  5. If you also want to replace all solution user certificates, restart vSphere Certificate Manager and selection Option 5, Replace Solution user certificates with Custom Certificate.
  6. Supply the password and the vCenter Server IP address or host name if prompted.
  7. Select Option 1, Generate Certificate Signing Request(s) and Key(s) for Solution User Certificates, to generate the CSRs, answer the prompts and exit vSphere Certificate Manager.
    As part of the process, you have to provide a directory. Certificate Manager places the certificate and key files in the directory.

What to do next

To perform certificate replacement, see Replace Machine SSL Certificate with Custom Certificate Using the Certificate Manager.

Replace Machine SSL Certificate with Custom Certificate Using the Certificate Manager

You can use the vSphere Certificate Manager utility to replace the machine SSL certificate on each node with a custom certificate. The machine SSL certificate is used by the reverse proxy service on every vCenter Server node. Each machine must have a machine SSL certificate for secure communication with other services.

Prerequisites

Before you start, you need a CSR for each machine in your environment. You can generate the CSR using vSphere Certificate Manager or explicitly.

  1. To generate the CSR using vSphere Certificate Manager, see Generate Certificate Signing Requests Using the Certificate Manager (Custom Certificates).
  2. To generate the CSR explicitly, request a certificate for each machine from your third-party or enterprise CA. The certificate must meet the following requirements:
    • Key size: 2048 bits (minimum) to 8192 bits (maximum) (PEM encoded)
    • CRT format
    • x509 version 3
    • SubjectAltName must contain DNS Name=<machine_FQDN>.
    • Contains the following Key Usages: Digital Signature, Key Encipherment

See also the VMware knowledge base article at https://kb.vmware.com/s/article/2112014, Obtaining vSphere certificates from a Microsoft Certificate Authority.

Procedure

  1. Log in to vCenter Server and start the vSphere Certificate Manager.
    /usr/lib/vmware-vmca/bin/certificate-manager
  2. Selection Option 1, Replace Machine SSL certificate with Custom Certificate.
  3. Enter the administrator user and password.
  4. Select Option 2, Import custom certificate(s) and key(s) to replace existing Machine SSL certificate, to start certificate replacement and respond to the prompts.
    vSphere Certificate Manager prompts you for the following information:
    • Password for administrator@vsphere.local
    • Valid Machine SSL custom certificate (.crt file)
    • Valid Machine SSL custom key (.key file)
    • Valid signing certificate for the custom machine SSL certificate (.crt file)
    • IP address of the vCenter Server

Replace Solution User Certificates with Custom Certificates Using the Certificate Manager

Many companies only require that you replace certificates of services that are accessible externally. However, the vSphere Certificate Manager utility also supports replacing solution user certificates. Solution users are collections of services, for example, all services that are associated with the vSphere Client.

When you are prompted for a solution user certificate, provide the complete signing certificate chain of the third-party CA.

The format looks similar to the following.
-----BEGIN CERTIFICATE-----
Signing certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
CA intermediate certificates
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Root certificate of enterprise or external CA
-----END CERTIFICATE-----

Prerequisites

Before you start, you need a CSR for each machine in your environment. You can generate the CSR using vSphere Certificate Manager or explicitly.

  1. To generate the CSR using vSphere Certificate Manager, see Generate Certificate Signing Requests Using the Certificate Manager (Custom Certificates).
  2. Request a certificate for each solution user on each node from your third-party or enterprise CA. You can generate the CSR using vSphere Certificate Manager or prepare it yourself. The CSR must meet the following requirements:
    • Key size: 2048 bits (minimum) to 8192 bits (maximum) (PEM encoded)
    • CRT format
    • x509 version 3
    • SubjectAltName must contain DNS Name=<machine_FQDN>.
    • Each solution user certificate must have a different Subject. Consider, for example, including the solution user name (such as vpxd) or other unique identifier.

    • Contains the following Key Usages: Digital Signature, Key Encipherment

See also the VMware knowledge base article at http://kb.vmware.com/kb/2112014, Obtaining vSphere certificates from a Microsoft Certificate Authority.

Procedure

  1. Log in to vCenter Server and start the vSphere Certificate Manager.
    /usr/lib/vmware-vmca/bin/certificate-manager
  2. Select Option 5, Replace Solution user certificates with Custom Certificate.
  3. Enter the SSO user and password.
  4. Select Option 2, Import custom certificate(s) and key(s) to replace existing Solution User Certificates, and respond to the prompts.
    vSphere Certificate Manager prompts you for the following information:
    • Password for administrator@vsphere.local
    • Certificate and key for machine solution user
    • The certificate and key (vpxd.crt and vpxd.key) for the machine solution user
    • The full set of certificates and keys (vpxd.crt and vpxd.key) for all solution users