Configure VMware 3rd party certs.

How to configure 3rd party certs on the VMware Server Appliance.

  1. SSH to VCSA as root and create a directory in the home folder.

    mkdir ~/certs
    
    # run the following.
    /usr/lib/vmware-vmca/bin/certificate-manager
    
  2. Select option 1 “Replace Machine SSL certificate with Custom Certificate” and enter the admin account/password.

  3. On the next menu select option 1 “Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate”. If this is the first time generating the CSR, select Yes when it asks if you want to reconfigure.

    • Enter proper value for ‘Country’: Country where cert will be issued
    • Enter proper value for ‘Name’: the fqdn of your vcenter server appliance
    • Enter proper value for ‘Organization’: Organization for the certificate
    • Enter proper value for ‘OrgUnit’: Organization Unit
    • Enter proper value for ‘State’: State where the cert is issued
    • Enter proper value for ‘Locality’: city or whatnot
    • Enter proper value for ‘IPAddress’: ip address(s) for appliance
    • Enter proper value for ‘Email’: email address for cert
    • Enter proper value for ‘Hostname’: fqdn of the server
    • Enter proper value for VMCA ‘Name’: can just use fqdn here

    Once complete, this will generate two files (vmca_issued_csr.csr and vmca_issued_key.key).

  4. Use the CSR generated in the previous step to obtain a 3rd party certificate.

  5. Run /usr/lib/vmware-vmca/bin/certificate-manager from the VCSA and select option 1 “Replace Machine SSL certificate with Custom Certificate”.

  6. Select option 2 “Import custom certificate(s) to replace existing Machine SSL certificate”.

    • The first prompt (“Please provide valid custom certificate for Machine SSL”) will ask you for a valid custom Machine SSL certificate. The file starts with the signed certificate, followed by any intermediate certificates, with the root at the end.

      -----BEGIN CERTIFICATE-----
      Signed VMCA root certificate
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      CA intermediate certificates
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      Root certificate of enterprise or external CA
      -----END CERTIFICATE-----
      
    • The next prompt will ask you for the custom key. This is the key that was generated in step three. Please provide valid custom certificate for Machine SSL. The name is vmca_issued_key.key.

    • The final prompt reads “Please provide the signing certificate of the Machine SSL certificate”. You will need to find the root certificate that is issued by the CA.

  7. It will take a little while to run and update all the different locations of the cert. Next, check your browser for a valid certificate.
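
Before the import in step 6, the bundle order and the key pairing can be checked with openssl. This is an added example, not part of the original procedure or of VMware's tooling; the function names are hypothetical and the file paths you pass in are your own.

```bash
#!/usr/bin/env bash
# Added example, not VMware tooling. Function names are hypothetical.

# dn subject|issuer FILE: print that DN of the first certificate in FILE.
dn() {
    openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 2>/dev/null |
        sed 's/^[a-z]*= *//'
}

# split_chain BUNDLE DIR: write DIR/cert-1.pem, cert-2.pem, ...; print the count.
split_chain() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n { print > (dir "/cert-" n ".pem") }
        END { print n + 0 }' "$1"
}

# chain_order_ok BUNDLE: succeed only if each certificate is issued by the one
# after it and the last one is self-signed (leaf, intermediates, root).
# Compares names only; it does not verify signatures or validity dates.
chain_order_ok() (
    tmp=$(mktemp -d) || exit 1
    trap 'rm -rf "$tmp"' EXIT
    n=$(split_chain "$1" "$tmp")
    [ "$n" -ge 2 ] || exit 1
    i=1
    while [ "$i" -le "$n" ]; do
        next=$((i < n ? i + 1 : n))      # the root is compared with itself
        issuer=$(dn issuer "$tmp/cert-$i.pem")
        [ -n "$issuer" ] || exit 1
        [ "$issuer" = "$(dn subject "$tmp/cert-$next.pem")" ] || exit 1
        i=$((i + 1))
    done
)

# key_matches_cert KEY BUNDLE: succeed only if KEY is the private key for the
# first certificate in BUNDLE (the Machine SSL certificate).
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$key_pub" = "$cert_pub" ]
}
```

After sourcing the file, run `chain_order_ok <bundle> && key_matches_cert <path to vmca_issued_key.key> <bundle>`; a non-zero exit status means the bundle is out of order or the key does not belong to the first certificate.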