Replace vCSA 6.5u1 certificate by an ADCS signed certificate

If you are using vCSA 6.x, maybe you want to replace the self-signed certificate by a certificate signed with your enterprise to avoid security alert in browser. Active Directory Certificate Services is an enterprise PKI and in this topic, I’ll show you how to replace vCSA 6.5u1 certificate by a custom certificate.

By replacing the certificate, your browser will not warn you anymore because of untrusty certificate and you get stronger security.

Requirements

To follow this topic, you need a working PKI based on AD CS. The root and intermediate certificates must be distributed on your computer. You need also a working vCSA 6.5u1 with SSH and bash enabled.

Generate a certificate request

First of all, connect to the vCSA by using SSH and launch the bash by typing Shell. Then run /usr/lib/vmware-vmca/bin/certificate-manager. On the first prompt, choose option 1.

Enter administrator credentials and choose again the number 1.

Then specify the following options:

  • Output directory path: path where will be generated the private key and the request
  • Country: your country in two letters
  • Name: The FQDN of your vCSA
  • Organization: an organization name
  • OrgUnit: type the name of your unit
  • State: country name
  • Locality: your city
  • IPAddess: provide the vCSA IP address
  • Email: provide your E-mail address
  • Hostname: the FQDN of your vCSA
  • VMCA Name: the FQDN where is located your VMCA. Usually the vCSA FQDN

Once the private key and the request is generated, type the following command in order to connect with WinSCP to your vCSA.

Download WinSCP from this location and install it. Configure the connection as the following:

Once connected to your vCSA, download the vmca_issued_csr.csr file.

Sign the request with ADCS

Open the certification authority console and right click on the name of your CA. Select All Tasks | Submit new request…. Then select the CSR file you have downloaded from vCSA.

Then navigate to pending request and right click on the request. Select All TasksIssue.

Now navigate to issued certificate and double click on the certificate you just issued. Then navigate to DetailsCopy to file.

Export the certificate in Base-64 encoeded X.509 format.

With WinSCP, copy the signed certificate and the CA certificate to the vCSA.

N.B: If your PKI is based on a multi-tier (Root CA and Sub Cas), you need to concatenate each CA certificate of the certification chain in a .PEM file.

Replace vCSA 6.5u1 certificate

Run again /usr/lib/vmware-vmca/bin/certificate-manager and select option 1. Specify administrator credentials and this time select option 2.

Then specify the signed certificate, the private key and the CA certificate (or a concatenated PEM file with all CA certificates, in case of multi-tier PKI).

If the certificate is good, you should see that each service is updated. When all service is updated, the vCSA restart.

N.B: I have seen in production that the certificate replacement doesn’t work because of plugin. In this case, you’ll see which service make the issue. Disable the plugin and try again.

Once vCSA has restarted, connect to the Web Service by using a Browser. You should see your custom certificate as below:

About Romain Serre

Romain Serre works in Lyon as a Senior Consultant. He is focused on Microsoft Technology, especially on Hyper-V, System Center, Storage, networking and Cloud OS technology as Microsoft Azure or Azure Stack. He is a MVP and he is certified Microsoft Certified Solution Expert (MCSE Server Infrastructure & Private Cloud), on Hyper-V and on Microsoft Azure (Implementing a Microsoft Azure Solution).

Leave a Reply

x

Check Also

Authenticate to vCenter from Active Directory credentials

By default, when you install vCenter, a SSO domain is deployed. When you authenticate on ...

Connect vSphere 6.5 to iSCSI storage NAS

When you implement ESXi cluster, you need also a shared storage to store the virtual ...

Deploy a converged network with vSphere 6.5

With the increased network card rates, we are now able to let several flows pass ...