Replace vCSA 6.5u1 certificate by an ADCS signed certificate

If you are using vCSA 6.x, maybe you want to replace the self-signed certificate by a certificate signed with your enterprise to avoid security alert in browser. Active Directory Certificate Services is an enterprise PKI and in this topic, I’ll show you how to replace vCSA 6.5u1 certificate by a custom certificate.

By replacing the certificate, your browser will not warn you anymore because of untrusty certificate and you get stronger security.

Requirements

To follow this topic, you need a working PKI based on AD CS. The root and intermediate certificates must be distributed on your computer. You need also a working vCSA 6.5u1 with SSH and bash enabled.

Generate a certificate request

First of all, connect to the vCSA by using SSH and launch the bash by typing Shell. Then run /usr/lib/vmware-vmca/bin/certificate-manager. On the first prompt, choose option 1.

Enter administrator credentials and choose again the number 1.

Then specify the following options:

  • Output directory path: path where will be generated the private key and the request
  • Country: your country in two letters
  • Name: The FQDN of your vCSA
  • Organization: an organization name
  • OrgUnit: type the name of your unit
  • State: country name
  • Locality: your city
  • IPAddess: provide the vCSA IP address
  • Email: provide your E-mail address
  • Hostname: the FQDN of your vCSA
  • VMCA Name: the FQDN where is located your VMCA. Usually the vCSA FQDN

Once the private key and the request is generated, type the following command in order to connect with WinSCP to your vCSA.

Download WinSCP from this location and install it. Configure the connection as the following:

Once connected to your vCSA, download the vmca_issued_csr.csr file.

Sign the request with ADCS

Open the certification authority console and right click on the name of your CA. Select All Tasks | Submit new request…. Then select the CSR file you have downloaded from vCSA.

Then navigate to pending request and right click on the request. Select All TasksIssue.

Now navigate to issued certificate and double click on the certificate you just issued. Then navigate to DetailsCopy to file.

Export the certificate in Base-64 encoeded X.509 format.

With WinSCP, copy the signed certificate and the CA certificate to the vCSA.

N.B: If your PKI is based on a multi-tier (Root CA and Sub Cas), you need to concatenate each CA certificate of the certification chain in a .PEM file.

Replace vCSA 6.5u1 certificate

Run again /usr/lib/vmware-vmca/bin/certificate-manager and select option 1. Specify administrator credentials and this time select option 2.

Then specify the signed certificate, the private key and the CA certificate (or a concatenated PEM file with all CA certificates, in case of multi-tier PKI).

If the certificate is good, you should see that each service is updated. When all service is updated, the vCSA restart.

N.B: I have seen in production that the certificate replacement doesn’t work because of plugin. In this case, you’ll see which service make the issue. Disable the plugin and try again.

Once vCSA has restarted, connect to the Web Service by using a Browser. You should see your custom certificate as below:

About Romain Serre

Romain Serre works in Lyon as a Senior Consultant. He is focused on Microsoft Technology, especially on Hyper-V, System Center, Storage, networking and Cloud OS technology as Microsoft Azure or Azure Stack. He is a MVP and he is certified Microsoft Certified Solution Expert (MCSE Server Infrastructure & Private Cloud), on Hyper-V and on Microsoft Azure (Implementing a Microsoft Azure Solution).

16 comments

  1. Hi! It’s cool guide, but after vcsa has been restarted in my browser I see error. Certificate is not trusted. I used a vsca name rn-vcsa.vmware.firma.com. What am I doing wrong ?

  2. Perfect! Thank you for this step-by-step guide )))

  3. Hi,

    I’ve just found the solution here: https://kb.vmware.com/s/article/2136693

    Kind regards!

  4. Does the certificate require having the short name as a SAN? i.e. vcsa.domain.local with SAN of vcsa?

  5. Can you do the same with CA local? because from my AD the CA console doesn´t recognize the CSR file, just .req, .txt, .cmc .der not .csr as request file 🙁

  6. The request does not contain a certificate template extension or the certificate template request attribute …. what about that error when trying to submit

  7. Grigori Solonovitch

    It works only using this 3 files with VCSA 6.5 Update 3:

    signed VCSA certificate file vcsa_issued_csr_cer
    +
    private VCSA key file vcsa_issued_key.key
    +
    concatenated intermediate + root PEM file (copy/paste in vi editor) file vcsa_issued_con.pem

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

x

Check Also

Step-by-step: Migrate Windows vCenter server to vCSA 6.5u1

Last week I wrote a topic about how to upgrade an old VMware vCenter Server ...

Step-by-Step: Upgrade VMware vCenter Server Appliance 5.5 to 6.5u1

With the release of VMware 6.5(u1), lot of customers upgrade or migrate their vCenter to ...

Authenticate to vCenter from Active Directory credentials

By default, when you install vCenter, a SSO domain is deployed. When you authenticate on ...