If you are using vCSA 6.x, you may want to replace the self-signed certificate with a certificate signed by your enterprise PKI, so that browsers stop raising security alerts. Active Directory Certificate Services (AD CS) is an enterprise PKI, and in this topic I'll show you how to replace the vCSA 6.5u1 certificate with a custom certificate.
By replacing the certificate, your browser will no longer warn you about an untrusted certificate, and you get stronger security because every client that trusts your enterprise CA can now verify the identity of the vCSA.
To follow this topic, you need a working PKI based on AD CS. The root and intermediate CA certificates must be distributed to your computer. You also need a working vCSA 6.5u1 with SSH and the bash shell enabled.
Generate a certificate request
First of all, connect to the vCSA using SSH and launch bash by typing shell. Then run /usr/lib/vmware-vmca/bin/certificate-manager. At the first prompt, choose option 1.
Enter the administrator credentials and choose option 1 again.
Then specify the following options:
- Output directory path: the directory where the private key and the request will be generated
- Country: your country as a two-letter code
- Name: the FQDN of your vCSA
- Organization: an organization name
- OrgUnit: the name of your unit
- State: country name
- Locality: your city
- IPAddress: the vCSA IP address
- Email: your e-mail address
- Hostname: the FQDN of your vCSA
- VMCA Name: the FQDN of the host where your VMCA is located, usually the vCSA FQDN
Once the private key and the request are generated, type the following command so that you can connect to your vCSA with WinSCP.
Download WinSCP from this location and install it. Configure the connection as follows:
Once connected to your vCSA, download the vmca_issued_csr.csr file.
Sign the request with ADCS
Open the Certification Authority console and right-click the name of your CA. Select All Tasks | Submit new request…, then select the CSR file you downloaded from the vCSA.
Then navigate to Pending Requests, right-click the request and select All Tasks | Issue.
Now navigate to Issued Certificates and double-click the certificate you just issued. Then go to Details | Copy to File.
Export the certificate in Base-64 encoded X.509 format.
With WinSCP, copy the signed certificate and the CA certificate to the vCSA.
N.B.: If your PKI is multi-tier (Root CA and Sub CAs), you need to concatenate each CA certificate of the certification chain into a single .PEM file.
Replace vCSA 6.5u1 certificate
Run /usr/lib/vmware-vmca/bin/certificate-manager again and select option 1. Specify the administrator credentials and this time select option 2.
Then specify the signed certificate, the private key and the CA certificate (or, for a multi-tier PKI, the concatenated PEM file with all CA certificates).
If the certificate is valid, you should see each service being updated. When all services are updated, the vCSA restarts.
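Before handing these three files to certificate-manager, it is worth checking them in the vCSA shell, because a replacement that fails half-way leaves services in a mixed state. The script below is an added example and not part of the original post or of VMware's tooling. It builds the concatenated chain file from the N.B. above (intermediate first, root last, with the CRLF line endings of Windows-exported Base-64 .cer files stripped), checks that the signed certificate's public key matches the private key written by option 1, and verifies that the certificate chains up to the root through that file. It assumes openssl is on PATH; the make_demo_pki function constructs a throw-away three-tier PKI so the checks can be run offline, and the file names it uses (root.cer, sub.cer, vcsa.cer, vcsa.key) are its own, not names from the post or from certificate-manager.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for the files
# given to certificate-manager option 2. Assumes openssl is on PATH.

# Build the CA chain file: pass the CA certificates intermediate(s) first, root
# last. CRLF line endings from Windows exports are removed. Echoes the number
# of CERTIFICATE blocks written so the caller can confirm every tier is there.
build_chain() {
    out="$1"; shift
    : > "$out"
    for ca in "$@"; do
        tr -d '\r' < "$ca" >> "$out"
        printf '\n' >> "$out"
    done
    grep -c 'BEGIN CERTIFICATE' "$out"
}

# Echo "ok" when the public key in the signed certificate equals the public
# key derived from the private key (a mismatch means the CSR was regenerated
# after signing, or the wrong key file was copied). Non-parsable input
# returns a non-zero status.
cert_matches_key() {
    cert_pub=$(tr -d '\r' < "$1" | openssl x509 -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    if [ "$cert_pub" = "$key_pub" ]; then echo ok; else echo mismatch; fi
}

# Echo "ok" when the certificate validates against the chain file, "fail"
# otherwise (for example when an intermediate CA was left out of the chain).
chain_verifies() {
    if tr -d '\r' < "$1" | openssl verify -CAfile "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Constructed demo PKI (root -> sub CA -> vCSA leaf) so the checks above can
# be exercised without a real AD CS. All names here are made up.
make_demo_pki() {
    d="$1"; mkdir -p "$d"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
        -keyout "$d/root.key" -out "$d/root.cer" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Sub CA" \
        -keyout "$d/sub.key" -out "$d/sub.csr" >/dev/null 2>&1
    openssl x509 -req -days 2 -in "$d/sub.csr" -CA "$d/root.cer" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -out "$d/sub.cer" >/dev/null 2>&1
    # stands in for certificate-manager option 1: a key plus vmca_issued_csr.csr
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=vcsa.example.invalid" \
        -keyout "$d/vcsa.key" -out "$d/vmca_issued_csr.csr" >/dev/null 2>&1
    openssl x509 -req -days 2 -in "$d/vmca_issued_csr.csr" -CA "$d/sub.cer" \
        -CAkey "$d/sub.key" -CAcreateserial -out "$d/vcsa.cer" >/dev/null 2>&1
    # mimic a Windows Base-64 export: CRLF line endings on every .cer file
    for f in "$d/root.cer" "$d/sub.cer" "$d/vcsa.cer"; do
        awk '{ printf "%s\r\n", $0 }' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
}

# Usage on a real vCSA (after copying the files with WinSCP):
#   build_chain chain.pem SubCA.cer RootCA.cer
#   cert_matches_key vcsa.cer <key file written by certificate-manager option 1>
#   chain_verifies vcsa.cer chain.pem
```

If chain_verifies prints "fail" while cert_matches_key prints "ok", the chain file is the problem: check that every intermediate is present and in issuing order, and that each file really contains a Base-64 certificate rather than a DER export.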
N.B.: I have seen in production that the certificate replacement doesn't work because of a plugin. In this case, you'll see which service causes the issue. Disable the plugin and try again.
Once the vCSA has restarted, connect to the Web Service using a browser. You should see your custom certificate as below: