VMWare vSphere: Install a custom a certificate in VCSA Appliance

Hi,

for a higher security level it is recommended to install own (trusted) certificates in to VMware’s vCenter VCSA appliance.

Prepare your certificates. In parentheses the filenames I use for this example. You need:

  • The key and the corresponding certificate in pem (Base64) format (vcenter.key, vcenter.pem)
  • The whole certificate chain:
    • The root certificate in pem (Base64) in format (root.pem)
    • And if the host certificate is signed by a intermediate CA also these one in pem (Base64) format (intermediate.pem)

Copy all files to your vCenter appliance to the root’s home /root/tls. You can use sftp. Note: The sftp server is not start by default. This post describe how to copy files to the appliance.

First of all create a snapshot of the vCenters VM so that you can, in case of trouble, go back. Also make a note on which Host the vCenter runs.

Establish an ssh connection. If copied, perpare the files. Check if all certificates are in PEM format. This can be recognized by

Command> shell
Shell access is granted to root
root@vCenter /root/tls # cat *.pem
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Then copy the root and the intermediate certificate into one file trustchain.pem

root@vCenter /root/tls # cat intermediate.pem > trustchain.pem
root@vCenter /root/tls # cat root.pem >> trustchain.pem

You can check if key, certificate and trustchain “fits” together. The VCSA import script does this too.

root@vCenter /root/tls # openssl verify -CAfile trustchain.pem vcenter.pem
vcenter.pem: OK

Check if the key belongs to the certificate. The md5 hash must be match (make make note the md5 hash for the check after installing the certificate):

root@vCenter /root/tls # openssl x509 -noout -modulus -in vcenter.pem | md5sum
ce679643a66e7cfebafc8f3cf2846d11  -
root@vCenter /root/tls # openssl rsa -noout -modulus -in vcenter.key| md5sum
ce679643a66e7cfebafc8f3cf2846d11  -

Run the lsdoctor tool to recognized some previous certifcate issues. An typical error is

root@vCenter [ ~/lsdoctor-master ]# python lsdoctor.py -l

    ATTENTION:  You are running a reporting function.  This doesn't make any changes to your environment.
    You can find the report and logs here: /var/log/vmware/lsdoctor

2021-12-12T10:29:26 INFO main: You are reporting on problems found across the SSO domain in the lookup service.  This doesn't make changes.
2021-12-12T10:29:27 INFO live_checkCerts: Checking services for trust mismatches...
2021-12-12T10:29:27 INFO generateReport: Listing lookup service problems found in SSO domain
2021-12-12T10:29:27 ERROR generateReport: site\vCenter.myDomain.org (Update Manager) found SSL Trust Mismatch: Please run python ls_doctor.py --trustfix option on this node.

Is such errors occures, run lsdoctor wih the trustfix switch

root@vCenter [ ~/lsdoctor-master ]# python lsdoctor.py --trustfix
2021-12-12T10:32:33 INFO findAndFix: Attempting to reregister ec039d94-9443-416d-a002-fc9e8a8fb96d for vCenter.myDomain.org
2021-12-12T10:32:34 INFO findAndFix: We found 45 mismatch(s) and fixed them :)
2021-12-12T10:32:34 INFO main: Please restart services on all PSC's and VC's when you're done.

Then install the certificate. You need the Administrator@vsphere.local user’s password.
Choose Option 1 in the next menu choose option 2

root@vCenter /usr/lib/vmware-vmca/bin/certificate-manager
...
1. Replace Machine SSL certificate with Custom Certificate
Enter username [Administrator@vsphere.local]:
...
2. Import custom certificate(s) and key(s) to replace existing Machine SSL certificate
Please provide valid custom certificate for Machine SSL.
File : /root/tls/vcenter.pem

Please provide valid custom key for Machine SSL.
File : /root/tls/vcenter.key

Please provide the signing certificate of the Machine SSL certificate
File : /root/tls/trustchain.pem
You are going to replace Machine SSL cert using custom cert
Continue operation : Option[Y/N] ? :y

This may take a while…

Check if the new certificate is in place

root@vCenter /root/tls # openssl s_client -host vCenter.myDomain.org -port 443 2> /dev/null | openssl x509 -noout -modulus | md5sum
ce679643a66e7cfebafc8f3cf2846d11  -

Michael

One thought on “VMWare vSphere: Install a custom a certificate in VCSA Appliance”

  1. When trying this, and the web-UI way of setting the certificate I can not get vcenter to present the full chain. Only the first certificate in trustchain.pem is being presented when connecting.
    So if I upload the correct way:

    ——
    Intermediate
    Root
    ——

    Only the intermediate is presented.

    Is there any way to fix this?

Leave a Reply