HOWTO: Replace a VMCA certificate via the GUI in vSphere 6.5 with PSC & VCSA

Prerequisites

  • A VMCA SSL Certificate (such as root_signing_cert.cer)
  • An RSA Private Key (such as root_signing_cert.key)

Process Overview

The high-level steps are as follows:

  1. Log into the External Platform Services Controller.
    • Replace the Root Certificate.
  2. Connect to the PSC Appliance.
    • Renew the Machine SSL Certificate.
    • Renew the Solution User Certificate.
  3. Connect to the VCSA Appliance.
    • Renew the Machine SSL Certificate.
    • Renew the Solution User Certificate.
  4. Reboot the Platform Services Controller.

Log into External Platform Services Controller

Navigate to https://psc-appliance.fqdn/psc

Log in using the SSO Administrator account (e.g. administrator@vsphere.local) and password.

Renew the Root Certificate

Click Certificate Authority > Root Certificate.

Click Replace Certificate.

Click Browse and locate the Private Key file and click Open.

Click Browse and locate the VMCA Certificate file and click Open.

Click OK.

Connect to the Platform Services Controller

Click Certificate Management.

Enter the SSO Administrator password and click Submit.

Renew the Machine SSL Certificate

Click the Machine Certificates tab.

Select the __MACHINE_CERT and click Renew.

Click Yes.

Renew the Solution User Certificates

Click the Solution User Certificates tab.

Click Renew All.

Click Yes.

Click Logout.

Connect to the vCenter Server

Enter the vcenter.fqdn into the Server IP/FQDN text box and then enter the password for the SSO Administrator.

Click Submit.

Renew the Machine SSL Certificate

Click the Machine Certificates tab.

Select the __MACHINE_CERT and click Renew.

Click Yes.

Renew the Solution User Certificates

Click the Solution User Certificates tab.

Click Renew All.

Click Yes.

Click Logout.

Reboot the Platform Services Controller

Note: This can be completed in multiple ways but this is the way I did it.

Click Appliance Settings.

Click the VMware Platform Services Appliance link.

Enter username as root and the root password, then click Logon.

Click Reboot.

Click Yes.

There we have it, your VCSA should now be acting as a Subordinate CA using the VMCA solution!
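The GUI in the Replace Certificate step only checks that it can parse the two files; it does not tell you up front whether the key actually belongs to the certificate, whether the certificate is really a CA certificate, or whether it chains to the enterprise root it was issued from. The following preflight script is an added example and is not part of the original post or of VMware's tooling. It assumes the openssl command line tool is on PATH; the file names root_signing_cert.cer and root_signing_cert.key are the post's own examples, and the lab root, sub-CA and leaf that make_test_material builds are constructed locally to stand in for a certificate minted from an ADCS template.

```sh
#!/bin/sh
# Added example (not from the post): preflight checks on the files uploaded in
# the "Renew the Root Certificate" step.  Assumes the openssl CLI is on PATH.
# root_signing_cert.cer / root_signing_cert.key are the post's example names;
# everything produced by make_test_material is constructed locally.

# 0 if the private key in $2 belongs to the certificate in $1 (compares the
# SubjectPublicKeyInfo derived from each side).
vmca_key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    case $cert_pub in *"BEGIN PUBLIC KEY"*) ;; *) return 1 ;; esac
    [ "$cert_pub" = "$key_pub" ]
}

# 0 if the certificate carries basicConstraints CA:TRUE; without it the VMCA
# cannot issue the machine SSL and solution user certificates.
vmca_cert_is_ca() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# 0 if the certificate's notAfter date is still in the future.
vmca_cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# 0 if certificate $1 validates against the issuing CA certificate in $2.
vmca_cert_chains_to() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Run every check the GUI does not do for you before clicking Replace Certificate.
vmca_preflight() {
    cert=$1; key=$2; issuer=$3
    vmca_key_matches_cert "$cert" "$key"  || { echo "FAIL: $key does not match $cert" >&2; return 1; }
    vmca_cert_is_ca "$cert"               || { echo "FAIL: $cert is not a CA certificate" >&2; return 1; }
    vmca_cert_not_expired "$cert"         || { echo "FAIL: $cert has expired" >&2; return 1; }
    vmca_cert_chains_to "$cert" "$issuer" || { echo "FAIL: $cert does not chain to $issuer" >&2; return 1; }
    echo "OK: $cert is a sub-CA issued by $issuer and matches $key"
}

# Constructed test material: a lab root CA, a sub-CA it signed (named like the
# post's files), and a plain server leaf that must NOT pass as a CA.
make_test_material() {
    dir=$1
    mkdir -p "$dir"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\n' > "$dir/leaf.ext"
    openssl req -new -batch -newkey rsa:2048 -nodes -subj '/CN=Lab Root CA' \
        -keyout "$dir/root.key" -out "$dir/root.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 365 \
        -extfile "$dir/ca.ext" -out "$dir/root.cer" >/dev/null 2>&1
    openssl req -new -batch -newkey rsa:2048 -nodes -subj '/CN=VMCA Sub CA' \
        -keyout "$dir/root_signing_cert.key" -out "$dir/sub.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/sub.csr" -CA "$dir/root.cer" -CAkey "$dir/root.key" \
        -CAcreateserial -days 365 -extfile "$dir/ca.ext" \
        -out "$dir/root_signing_cert.cer" >/dev/null 2>&1
    openssl req -new -batch -newkey rsa:2048 -nodes -subj '/CN=vcenter.lab.test' \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/root.cer" -CAkey "$dir/root.key" \
        -CAcreateserial -days 365 -extfile "$dir/leaf.ext" -out "$dir/leaf.cer" >/dev/null 2>&1
}

# Usage: sh vmca_preflight.sh root_signing_cert.cer root_signing_cert.key enterprise_root.cer
if [ $# -eq 3 ]; then
    vmca_preflight "$1" "$2" "$3"
fi
```

Run it with the sub-CA certificate, its key and the enterprise root certificate (exported from the issuing CA) before uploading anything; a failed key match or a missing CA:TRUE is the usual reason the renewals in the later steps fail or leave the appliance presenting the old certificate.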

18 Comments

  1. Hi Abraham,

    I haven’t had the opportunity to try it on embedded deployment, but you should have to do just step 1 and step 2 on the VCSA instead of the dedicated PSC and then in step 4 reboot the VCSA rather than the PSC.

    Just be sure to snapshot the appliance first!

    Chris

  2. It's a nice post, you made things very easy and understandable. Do we have to use the same certificate and key in the case of multiple external Platform Services Controllers in 6.5? If not, what would be the steps for applying an external CA signed cert in multiple Platform Services Controllers?

  3. Vitthal,

    Does the VMCA Sub-CA Certificate need to use a custom template when generating the certificate from the Microsoft ADCS web portal, or will the pre-defined “Subordinate Certificate Authority” certificate template suffice?

  4. Hello,
    I have replaced all the certs, but how do you update the web cert on the PSC over on the site using port 5480? This is the only cert still using the old default CA provisioned cert. The other site using https://address/psc has been updated. The only one that hasn’t is the site using port 5480. I have rebooted the PSC after replacing the certs. Thanks in advance!

    1. Hi Dustin,

      You are talking about the VAMI (:5480) certificate which (in v6.5), according to the /opt/vmware/etc/lighttpd/lighttpd.conf file, is using the PEM certificate located at /etc/applmgmt/appliance/server.pem. You could either check that the /etc/applmgmt/appliance/server.pem file has been updated with the CA certificate OR you could repoint the lighttpd.conf file to a new PEM encoded certificate by replacing/updating the ssl.pemfile = "/etc/applmgmt/appliance/server.pem" line in the lighttpd.conf file.

      Interestingly, the /opt/vmware/etc/lighttpd/lighttpd.orig.conf file actually points it to the /opt/vmware/etc/lighttpd/server.pem file. A PEM file is basically the leaf, RSA key and certificate chain combined in a single file.

      If you do change the file location then you will need to run "service vami-lighttpd restart" from an SSH session to restart the service.

      MAJOR CAVEAT – I’m unsure about the support status of changing the :5480 certificate in this way.

      Chris

      1. Is there a better way? I’m looking to port-forward a small lab vSphere, but I want to purchase a Comodo certificate and apply it to everything that moves, especially the web certificate.

        1. Hi,

          It depends on what you mean by better! Depending on the security requirements of a production environment, it is actually recommended to have a hybrid approach. In this configuration, the VMware CA uses its default certificate (and gives out those certificates to ESXi) but you replace the web-client certificate with a trusted certificate. The VMCA certificate is a sub-CA certificate so is not a “normal” web SSL certificate. For the web certificate, if you are buying rather than minting your own certificate from a Windows CA, then you could use a wildcard but this is NOT officially supported by VMware.

          See https://kb.vmware.com/s/article/2111219 for more information.

          Chris

      2. The KB to fix this issue is in:
        https://kb.vmware.com/s/article/2136693

        I’ve verified that KB works in 6.5 on my External PSC.
        In 6.5, that KB only mentions manually configuring the "ssl.ca-file" parameter. I was wondering about the rest of the SSL files, but it appears that when vami-lighttpd is restarted, the rest of the files, such as server.pem, are automatically reconfigured.

  5. Hello Christopher,

    I am trying to change my vCenter CA to an authority generated with XCA and not AD, because I don’t have an AD in my lab.
    All goes well until the last reboot: all services are running, but the Update Manager plugin isn’t available anymore. I tried many times, updating the RootCert.pem file, and I also tried to refresh the certs using /lib/vmware-updatemgr/bin/updatemgr-util refresh-certs. This last command returns no errors and the certificate files are updated, but the plugin isn’t available.

    Do you have any ideas on what can cause the issue?

  6. I’m using VCSA 6.5u1e. I tried to do the replacement through the GUI, and I’ve also tried through the CLI.
    I had the same behaviour with the CLI: all services were correctly updated, but not the Update Manager. So the script did the automatic rollback.
