Today I will walk through replacing the SSL certificates on a vSphere 6.5 PSC appliance. This includes replacing the Machine Certificates, Solution User Certificates and the Trusted Root Certificates. It is the same process used for certificate replacement from vSphere 6.0 U2 onwards. All certificates will be issued from a Microsoft Certificate Authority. The advantage of doing this is that any subsequent component, such as a vCenter Server Appliance or an ESXi host, will automatically be issued a certificate from the PSC, as its VMCA will be acting as a subordinate certificate authority.
Before we begin, let's take a look at the default certificates that are installed with the PSC. You can log in by opening the webpage https://psc_ip_or_hostname/psc. Use the SSO credentials for your vSphere.local domain to log in. Note the time stamps, as these will change once the certificates are replaced.
Solution User Certificates:
Trusted Root Certificates:
There is the option to click on More Options for each of these certificates to see their issuing path.
Let’s continue with the certificate replacement.
Step 1 – Generating the Certificate Signing Request (CSR)
Use a tool such as PuTTY to connect to the PSC over SSH and log in as root.
Type shell to grant shell access to root.
Now change the shell to bash with the command chsh -s /bin/bash root and then change directory to /usr/lib/vmware-vmca/bin.
Next, run the command ./certificate-manager to bring up the screen as below.
We are going to replace the root certificate with a custom signing certificate and replace all certificates. Select option 2 for this. Note that this also encompasses option 3, replacing the Machine SSL certificate. Note that in the screenshot below I have also agreed to the option, entered my SSO credentials and started the process of configuring MACHINE_SSL_CERT.cfg, which will be used to generate the CSR later on. More info here in this VMware KB LINK
Fill in template as appropriate to your organisation
Remember at the beginning of this article we took a look at the 4 default certificates? There is a config file for each. Here are the next 3.
Follow these steps as below
At this point, some files will have been created in the /tmp/ path specified above. Leave the putty session open but do not continue. We will come back to this later.
Step 2 – Generating the certificates
For the next step you will need a tool such as WinSCP to log onto the PSC and grab the files that have just been generated and placed in the /tmp/ directory.
Log into the PSC.
Change to the /tmp/ directory and grab the vmca_issued_csr.csr and vmca_issued_key.key files. Copy them to a local destination of your choice.
Now open the vmca_issued_csr.csr file in your favourite text editor and copy the contents. This will be used to generate the new certificate from the Microsoft Certificate Authority.
Note, the following steps assume you already have a Microsoft Certificate Authority infrastructure in place and appropriate certificate templates.
Log into certificate authority and click Request a Certificate
Select advanced certificate request
Paste in the CSR you copied earlier and select an appropriate certificate template and click submit.
Choose Base 64 encoded certificate and click download certificate
Save the file with the other two files you grabbed from the PSC earlier. I called it root_signing_certificate
Next, we need to grab the certificate chain from the CA to include the root certificate and any intermediate certificates you may have. Head back to the main page on the certificate server and click Download a CA Certificate as shown below
Download the CA certificate, Base 64 encoded
Save the file as something like domain_root_ca
Open the domain_root_ca certificate you just saved with your favourite text editor and copy the contents.
Then paste the contents into the root_signing_certificate we generated earlier. This will add the full certificate chain to the certificate for when we import the certificate to the PSC.
Save the file.
Step 3 – Import the certificates into the PSC
We need to now get the newly created certificate back onto the PSC. Fire up WinSCP again and copy the root_signing_certificate file back to the /tmp/ location on the PSC.
If you recall, we left the SSH session open on the PSC. We can now continue with the steps on the PSC. Choose option 1 to continue importing the custom certificates.
Choose yes to replace the root certificate.
This will then run through and update the certificate for each of the services.
And that's the certificates replaced.
Step 4 – Verify certificate replacement
Once the above is complete, log back into the PSC Web UI and browse to certificate management. Check the time stamp on the Machine Certificates and the Solution User Certificates. They will have changed as the certificates have been replaced.
There will also be a new root certificate in the list. You can check the certificate chain and issuer by clicking on Show Details.
And you’re done!