Replace SSL certificates on VMware PSC v6.5


Today I will walk through replacing the SSL certificates on a vSphere 6.5 PSC appliance. This includes replacing the Machine Certificates, User Solution Certificates and the Trusted Root Certificates. This is the same process you will be familiar with from vSphere 6.0 U2 onwards certificate replacement. All certificates will be issued from Microsoft Certificate Authority. The advantage of doing this is that any subsequent component such as vCenter Server Appliance and ESXi hosts will be automatically issued a certificate from the PSC as it will be acting as a subordinate certificate authority.

Before we begin, lets take a look at the default certificates that are installed with the PSC. Note the time stamps as these will change once the certificates are replaced.

Machine Certificates:

cert_replace_1

Solution User Certificates:

cert_replace_2

Trusted Root Certificates:

Cert Replace 3

There is the option to click on More Options for each of these certificates to see their issuing path.

Lets continue with the certificate replacement.

Step 1- Generating Certificate Signing Request (CSR)

Use a tool such as PUTTY to connect to the PSC over SSH and login as root

cert_replace_4

Type Shell to grant shell access to root

Cert replace 5

now change shell to bash with command chsh -s /bin/bash root and then change directory to /usr/lib/VMware-vmca/bin

cert_replace_6

Next run the command ./certificate-manager to bring up the screen as below

We are gong to replace the root certificate with custom signing certificate and replace all certificates. Select option 2 for this. Note this also encompasses option 3 to replace Machine SSL certificate. Note in the screenshot below I have also agreed to the option, entered my SSO credentials and started the process for configuring the MACHINE_SSL_CERT.cfg which will be used to generate the CSR later on. More info here in this VMware KB LINK

cert_replace_8

Fill in template as appropriate to your organisation

cert_replace_9jpg

Remember at the beginning of this article we took at look at the 4 default certificates? There are config files for each. Here are the next 3.

cert_replace_11

Follow these steps as below

cert_replace_12b

cert_replace_13

At this point, some files will have been created in the /tmp/ path specified above. Leave the putty session open but do not continue. We will come back to this later.

Step 2 – Generating the certificates

For the next step you will need a tool such as WinSCP to log onto the PSC and grab the files that have just been generated and placed in the /tmp/ directory

Log into the PSC

cert_replace_14

change to the /tmp/ directory and grab the vmca_issued_csr.csr and vmca_issued_key.key files. Copy them to a local destination of your choice.

cert_replace_15

Now open the vmca_issued_csr.csr file in your favourite text editor and copy the contents. This will be used to generate the new certificate from the Microsoft certificate Authority.

cert_replace_16

cert_replace_17

Note, the following steps assumes you already have a Microsoft Certificate Authority infrastructure in place and appropriate certificate templates.

Log into certificate authority and click Request a Certificate

cert_replace_18

Select advanced certificate request

cert_replace_19

Paste in the CSR you copied earlier and select an appropriate certificate template and click submit.

cert_replace_20

Choose Base 64 encoded certificate and click download certificate

cert_replace_21

Save the file with the other two files you grabbed from the PSC earlier. I called it root_signing_certificate

cert_replace_22

Next we need to grab the certificate chain from the CA to include the root certificate and any intermediate certificates you may have. Head back to the main page on the certificate server and click Download a CA Certificate as shown below

cert_replace_23

Download the CA certificate, Base 64 encoded

cert_replace_24

Save the file as something like domain_root_ca

cert_replace_25

Open the domain_root_ca certificate you just saved with your favourite text editor and copy the contents.

cert_replace_26

Then paste the contents into the root_signing_certificate we generated earlier. This will add the full certificate chain to the certificate for when we import the certificate to the PSC.

cert_replace_27

Save the file.

Step 3 – Import the certificates to the PSC

We need to now get the newly created certificate back onto the PSC. Fire up WinSCP again and copy the root_signing_certificate file back to the /tmp/ location on the PSC.

cert_replace_28

If you recall, we left the SSH session open on the PSC. We can now continue with the steps on the PSC. Choose option 1 to continue importing custom certificates

cert_replace_30

cert_replace_29

Choose yes to replace root certificate

This will then run through and update the certificate for the services

And that’s the certificates replaced

Step 4 – Verify certificate replacement

Once the above is complete, log back into the PSC Web UI and browse to certificate management. Check the time stamp on the Machine Certificates and the Solution User Certificates. They will have changed as the certificates have been replaced.

Cert 33

cert_replace_34

There will also be a new root certificate in the list. You can check the certificate chain and issuer by clicking on Show Details.

cert_replace_35

 

And your done!

 

Ian

 

Leave a comment

Your email address will not be published. Required fields are marked *