vSphere 6.0 - Configure VMware Certificate Authority as a subordinate CA

 in vCentre / VMware / vSphere 6.0 by

With vSphere 6 vCenter now includes the Platform Services Controller (PSC) which runs services such as SSO, it also includes VMware Certificate Authority (VMCA). VMCA is installed on an embedded vCenter server or an external PSC. You can configure VMCA into three mode - VMCA Default (self-signed certificates are deployed to services) VMCA Enterprise (acts as a subordinate to your Enterprise CA, services are signed and trusted for your internal PKI infrastructure) and Custom (VMCA is bypassed and custom 3rd party certificates are added to all services manually).

Its common to replace the default certificates and in 5.x the method is similar to Custom. Setting VMCA Enterprise up is handy for deployments allowing your VMCA to dish out certificates. It will also regenerate existing default certificates without the need to remove the hosts from vCentre first. Its worth noting for some organisations this will be a security risk so its not for everyone.

The following will show the steps to be able to use your VMCA as a subordinate CA. I am using the embedded deployment and using the vCenter virtual appliance, my Enterprise CA is Windows 2012 R2.

VMware KB to create the CA templates found here

VMware KB to set the VMCA as a subordinate found here

First log onto the Enterprise CA and open Certification Authority in the admin tools. Right click Certificate Templates - Manage. A new console will open then find Subordinate Certification Authority - right click - Duplicate Template. Call the new template vSphere 6.0 VMCA. Check the compatibility tab and the extension tabs are as follows.

Click OK and close

Go back to the Certification Authority. Right click Certificate Template - New - Certificate Template to Issue. Find your new template and click OK to issue

Now you need to prepare the vCenter appliance. I will be using WinSCP to copy the request files off the appliance. If you connect to the appliance you will receive the following error

Received too large (1433299822 B) SFTP packet. Max supported packet size is 1024000 B.

To enable WinSCP first SSH onto the vCentre appliance and log in as root. Enter the following to change the default shell to Bash

>shell.set -enable True

>shell

>chsh –s “/bin/bash” root

Now you will be able to connect using WinSCP

We move on to generate the certificate requests. Connect to the host using WinSCP as root and create a new folder in the /tmp folder called ssl. Then SSH onto the vCenter appliance and enter the following, you should now default to Bash

>/usr/lib/vmware-vmca/bin/certificate-manager

Select option 2 then option 1 and provide a location on the appliance, enter the the folder we just created

>/tmp/ssl

Dont close the SSH session as we will come back it. You will now have a key file and a request file in the location specified. Copy these files onto your computer.

Browse to your CA or the server that has the web enrolment installed. Http://servername/certsrv. Choose Request a certificate - advanced certificate request - submit a certificate request by using a base-64-encoded CMC or PKCS #file…

Open the request file in a test editor and copy the content into the Base-64-encoded certificate request box and select the template you created previously - vSphere 6.0 VMCA

Submit and download as Base 64 - save to the local machine. Browse back to http://servername/certsrv and click Download CA certificate. Again select Base 64 and save to the local machine.

Rename the certificate you downloaded and the root certificate.

Open the root.cer file in a word editor and copy the content to your clip board. Now open up the servername.cer file in a word editor and paste the copied content from the root certificate to the bottom of the file. So it looks like the following

Save this file and copy it onto the vCentre appliance /tmp/ssl

Go back to your SSH session and select 1 Continue to importing Custom certificate (s) and key (s) for VMCA Root Signing certificate)

Add the location of the new .cer file

>/tmp/ssl/lab-vc01.vjenner.com.cer

Add the location of the key file

>/tmp/ssl/root_signing_cert.key

Run through the prompted details, make sure the details are correct for your organisation. The hostname must be correct to the hostname of the appliance. Wait for it to complete

Thats it! VMCA is now a subordinate for your Enterprise CA.

Open the web client to check it has applied correctly

You can now add you ESXi hosts into vCenter.

Important note - you have to wait 24 hours before you can add any hosts if they have not already been added to vCenter. You will receive a Start Time Error (70034). VMware KB for this error is here

After 24 hours you can add the hosts into vCentre and the certificate will be updated

Leave a comment

Your email address will not be published. Required fields are marked *