Replacing vCenter SSL machine certificates in a multi-tier PKI environment - Part 2
3 min read

Replacing vCenter SSL machine certificates in a multi-tier PKI environment - Part 2

Replacing vCenter SSL machine certificates in a multi-tier PKI environment - Part 2

So in part 1 we created the certificate template we needed, added the CA chain of trust to the VCSA and generated the CSR file we need in order to get the SSL certificate that we need. In this post we'll grab that CSR, issue the certificate and then install it in the VCSA.

First off - connect your SCP client of choice to the VCSA, logging in as the root user.

Create yourself a new directory locally for the files that you'll need, then browse to the directory where you created the CSR in the previous steps - in my case this is /tmp

Not that there is a .csr file (the certificate signing request) and a .key file (the private key). Download the CSR file to your newly created folder.

Now, back in your web browser go back to your CA's web enrollment page - this time we're going to download your issuing CA's certificate, and then create the certificate file that the VCSA needs.

First download the CA certificate in Base64 format, and save it to the directory with the CSR stored locally - we'll need this in a few minutes.

Now click Home>Request A Certificate>Advanced Certificate Request.

Copy the contents of your CSR file into the window on your CA, select the newly created certificate template and click Submit.

Download your newly generated certificate into the directory you created earlier. Again, this must be Base64 format.

Open the issuing CA certificate and the newly generated VCSA certificate in your text editor

Copy the entire contents of the issuing CA certificate file and paste it into the the VCSA certificate file directly at the end of the existing certificate info as shown below

Save the file with a new name, then upload this back to the VCSA over SCP, as well as the issuing CA certificate

Back to PuTTY now

Press 1 to continue the process to import your custom certificate and key for the Machine SSL Certificate. Complete the path to the location on the VCSA of your newly minted certificate chain, CA certificate and private key - I put all of these in /tmp

Hit y and enter, and cross your fingers. All being well this will finish without a hitch...

It'll usually take 2 or 3 minutes, once you get something like this you're good to go!

Let's see, shall we?

So there we have it - now the machine certificate on our VCSA is issued by our corporate multi-tier PKI, and the rest of the certs in use for the services are managed by VMCA - this is known as Hybrid SSL, and is the recommended best practice for certificates with VCSA.