Replace vCenter VMCA certificate with Microsoft CA certificate
VMWare (certificate) Monday, 29 June 2020 by paul

vCenter is installed with a self-signed certificate, so most browsers show a certificate warning when the web client is opened. Replacing the certificate in vCenter is not straightforward, but it can be done with the following process.


Before starting you need to create a template in the Windows Certificate Authority. The following article has detailed instructions:


Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.x/7.x (2112009) - https://kb.vmware.com/s/article/2112009


Once the template is in place you can follow the instructions below:


1.    SSH to the vCenter server as root.
2.    Enter “SHELL” to start the bash shell.
3.    Run /usr/lib/vmware-vmca/bin/certificate-manager. The menu below is displayed:

                 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
                |                                                                     |
                |      *** Welcome to the vSphere 6.7 Certificate Manager  ***        |
                |                                                                     |
                |                   -- Select Operation --                            |
                |                                                                     |
                |      1. Replace Machine SSL certificate with Custom Certificate     |
                |                                                                     |
                |      2. Replace VMCA Root certificate with Custom Signing           |
                |         Certificate and replace all Certificates                    |
                |                                                                     |
                |      3. Replace Machine SSL certificate with VMCA Certificate       |
                |                                                                     |
                |      4. Regenerate a new VMCA Root Certificate and                  |
                |         replace all certificates                                    |
                |                                                                     |
                |      5. Replace Solution user certificates with                     |
                |         Custom Certificate                                          |
                |                                                                     |
                |      6. Replace Solution user certificates with VMCA certificates   |
                |                                                                     |
                |      7. Revert last performed operation by re-publishing old        |
                |         certificates                                                |
                |                                                                     |
                |      8. Reset all Certificates                                      |
                |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|
Note : Use Ctrl-D to exit.
Option[1 to 8]: 


4.    Select option 1 (Replace Machine SSL certificate with Custom Certificate).
5.    After being prompted for credentials, another menu is displayed.

         1. Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate

         2. Import custom certificate(s) and key(s) to replace existing Machine SSL certificate

Option [1 or 2]: 


6.    Select option 1 (Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate).
7.    You will be prompted for a number of values. The important ones are Output directory path (/tmp/), Name (FQDN of the vCenter server) and Hostname (FQDN of the vCenter server).
8.    Two files are created in the specified folder (vmca_issued_key.key and vmca_issued_csr.csr).
9.    Use WinSCP to transfer vmca_issued_csr.csr off the vCenter server.
10.    Access the web enrolment page of your domain CA (usually http://servername/certsrv/).
11.    Select the “Request a certificate” link.
12.    Select the “advanced certificate request” link.
13.    Copy and paste the contents of the file vmca_issued_csr.csr into the field “Base-64-encoded certificate request”.
14.    Select the “Certificate Template” that you created at the beginning of this process.
15.    Press “Submit”.
16.    Select “Base 64 encoded”.
17.    Download the certificate and certificate chain files.
18.    Open the certificate chain file (by double-clicking it in Windows Explorer) and export the CA certificate as Base-64 encoded X.509 (.CER).
19.    Use WinSCP to transfer the certificate file and the CA certificate file to the vCenter server.
20.    SSH to the vCenter appliance as root.
21.    Enter “SHELL” to start the bash shell.
22.    Run sudo /usr/lib/vmware-vmca/bin/certificate-manager again.
23.    Select option 1 (Replace Machine SSL certificate with Custom Certificate).
24.    After being prompted for credentials, another menu is displayed.

         1. Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate

         2. Import custom certificate(s) and key(s) to replace existing Machine SSL certificate

Option [1 or 2]: 


25.    Select option 2 (Import custom certificate(s) and key(s) to replace existing Machine SSL certificate).
26.    Prompted: Please provide valid custom certificate for Machine SSL.
27.    Enter the filename of the certificate you just transferred via WinSCP.
28.    Prompted: Please provide valid custom key for Machine SSL.
29.    Enter the key filename (/tmp/vmca_issued_key.key).
30.    Prompted: Please provide the signing certificate of the Machine SSL certificate.
31.    Enter the filename of the CA certificate you just transferred via WinSCP.
32.    Confirm the replacement operation (Y).
33.    This may take a while to complete and finishes with the message: Status : 100% Completed [All tasks completed successfully]
When it has finished, log into vCenter as normal and check that the site's certificate is the one you expect.
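Before running step 25 it is worth checking that the three files you are about to import actually fit together: the issued certificate must belong to the key certificate-manager generated in step 8, it must chain to the CA certificate you give as the signing certificate, and it must carry the vCenter FQDN as a DNS subject alternative name, since browsers match on the SAN rather than the common name. The script below is an added example for this page (not VMware's code and not the original author's); it assumes only the openssl binary that is present in the appliance bash shell. The demo() function builds a constructed throw-away CA, a constructed FQDN (vcenter.example.test) and constructed file names that stand in for the real CSR, key and Windows CA downloads, so it runs anywhere without touching your vCenter.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks for the files handed
# to certificate-manager in steps 25-31, plus a check of what vCenter serves
# after step 33. Assumes only openssl. The FQDN, file names and the throw-away
# CA built in demo() are constructed for the demo.
set -eu

# Does the issued certificate belong to the key certificate-manager generated?
# Compares the public key embedded in the certificate with the one derived
# from the private key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Does the certificate chain to the file you will give as "signing certificate"?
cert_chains_to_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Does the certificate carry the vCenter FQDN as a DNS SAN? Browsers match on
# the SAN, not the CN, so a template that drops SANs still yields a warning.
cert_has_dns_san() {
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    openssl x509 -in "$1" -noout -text | grep -Eq "DNS:$pat(,|$)"
}

# Turn the PKCS#7 chain file (.p7b) downloaded from the Windows CA into plain
# PEM certificates: a command-line alternative to the GUI export in step 18.
# Tries DER first (what the CA web page serves), then PEM.
p7b_to_pem() {
    { openssl pkcs7 -inform DER -in "$1" -print_certs 2>/dev/null \
        || openssl pkcs7 -inform PEM -in "$1" -print_certs; } \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$2"
}

# After the replacement: print subject, issuer and validity of the certificate
# the vCenter TLS endpoint actually serves (needs network access to vCenter).
show_served_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates
}

# Demo in a subshell so cd does not leak: builds a constructed "domain CA",
# the key/CSR pair certificate-manager writes in step 8, the certificate the
# CA issues and the .p7b chain the CA hands back, then runs the checks.
demo() (
    host="vcenter.example.test"   # constructed FQDN
    cd "$1"
    printf '[req]\ndistinguished_name=dn\nx509_extensions=ca_ext\n[dn]\n[ca_ext]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > req.cnf
    openssl req -config req.cnf -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Demo Domain CA" -keyout ca.key -out ca.crt 2>/dev/null
    openssl req -config req.cnf -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$host" -keyout vmca_issued_key.key -out vmca_issued_csr.csr 2>/dev/null
    # the SAN comes from the CA template, not from the CSR
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" > san.ext
    openssl x509 -req -in vmca_issued_csr.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 30 -sha256 -extfile san.ext -out certnew.cer 2>/dev/null
    openssl crl2pkcs7 -nocrl -certfile ca.crt -outform DER -out certnew.p7b

    p7b_to_pem certnew.p7b chain.pem
    cert_matches_key certnew.cer vmca_issued_key.key && echo "certificate matches key"
    cert_chains_to_ca certnew.cer chain.pem && echo "certificate chains to CA"
    cert_has_dns_san certnew.cer "$host" && echo "DNS SAN present for $host"
    cert_matches_key certnew.cer ca.key || echo "wrong key correctly rejected"
)

demo "$(mktemp -d)"
```

On the appliance, run the individual checks against the real files (for example cert_matches_key /tmp/certnew.cer /tmp/vmca_issued_key.key and cert_chains_to_ca /tmp/certnew.cer /tmp/root.cer) before step 25, and show_served_cert with your vCenter FQDN after step 33; only demo() creates files, and the private key never needs to leave the appliance.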

More detailed instructions here: http://vcloud-lab.com/entries/vcenter-server/How-to-replace-default-vCenter-VMCA-certificate-with-Microsoft-CA-signed-certificate