KB - VMWARE001: How to replace a vCenter (vSphere) Server Machine SSL Certificate from self-signed to CA-signed?
VMWare is still my first choice
KB ID
VMWARE001
Overview
This guide provides step-by-step instructions for replacing the default self-signed Machine SSL certificate on a vCenter Server Appliance (vSphere) with a certificate signed by a Certificate Authority (CA).
Using vSphere's built-in GUI certificate manager, the process covers generating a Certificate Signing Request (CSR), configuring the CA to issue a compatible certificate, exporting the CA chain, importing the signed certificate and chain, and updating the vCenter Server settings.
Table of Contents
- Why Replace the Default SSL Certificate?
  - Benefits of Using a Domain Controller CA-signed Certificate
- Step 1: Take a Snapshot of Your VCSA VM
  - Step 1a: Log in to your vSphere
  - Step 1b: Take a snapshot of your VCSA VM
- Step 2: Create and Issue a Certificate Template for Web Enrollment
  - Step 2a: Log in to your Windows Server installed with the Certificate Authority role
  - Step 2b: Launch Certificate Authority
  - Step 2c: Launch Certificate Template Console
  - Step 2d: Create and Issue a New Certificate Template that is Compatible with vSphere
  - Step 2e: Change the Permission of the Newly Issued Certificate Template so that it can be Used to Enroll in the Web Enrollment
- Step 3: Generate CSR from the vSphere Certificate Manager GUI and Generate a Certificate to be Used in the vSphere Client
  - Step 3a: Generate CSR
  - Step 3b: Import the CSR into the Web Enrollment URL, Download the Base64 Certificate, and Download and Convert the Domain Controller Certificate Chain into Base64 from the CA
- Step 4: Import the CA SSL Certificate and CA Chain Certificate into vSphere
  - Step 4a: Log in to the vSphere Web GUI
  - Step 4b: Select “Import and Replace Certificate”
  - Step 4c: Browse the respective files
  - Step 4d: Select “I have backed up vCenter Server and its associated database” and click next
  - Step 4e: Click Finish
Goals
The goal of this article is to guide administrators through the process of replacing the default self-signed SSL certificate on a vCenter Server Appliance with a Domain Controller CA-signed certificate.
Why Replace the Default SSL Certificate?
The default self-signed SSL certificate on vCenter Server is not trusted by other systems. Replacing it with a CA-signed certificate enhances security, ensures trust, and complies with organisational policies, while enabling seamless integration with domain services.
Benefits of Using a Domain Controller CA-signed Certificate
- Trust: Trusted by all major systems and browsers.
- Security: Provides stronger encryption and protection.
- Compliance: Meets security standards and regulations.
- Integration: Ensures smooth compatibility with Active Directory and network services.
UAT Scenario
This scenario assumes that vCenter Server has already been deployed and that the Certificate Authority and its Web Enrollment roles have been installed.
In this scenario:
Characters:
- Xiao Ming (IT Administrator) – Responsible for managing the vCenter and CA server and ensuring the security of the VMware infrastructure.
- Da Ming (Manager) – Focuses on maintaining security compliance across the organisation.
Initial Discussion
Xiao Ming: “Da Ming, our VAPT report flagged that our vCenter Server is still using the default self-signed SSL certificate. We need to replace it with a Domain Controller CA-signed certificate to improve security and ensure compliance.”
Da Ming: “I agree. A self-signed certificate could create security risks and trust issues. I think it is time we implement a trusted CA-signed certificate. Do you have a plan for this?”
Xiao Ming: “Yes, I have already outlined the steps. First, I will export a CSR from the vCenter Certificate Manager GUI, then we can use the Domain Controller’s certificate web enrollment service to issue the CA-signed certificate. After that, I will import it back into vCenter and update the server settings.”
Da Ming: “Great. Make sure to run a few tests to verify the installation is successful and that everything works without disruptions. We don’t want any downtime affecting operations.”
Testing and Validation
Xiao Ming and Da Ming begin testing the changes.
Da Ming: “I have verified that the new CA certificate is trusted by the browser and I have tested the login process for all users. So far, no issues with authentication, and everything is loading without certificate errors.”
Expected downtime for users
10 minutes (depends on how quickly the IT admins perform the steps)
Prerequisites
- Access to a vCenter Server Appliance (vSphere) with administrative privileges (Certificate Manager CLI).
- A Domain Controller with Certificate Authority and IIS Web Enrollment Services Installed.
- Access to Create, View, Edit, and Request Certificate Templates.
- Ability to export and import SSL certificates within the vCenter Server.
I am using vSphere 8, so the interface might look different on yours as compared to mine.
Step 1. Take a snapshot of your VCSA VM.
Step 1a: Log in to your vSphere
a. Log in to your vSphere web GUI with your admin credentials.
Step 1b: Take a snapshot of your VCSA VM.
a. Navigate to the VCSA VM, and go to the snapshots tab.
b. Click on “Take Snapshot”, uncheck the first option and click “Create”.
c. Verify that your snapshot has been taken.
Step 2: Create and issue a certificate template for web enrollment
Step 2a: Log in to your Windows Server installed with the Certificate Authority role.
Step 2b: Launch Certificate Authority
Step 2c: Launch Certificate Template console
a. Right click on “Certificate Template”
b. Select “Manage”
c. You should see the Certificate Template console screen.
Step 2d: Create and Issue a new Certificate Template that is compatible with vSphere.
a. Right click on the “Web Server” Template
b. Select “Duplicate Template”
c. Navigate to the Compatibility Tab and configure as follows:
Property | Value |
---|---|
Compatibility > Compatibility Settings > Certificate Authority and Certificate Recipient | Windows Server 2012 and Windows 7 / Server 2008 R2 |
d. Navigate to the Extensions Tab and configure as follows:
Property | Value |
---|---|
Extensions > Application Policies > Edit | Remove all entries |
Extensions > Basic Constraints > Edit | Check "Enable this extension" |
Extensions > Key Usage > Edit | Tick "Signature is proof of origin (nonrepudiation)" and leave the others as default. |
e. Navigate to the General Tab and configure as follows:
Property | Value |
---|---|
General | Configure it as you deem fit. |
f. Navigate back to the Certificate Authority console, and go to Certificate Template > New > Certificate Template to issue.
g. Select the Certificate template that you created in steps c-e, and click Ok.
Step 2e: Change the permission of the newly issued Certificate Template so that it can be used to enroll in the Web Enrollment.
For ease of deployment, I am giving Full Control to “Everyone”, PLEASE DO NOT FOLLOW THIS AS IT IS NOT RECOMMENDED!
a. Right click on the new template in the “Certificate Template Console” and select “Properties”.
b. Go to Security, and add “Everyone”, and give “Full Control”
Step 3: Generate CSR from the vSphere Certificate Manager GUI and generate a certificate to be used in the vSphere Client.
Step 3a: Generate CSR
a. Log in to your vSphere web UI, and navigate to Administration > Certificate Management
b. Select “Generate Certificate Signing Request (CSR)”
c. Enter the following values according to your own server (the values shown are from my environment and should be adjusted):
Property | Value |
---|---|
Common name | fortress.conanzhang.tech |
Organization | Facets of Conan ZHANG |
Organization Unit | IT |
Country | Singapore |
State/Province | SG |
Locality | SG |
Email Address | [email protected] |
Host | fortress.conanzhang.tech |
Subject Alternative Name | fortress, fortress.tech.conanzhang, tech.conanzhang, 10.10.20.252 |
Key Size | 2048 |
d. Copy / download the CSR
Step 3b: Import the CSR into the Web Enrollment URL, download the Base64 certificate, and download and convert the Domain Controller Certificate Chain into Base64 from the CA.
a. Navigate to https://
b. Paste your CSR and click submit
c. Select “Base 64 encoded” and download the certificate (NOT the certificate chain)
d. Navigate to https://
e. Navigate to https://
f. Open the newly downloaded .p7b file, and navigate into the folders until you find a certificate.
g. Export all certificates in the chain by right clicking > All Tasks > Export
h. Click next, check the option “Base-64 encoded X.509 (.CER)” option and click next
i. Select the location of the .cer chain file, and click next
j. Verify the information, and click Finish
Step 4: Import the CA SSL certificate and CA Chain certificate into vSphere
Step 4a: Log in to the vSphere Web GUI
a. Log in to your vSphere web UI, and navigate to Administration > Certificate Management
b. Select “Generate Certificate Signing Request (CSR)”
c. Select “Import and Replace Certificate”
d. Select “Replace with External CA certificate where CSR …..”
e. Browse the respective files
Property | Value |
---|---|
Machine SSL Certificate | Use the file downloaded in 3b (c) |
Chain of trusted root certificates | Use the .cer chain file exported in 3b (i) |
f. Select “I have backed up vCenter Server and its associated database” and click next
g. Click Finish
Step 5: Verify the certificate is now CA Signed
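The following script is an added example, not part of the original KB. It gives OpenSSL equivalents for two points in the procedure: the manual .p7b-to-Base64 chain export in Step 3b (f-j), and the Step 5 check that the certificate vCenter now serves is CA-signed and chains to the exported CA chain. It assumes the `openssl` CLI is installed; all file names and the hostname are placeholders.

```shell
#!/bin/sh
# Added example (not from the original KB). Assumes the openssl CLI is available.
set -e

# Step 3b alternative: convert the PKCS#7 chain (.p7b) downloaded from the CA
# web enrollment page into the Base64/PEM form vSphere expects in the
# "Chain of trusted root certificates" field. Handles DER or PEM encoded .p7b.
# Prints the number of certificates found in the chain.
p7b_to_pem() {
    in="$1"; out="$2"
    if ! openssl pkcs7 -inform DER -in "$in" -print_certs -out "$out" 2>/dev/null; then
        openssl pkcs7 -inform PEM -in "$in" -print_certs -out "$out"
    fi
    grep -c 'BEGIN CERTIFICATE' "$out"
}

# Returns 0 when the certificate is self-signed (issuer equals subject),
# 1 when it was issued by a different CA.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Step 5 check (offline): does the issued Machine SSL certificate chain to
# the CA chain exported in Step 3b? Returns openssl verify's exit status.
verify_issued_cert() {
    cert="$1"; chain="$2"
    openssl verify -CAfile "$chain" "$cert" >/dev/null
}

# Step 5 check (live): fetch the certificate vCenter presents on 443, print
# its issuer and SANs, and report whether it is still self-signed.
check_vcenter() {
    host="$1"                           # e.g. fortress.conanzhang.tech (placeholder)
    tmp=$(mktemp)
    openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -out "$tmp"
    openssl x509 -in "$tmp" -noout -issuer -ext subjectAltName
    if is_self_signed "$tmp"; then echo "STILL SELF-SIGNED"; else echo "CA-signed"; fi
    rm -f "$tmp"
}
```

Run `check_vcenter <vcenter-fqdn>` after Step 4 finishes and the services have restarted; the issuer line should name your CA, not the vCenter's own VMCA/self-signed name.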
Conclusion.
By carefully following the steps outlined above, you can replace the vCenter Machine SSL certificate with one issued by a trusted CA.