Replacing vCenter’s Self-Signed Certificate

Replacing vCenter’s self-signed certificate is not that difficult, and a few steps make it easier still.

Some actions are easier to do from the command line when only a few variables need to change. So I used openssl to create a certificate request that includes three subject alternative names, then Windows certreq to submit the request to my CA and retrieve the issued certificate.

To create a certificate request with multiple subject alternative names, we need to give openssl a configuration file that defines the SAN extension. (OpenSSL 1.1.1 and later can also take the extension on the command line with -addext, but a config file is easier to keep alongside the request and reuse.)

Here is the config file I created for my vCenter:

[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = req_distinguished_name
req_extensions = req_ext

[req_distinguished_name]
countryName = US
stateOrProvinceName = Alaska
localityName = Anchorage
organizationName = incendiary
commonName = vcenter.incendiary.local

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = vcenter.incendiary.local
DNS.2 = vcenter
IP.1 = 192.168.1.100

Note that the IP address goes in an IP.n entry, not a DNS.n entry. RFC 5280 puts addresses in iPAddress SANs, and clients that follow it (browsers included) only match a connection made by IP against those, so a dNSName of 192.168.1.100 can still leave the IP URL showing a name mismatch.

Now we use openssl to generate the request and call the config file:

C:\OpenSSL\bin>openssl req -config csr_san.cfg -new -sha256 -nodes -out vcenter.csr -newkey rsa:2048 -keyout vcenterprivkey.key

That creates the certificate request vcenter.csr and the private key file vcenterprivkey.key. Because of -nodes the key is written unencrypted, which is the form vCenter imports, so treat that file as the appliance’s identity: restrict who can read it and delete it from the workstation once the certificate is installed.

If that worked properly, you should see output similar to:

 Generating a RSA private key
 ...........................................................+++++
 .............................................+++++
 writing new private key to 'vcenterprivkey.key'
 ----- 

Now we need to send the certificate request to our certificate authority. We can use Windows certreq to do this:

C:\OpenSSL\bin>certreq -binary -submit -attrib "CertificateTemplate:WWWServerCustom" -config rogue.incendiary.local\incendiary-rogue-ca C:\OpenSSL\bin\vcenter.csr C:\OpenSSL\bin\vcenter.cer 

-attrib "CertificateTemplate:WWWServerCustom" designates which certificate template on the certificate authority to use.
-config rogue.incendiary.local\incendiary-rogue-ca designates which certificate authority to send the request to, in the form CAHostName\CAName.
-binary tells certreq to write the issued certificate in DER form rather than Base-64. If vCenter rejects the file at import time, drop -binary (or convert the DER file with openssl x509 -inform der -outform pem) so the file starts with -----BEGIN CERTIFICATE-----.
Then we provide the request file, and the filename plus location to save the issued certificate. If the template requires CA manager approval, certreq reports the request as pending and writes no file; approve it on the CA and retrieve it with certreq -retrieve and the request ID.

To find the CA name, if you don’t know it, launch the Certification Authority MMC on the CA and it is displayed at the top of the tree; from a domain-joined machine, certutil -dump also lists the config string (host\CA name) of every enterprise CA in the forest.

To find the template name, open the Certification Authority MMC on the CA, right-click Certificate Templates and choose Manage; certutil -CATemplates also lists the templates the CA is publishing. Use the template’s name, not its display name, as they can differ. Because the subject and SANs come from our CSR, the template must have its subject name set to “Supply in the request” and must include Server Authentication as an application policy, or the issued certificate will not be accepted for TLS.

We also need to give vCenter the certificate chain of the issuing CA. In a homelab with a single certificate authority server, the “chain” is just that CA’s own certificate; with a two-tier PKI you need both the issuing CA and the root CA certificates.
Export the CA certificate in Base-64 encoded X.509 (.CER) format, for example from Certification Authority MMC > CA properties > View Certificate > Details > Copy to File.
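The command-line part of the procedure above, as an added PowerShell example that is not code from the original post: it generates the config with separate DNS and IP SAN entries, builds the key and CSR, checks that the CSR really carries the SANs, submits it with certreq, confirms the issued certificate matches the private key, and verifies it chains to the CA certificate before anything is uploaded. The hostnames, CA config string, template name and working directory are the page’s values and are assumptions; openssl.exe and certreq.exe are assumed to be on PATH.

```powershell
# Added example (not from the original post). Assumed values: hostnames, CA config string,
# template name and working directory below; openssl.exe and certreq.exe on PATH.
$ErrorActionPreference = 'Stop'
$WorkDir  = 'C:\OpenSSL\vcenter'
$Cn       = 'vcenter.incendiary.local'
$DnsSans  = @('vcenter.incendiary.local', 'vcenter')
$IpSans   = @('192.168.1.100')
$CaConfig = 'rogue.incendiary.local\incendiary-rogue-ca'
$Template = 'WWWServerCustom'

# Emit the openssl config. DNS names and IP addresses are different SAN types; an address in a
# DNS.n entry becomes a dNSName that clients will not match when they connect by IP.
function New-SanConfig {
    param([string]$CommonName, [string[]]$Dns, [string[]]$Ip)
    $alt = @()
    for ($i = 0; $i -lt $Dns.Count; $i++) { $alt += "DNS.$($i + 1) = $($Dns[$i])" }
    for ($i = 0; $i -lt $Ip.Count;  $i++) { $alt += "IP.$($i + 1) = $($Ip[$i])" }
    $lines = @(
        '[req]', 'default_bits = 2048', 'prompt = no', 'default_md = sha256',
        'distinguished_name = req_distinguished_name', 'req_extensions = req_ext', '',
        '[req_distinguished_name]', 'countryName = US', 'stateOrProvinceName = Alaska',
        'localityName = Anchorage', 'organizationName = incendiary', "commonName = $CommonName", '',
        '[req_ext]', 'subjectAltName = @alt_names', '',
        '[alt_names]'
    ) + $alt
    return ($lines -join "`r`n")
}

# Write the file as PEM whether the CA handed back Base-64 or DER.
function ConvertTo-Pem {
    param([string]$InFile, [string]$OutFile)
    if ((Get-Content -Path $InFile -TotalCount 1) -like '-----BEGIN*') { Copy-Item $InFile $OutFile -Force }
    else { openssl x509 -inform DER -in $InFile -outform PEM -out $OutFile }
}

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
Set-Location $WorkDir
New-SanConfig -CommonName $Cn -Dns $DnsSans -Ip $IpSans | Set-Content -Path csr_san.cfg -Encoding ASCII

# Key and CSR. -nodes leaves the key unencrypted (the form vCenter imports), so guard the file.
openssl req -config csr_san.cfg -new -sha256 -nodes -newkey rsa:2048 -keyout vcenterprivkey.key -out vcenter.csr

# Confirm the SANs are actually in the request before it goes to the CA.
$csrText = openssl req -in vcenter.csr -noout -text | Out-String
foreach ($d in $DnsSans) { if ($csrText -notmatch "DNS:$([regex]::Escape($d))")        { throw "CSR is missing DNS SAN $d" } }
foreach ($a in $IpSans)  { if ($csrText -notmatch "IP Address:$([regex]::Escape($a))") { throw "CSR is missing IP SAN $a" } }

# Submit. Without -binary certreq writes the issued certificate Base-64 encoded. A template that
# needs CA manager approval writes no file; fetch it later with: certreq -retrieve <RequestId> vcenter.cer
certreq -submit -attrib "CertificateTemplate:$Template" -config $CaConfig vcenter.csr vcenter.cer
if (-not (Test-Path vcenter.cer)) { throw 'No certificate returned (pending approval or request rejected)' }
ConvertTo-Pem -InFile vcenter.cer -OutFile vcenter.pem

# The issued certificate must carry the public key of the key file we are about to upload.
$certMod = (openssl x509 -in vcenter.pem -noout -modulus | Out-String).Trim()
$keyMod  = (openssl rsa -in vcenterprivkey.key -noout -modulus | Out-String).Trim()
if ($certMod -ne $keyMod) { throw 'vcenter.pem does not match vcenterprivkey.key' }

# Fetch the issuing CA's certificate (the same object the MMC exports as Base-64) and check that the
# issued certificate chains to it. For a multi-tier PKI, append every CA in the chain to chain.pem.
certutil -config $CaConfig -ca.cert ca.cer | Out-Null
ConvertTo-Pem -InFile ca.cer -OutFile chain.pem
openssl verify -CAfile chain.pem vcenter.pem
if ($LASTEXITCODE -ne 0) { throw 'vcenter.pem does not chain to chain.pem' }

'Upload chain.pem as a Trusted Root Certificate, then vcenter.pem and vcenterprivkey.key as the Machine SSL Certificate.'
```

The modulus comparison is the cheap way to catch the most common failure at this stage, a certificate retrieved for a different request, before vCenter reports a key mismatch mid-import. Keep the -notmatch checks on the CSR: a template or CA policy can silently strip or replace the SAN extension, and the CSR check tells you whether the problem was on your side or the CA’s.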

To install the certificates on to vCenter, that’s all done through the normal vCenter web interface.
Log in to vCenter, then go to Menu and Administration.

From Administration, select Certificate Management

Now we enter the details of the vCenter server whose certificates we want to manage. Do not use localhost here; use the vCenter’s actual FQDN, then the appropriate credentials.

Scroll down to the bottom, and we should see Trusted Root Certificates. We need to select Add, to install our Windows CA certificate chain.

Browse for the certificate chain.

Select the certificate chain we exported above.

Then hit Add.

We should now have 2 Trusted Root Certificates listed: the built-in VMCA root and the Windows CA certificate we just added.

Now scroll back up to the top. Under Machine SSL Certificate select the Actions drop-down and select Replace.

Here, we need to provide both the new vCenter certificate and accompanying private key.

So select those, then click Replace.

At this point, we need to reboot the vCenter appliance for the new certificate to be used. Log in to the appliance management interface (VAMI), which is on port 5480 by default, then go to the Actions drop-down and select Reboot.

Then confirm.

After the reboot, there should no longer be a Not Secure notice in the browser. That holds only on clients that trust the Windows CA: domain-joined machines get an enterprise CA’s certificate through Group Policy automatically, while anything else (phones, non-domain laptops) will keep warning until the CA certificate is installed in its trust store.

Reviewing the certificate details in the browser should also show the subject alternative names that were provided via the config file, with the IP address listed as an IP Address entry rather than a DNS name.
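To verify the result without relying on the browser padlock, here is an added PowerShell example (not part of the original post) that connects to port 443 the way a browser does, prints the subject, issuer and SANs of the certificate vCenter now serves, checks that the FQDN is in the SAN list, and builds the chain against this machine’s trust store, which is what decides whether the Not Secure warning appears on it. The hostname is the page’s value and is an assumption.

```powershell
# Added example (not from the original post). Assumed: the hostname resolves and port 443 is reachable.
function Test-VCenterCertificate {
    param([string]$Fqdn = 'vcenter.incendiary.local')

    $tcp = New-Object System.Net.Sockets.TcpClient($Fqdn, 443)
    # Accept any certificate during the handshake so we can inspect it; trust is judged separately below.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
    try {
        $ssl.AuthenticateAsClient($Fqdn)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose()
        $tcp.Close()
    }

    "Subject : $($cert.Subject)"
    "Issuer  : $($cert.Issuer)"
    "Expires : $($cert.NotAfter)"

    # 2.5.29.17 is the Subject Alternative Name extension; browsers match the URL host against it, not the CN.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) {
        Write-Warning 'No Subject Alternative Name extension; modern browsers will report a name mismatch'
    } else {
        'SANs    :'
        $san.Format($true)
        if ($san.Format($false) -notmatch [regex]::Escape($Fqdn)) { Write-Warning "$Fqdn is not in the SAN list" }
    }

    # Same decision the browser makes: does the chain end at a root this machine trusts?
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($cert)
    if ($trusted) { 'Chain builds to a root this machine trusts' }
    else { $chain.ChainStatus | ForEach-Object { Write-Warning "$($_.Status): $($_.StatusInformation.Trim())" } }
    return $trusted
}

Test-VCenterCertificate
```

Run it from a domain-joined workstation and from a non-domain machine: the certificate output is identical, but the chain result differs, which is the quickest way to show that a remaining Not Secure warning is a client trust problem rather than a vCenter one. If the issuer still reads CA rather than your Windows CA, the Machine SSL replacement did not take effect and the reboot or the import step needs another look.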
