Replace machine certificate in vSphere 7
Compared to posts that describe the same task in older versions, this will be a rather short one. Replacing vCenter certificates has become easier with every version, and it has never been as easy as it is now.
In vCenter 7 we only have one certificate to manage: Solution User certificates are gone, or rather deprecated, in 7.0. You can also see this in the CLI certificate-manager; compare the welcome screen in 6.7 and 7.0:
vSphere 7.0 also introduces a new GUI for replacing this certificate. This post explains the steps to replace the vCenter machine (SSL) certificate with a certificate signed by a Windows CA.
Steps for replacement
- Create a CSR (Certificate Signing Request) for the new certificate. To do so, go to Menu –> Administration –> Certificate Management, click ACTIONS in the __MACHINE_CERT box and select Generate Certificate Signing Request (CSR). Fill in the requested data. Make sure to enter both the FQDN and the short hostname of vCenter (comma separated) in Subject Alternative Name: current browsers compare the SAN entries, not the Common Name, with the hostname you actually typed in the address bar. When you press Next, you have the option to copy the request to the clipboard or to download it.
Download the file for use in the next step. Here: C:\Cert\vcsa.csr
- Create new certificate in Windows CA
Until now I used the Windows CA Web Enrollment site (https://CA_hostname/certsrv/) for this task, but I was told it isn't maintained by Microsoft any more, so I switched to a supported method: the command line. Normally the certificate could be issued via the MMC, but there you cannot specify the certificate template to use (see Notes). Therefore I use certreq. The full command to use the Web Server template:
certreq.exe -submit -attrib "CertificateTemplate:WebServer" "C:\Cert\vcsa.csr"
This command opens a Save Certificate window. I save the issued certificate as: C:\Cert\vcsa-cert.cer
- Export CA root certificate
The last piece we need is the CA root certificate (including the existing chain, if the CA is not a root CA). I used to get this from the Web Enrollment site as well, but the command line works here too. To export the CA root certificate, run this command on the CA computer:
certutil -ca.cert c:\Cert\root-cert.cer
Unfortunately this exports the certificate in binary (DER) format, while vCenter expects Base64 (PEM, which is human readable). Therefore run this command to convert the format:
certutil -encode c:\Cert\root-cert.cer c:\Cert\root-cert-base64.cer
- Replace certificate
The last step is to use the new wizard for certificate replacement. Click ACTIONS in the __MACHINE_CERT box again and select Import and Replace Certificate.
Select Replace with certificate generated from vCenter server. The wording sounds misleading, but it is meant for the case where vCenter created the CSR that was used to issue the certificate, which is exactly what we did. With this option we do not need to supply a private key, because it was created (and is kept) in vCenter during CSR creation.
On next page, select appropriate files:
Machine SSL Certificate –> vcsa-cert.cer
Chain of trusted root certificates –>
When everything works fine, all vCenter services are restarted and you see this:
After a few minutes you should be able to login to vCenter again.
- After this procedure you also see a new Trusted Root Certificate, which is the CA root certificate.
- If you try to replace the certificate this way without first creating a CSR, you get this error:
Error occurred while fetching tls: Certificate not found for given ID (Certificate is not valid)]
- To keep this workflow simple, you have to use the CSR to create the certificate, and you have to use exactly that certificate for the replacement. You must not create another CSR between certificate creation and replacement. If you do, you get this error:
Error occurred while fetching tls: Exception found (The provided MACHINE_SSL certificate and provided private key are not valid.)]
This is because creating a CSR also creates a new private key in vCenter. If you generate another CSR after the certificate was issued, the stored private key no longer matches the public key in the certificate.
- If you try to issue the certificate in the Microsoft Certificate Authority GUI (MMC), you get the following error, because the template information is missing (see step 2).
[The request contains no certificate template information. 0x80094801 (-2146875391 CERTSRV_E_NO_CERT_TYPE) Denied by Policy Module 0x80094801, The request does not contain a certificate template extension or the CertificateTemplate request attribute.]
- Even when the replacement works fine, your browser may still show certificate issues. This is a browser topic, not a vCenter one: Chrome, for example, rejects certificates signed with SHA-1. In that case check the signature hash algorithm used by your CA and reissue the certificate.
The same certificate is OK for Internet Explorer.
- [Update] If you search for the private key in the VCSA during this process, read here to learn more. That post is for 6.7.
- [Update] If an intermediate CA issues your certificate, you need to create a certificate chain file for the root CA. This chain must include both the root and the intermediate CA certificate. You can simply copy the (Base64) .cer file content of the root and the intermediate CA certificate into a single text file; I normally use the file extension .pem. Create this file in step 3 and use it as the chain of trusted root certificates.
If the root certificate is missing from the chain during replacement, you get the error:
[Error occurred while fetching tls: the trustAnchors parameter must be non-empty]
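As an added example (not part of the original post and not a VMware or Microsoft tool), here is a PowerShell script that runs steps 2 and 3 from the Windows side and adds the checks a practitioner wants before starting step 4: it submits the vCenter-generated CSR non-interactively, derives the chain file (intermediates plus root, so the trustAnchors error above cannot happen) from the issued certificate instead of hand-copying files, and verifies the SAN entries and the signature hash. The CA name CA01\Lab-CA, the hostnames vcsa.lab.local / vcsa and the C:\Cert paths are assumptions; the SAN parsing relies on the English "DNS Name=" label that .NET prints on an English Windows installation.

```powershell
# Added example, not from the original post. Assumed values (hypothetical):
# CA reachable as CA01\Lab-CA, vCenter FQDN vcsa.lab.local, working dir C:\Cert.
$ErrorActionPreference = 'Stop'
$CaConfig  = 'CA01\Lab-CA'        # assumed <CAhost>\<CAname>
$VcsaFqdn  = 'vcsa.lab.local'     # assumed vCenter FQDN
$VcsaShort = 'vcsa'               # assumed short hostname
$Dir   = 'C:\Cert'
$Csr   = Join-Path $Dir 'vcsa.csr'       # downloaded from the vCenter CSR wizard (step 1)
$Cer   = Join-Path $Dir 'vcsa-cert.cer'  # issued certificate (step 2)
$Chain = Join-Path $Dir 'ca-chain.pem'   # chain of trusted root certificates (step 3)

# Step 2: submit the vCenter-generated CSR against the WebServer template.
# -config plus an explicit output file avoids the CA picker and the Save dialog.
# The template must be published on the CA and the caller needs Enroll rights on it.
function Submit-VcsaCsr {
    & certreq.exe -submit -config $CaConfig -attrib 'CertificateTemplate:WebServer' $Csr $Cer
    if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }
}

# Write one certificate as a PEM block (Base64 with BEGIN/END header), the
# same format certutil -encode produces.
function ConvertTo-Pem {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $der = $Cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    $b64 = [Convert]::ToBase64String($der, [Base64FormattingOptions]::InsertLineBreaks)
    return "-----BEGIN CERTIFICATE-----`n$b64`n-----END CERTIFICATE-----`n"
}

# Step 3 (including the intermediate-CA case): build the chain file from the
# issued certificate's own chain, so an intermediate CA is never left out.
# The issuing CAs must already be trusted on this machine (normal for a
# domain-joined host with an enterprise CA); otherwise Build() fails.
function Export-CaChainPem {
    $leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Cer
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($leaf)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation }) -join '; '
        throw "Chain could not be built: $status"
    }
    # ChainElements[0] is the leaf; the rest are intermediate(s) followed by the root.
    $cas = @($chain.ChainElements | Select-Object -Skip 1 | ForEach-Object { $_.Certificate })
    if ($cas.Count -lt 1) { throw 'No CA certificate in chain; the leaf would be self-signed' }
    $pem = ($cas | ForEach-Object { ConvertTo-Pem $_ }) -join ''
    Set-Content -Path $Chain -Value $pem -Encoding Ascii -NoNewline
    $cas | ForEach-Object { Write-Host "chain: $($_.Subject)" }
}

# Pre-flight for step 4: the browser-side problems mentioned in the post
# (missing SAN entries, SHA-1 signature) are cheaper to catch here than after
# vCenter has restarted all of its services. Returns a list of findings.
function Test-VcsaCert {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Cer
    $problems = @()
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $dnsNames = @()
    if ($san) {
        # Format() output is localized; 'DNS Name=' is the English label.
        $dnsNames = $san.Format($true) -split "`r?`n" |
            Where-Object { $_ -match '^DNS Name=' } |
            ForEach-Object { ($_ -replace '^DNS Name=', '').Trim() }
    }
    foreach ($name in @($VcsaFqdn, $VcsaShort)) {
        if ($dnsNames -notcontains $name) { $problems += "SAN is missing '$name'" }
    }
    if ($cert.SignatureAlgorithm.FriendlyName -match 'sha1') {
        $problems += "signed with $($cert.SignatureAlgorithm.FriendlyName); Chrome will reject it"
    }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += 'certificate expires within 30 days' }
    return $problems
}

Submit-VcsaCsr
Export-CaChainPem
$issues = Test-VcsaCert
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } }
else { Write-Host "OK: upload $Cer as Machine SSL Certificate and $Chain as chain of trusted root certificates" }
```

The script deliberately does nothing on the vCenter side: the private key stays in the VCSA, which is why the CSR must come from the vCenter wizard and why no new CSR may be generated before the upload. The chain file is written with the intermediates first and the root last, the order in which the chain was built; both certificates are present either way, which is what the trustAnchors check requires.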