Replace machine certificate in vSphere 7

Compared to posts that describe the same task in older versions, this will be a rather short one. Replacing vCenter certificates has become easier with every release, and it has never been as easy as it is now.

In vCenter 7 there is just one certificate to manage. Solution user certificates no longer have to be replaced separately; the corresponding options are marked as deprecated in 7.0. You can see this in the CLI certificate-manager as well. Compare the welcome screens of 6.7 and 7.0:

[Screenshot Replace_Cert_15: certificate-manager welcome screen in 6.7 and 7.0]

In vSphere 7.0 there is also a new GUI to replace this certificate. This post explains the steps to replace the vCenter machine SSL certificate with a certificate signed by a Windows CA (Active Directory Certificate Services). The private key stays on the VCSA throughout: the CSR is generated there, and only the request and the issued certificate travel between the appliance and the CA.

Steps for replacement

  1. Create a CSR (Certificate Signing Request) for the new certificate.
    To do so, go to Menu –> Administration –> Certificates –> Certificate Management and click ACTIONS in the __MACHINE_CERT box:
    [Screenshot Replace_Cert_05: ACTIONS menu of the __MACHINE_CERT box]
    Select Generate Certificate Signing Request (CSR) and fill in the requested data. Make sure to enter both the FQDN and the short hostname of vCenter (comma separated) in Subject Alternative Name, because current browsers match the hostname in the URL against the SAN entries, not against the Common Name. (A public CA would refuse a bare short hostname; an internal Windows CA issues it.)
    [Screenshot Replace_Cert_06: CSR form]
    When pressing Next, you have the option to copy the request to the clipboard or to download it.
    [Screenshot Replace_Cert_07: generated CSR]

    Download the file for use in the next step. Here: C:\Cert\vcsa.csr
  2. Create the new certificate on the Windows CA
    Up to now I used the Windows CA Web Enrollment site (https://CA_hostname/certsrv/) for this task, but I was told it is no longer maintained by Microsoft, so I switched to a supported method: the command line. Normally the request could be submitted with the Certification Authority MMC snap-in, but there you cannot specify the certificate template to use (see Notes). Therefore I use certreq. Full command to submit the request with the Web Server template:

    certreq.exe -submit -attrib "CertificateTemplate:WebServer" "C:\Cert\vcsa.csr"

    If more than one CA is reachable, certreq shows a CA picker dialog; add -config "CA_hostname\CA_name" to target a specific CA. The command opens a Save Certificate window for the issued certificate. I use: C:\Cert\vcsa-cert.cer. If the template requires CA manager approval, the request stays pending; issue it in the CA console and fetch it with certreq -retrieve and the RequestId. Note that the Web Server template takes the subject name from the request, so only trusted accounts should have Enroll permission on it.

  3. Export the CA root certificate
    The last piece we need is the CA root certificate (including the existing chain). Previously I used the Web Enrollment site for this as well; now we use the command line again. To export the CA certificate, run this command on the CA computer:

    certutil -ca.cert c:\Cert\root-cert.cer

    This writes the certificate in binary (DER) format, but vCenter wants Base64 (PEM, which is human readable). Therefore run this command to convert it:

    certutil -encode c:\Cert\root-cert.cer c:\Cert\root-cert-base64.cer

    certutil -ca.cert exports the certificate of the CA you run it on. If that CA is an intermediate CA, the root CA certificate has to be added to the chain file as well (see the Update note below).

  4. Replace the certificate
    The last step is to use the new wizard for certificate replacement. Click ACTIONS in the __MACHINE_CERT box again and select Import and Replace Certificate.
    [Screenshot Replace_Cert_08: Import and Replace Certificate]
    Select Replace with certificate generated from vCenter server. The wording is misleading, but it is meant for the case where vCenter created the CSR that was used to create the certificate, which is exactly what we did. With this option we do not need to supply a private key, because the key was created on the VCSA during CSR creation and never left the appliance.

    On the next page, select the appropriate files:
    [Screenshot: file selection in the replace wizard]
    Machine SSL Certificate –> vcsa-cert.cer
    Chain of trusted root certificates –> root-cert-base64.cer

    When everything works fine, all vCenter services are restarted and you see this:
    [Screenshot Replace_Cert_10: successful replacement]
    After a few minutes you should be able to log in to vCenter again. Verify the new certificate in the browser afterwards. Clients that do not trust your Windows CA (for example machines outside the domain) still need the CA certificate installed before they accept the new vCenter certificate.
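    Steps 2 and 3 as one PowerShell script, added here as an example that is not part of the original post: it submits the CSR to a named CA with the Web Server template, waits if the template needs CA manager approval, and then writes the issued certificate and the CA chain as Base64 (PEM) files, intermediate CA(s) first and root CA last. It assumes a domain-joined machine that already trusts the enterprise CA (so the chain can be built from the local trust store); the CA config string and the file paths are placeholders.

```powershell
# Added example, not from the original post: certreq/certutil steps 2 and 3 as a script.
# Assumptions: run on a domain-joined Windows machine that trusts the enterprise CA;
# $CAConfig ("host\CA name") and the paths are placeholders.
param(
    [string]$CsrPath  = 'C:\Cert\vcsa.csr',
    [string]$CertOut  = 'C:\Cert\vcsa-cert.cer',
    [string]$ChainOut = 'C:\Cert\root-cert-base64.cer',
    [string]$CAConfig = 'ca01.example.local\Example Issuing CA',   # hypothetical CA
    [string]$Template = 'WebServer'
)

# Encode a certificate as PEM (Base64 in 64-character lines), the format vCenter expects.
function ConvertTo-Pem([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    $b64   = [Convert]::ToBase64String($Cert.RawData)
    $lines = for ($i = 0; $i -lt $b64.Length; $i += 64) {
        $b64.Substring($i, [Math]::Min(64, $b64.Length - $i))
    }
    return "-----BEGIN CERTIFICATE-----`n$($lines -join "`n")`n-----END CERTIFICATE-----`n"
}

# Step 2: submit the CSR. -config avoids the CA picker dialog; -attrib sets the
# template, which the CA MMC snap-in cannot do (hence its "no template" denial).
$out = & certreq.exe -submit -config $CAConfig -attrib "CertificateTemplate:$Template" $CsrPath $CertOut | Out-String
if ($out -match 'RequestId:\s*(\d+)') { $reqId = $Matches[1] } else { throw "certreq -submit failed:`n$out" }

if ($out -match 'pending') {
    # The template requires CA manager approval: issue request $reqId on the CA, then fetch it.
    Read-Host "Request $reqId is pending. Issue it in the CA console, then press Enter" | Out-Null
    & certreq.exe -retrieve -config $CAConfig $reqId $CertOut | Out-Null
}
if (-not (Test-Path $CertOut)) { throw "No certificate was written to $CertOut (request $reqId)." }

# Re-save the leaf certificate as PEM regardless of how certreq encoded it.
$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertOut)
ConvertTo-Pem $leaf | Set-Content -Path $CertOut -Encoding Ascii -NoNewline

# Step 3: build the CA chain from the issued certificate via the local trust store.
# ChainElements is ordered leaf, intermediate(s), root.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # only the trust path matters here
if (-not $chain.Build($leaf)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    throw "Cannot build a trusted chain for $($leaf.Subject): $status"
}
$caCerts = @($chain.ChainElements | Select-Object -Skip 1 | ForEach-Object { $_.Certificate })
if ($caCerts.Count -eq 0) { throw 'The issued certificate has no issuer in the chain.' }
if ($caCerts[-1].Subject -ne $caCerts[-1].Issuer) { throw 'Chain does not end in a self-signed root CA.' }

# Chain file for "Chain of trusted root certificates": intermediate(s) first, root CA last.
($caCerts | ForEach-Object { ConvertTo-Pem $_ }) -join '' |
    Set-Content -Path $ChainOut -Encoding Ascii -NoNewline

Write-Host "Machine SSL certificate : $CertOut"
Write-Host "Chain file              : $ChainOut ($($caCerts.Count) CA certificate(s))"
$caCerts | ForEach-Object { Write-Host "  $($_.Subject)" }
```

    The chain is taken from the local Windows trust store instead of copying CA files by hand, which is why the submitting machine must trust the CA; on a machine that does not, fall back to certutil -ca.cert and certutil -encode as shown in step 3. The two output files map directly onto the two fields of the replace wizard in step 4.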

Notes

  • After this procedure you also see a new Trusted Root Certificate in Certificate Management: the CA certificate from the chain file.
  • If you try to replace the certificate this way without creating a CSR first, you will see this error:
    [Screenshot Replace_Cert_11]
    [Error occurred while fetching tls: Certificate not found for given ID (Certificate is not valid)]
  • To keep this workflow simple, you have to use the CSR to create the certificate, and you have to use exactly this certificate for the replacement. You must not create another CSR between certificate creation and replacement. If you do so, you will see this error:
    [Screenshot Replace_Cert_12]
    [Error occurred while fetching tls: Exception found (The provided MACHINE_SSL certificate and provided private key are not valid.)]

    This is because creating a CSR also creates a new private key on the VCSA. When you generate another CSR after the certificate was issued, the certificate no longer matches the current private key.

  • If you try to issue the certificate in the Certification Authority MMC snap-in, you get the following error, because the request carries no template information (see Step 2):
    [Screenshot Replace_Cert_14]
    [The request contains no certificate template information. 0x80094801 (-2146875391 CERTSRV_E_NO_CERT_TYPE) Denied by Policy Module 0x80094801, The request does not contain a certificate template extension or the CertificateTemplate request attribute.]
  • Even when the replacement works fine, your browser may still show certificate issues. This is a browser topic. For example, Chrome rejects certificates signed with SHA-1; if your CA still signs with SHA-1, the CA has to be switched to SHA-256 and the certificate re-issued.
    [Screenshot Replace_Cert_13: Chrome certificate warning]
    The same certificate is accepted by Internet Explorer.
  • [Update] If you are looking for the private key on the VCSA during this process, read here to learn more. The post is for 6.7.
  • [Update] If an intermediate CA issues your certificate, you need to create a certificate chain file in step 3 that contains both the intermediate and the root CA certificate. You can simply copy the Base64 .cer file contents of the intermediate and the root CA certificate into a single text file, in the order VMware KB 2112014 gives for Root64.cer: intermediate CA(s) first, root CA last. I normally use the file extension .pem.
    If the root certificate is missing from the chain during replacement, you will get the error:

    [Error occurred while fetching tls: the trustAnchors parameter must be non-empty]
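    As an added example that is not part of the original post, the following PowerShell script checks the two files before you click Replace, covering the failure modes listed in the notes and the comments: a chain file without a self-signed root (the trustAnchors error), a chain in the wrong order, a SAN that does not contain the vCenter FQDN, SHA-1 signatures and expired certificates. The file paths and the vCenter FQDN are assumptions; adjust them to your environment.

```powershell
# Added example, not part of the original post: pre-flight check of the two
# files the replace wizard asks for. Paths and the vCenter FQDN are placeholders.
param(
    [string]$MachineCert = 'C:\Cert\vcsa-cert.cer',
    [string]$ChainFile   = 'C:\Cert\root-cert-base64.cer',
    [string]$VcsaFqdn    = 'vcsa.example.local'   # hypothetical vCenter FQDN
)

# Return every certificate in a PEM file in file order, or the single
# certificate of a DER file (what certutil -ca.cert writes before -encode).
function Get-CertificatesFromFile([string]$Path) {
    $text   = Get-Content -Path $Path -Raw
    $blocks = [regex]::Matches($text, '-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----', 'Singleline')
    if ($blocks.Count -eq 0) {
        return ,(New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path))
    }
    foreach ($b in $blocks) {
        $der = [Convert]::FromBase64String(($b.Groups[1].Value -replace '\s', ''))
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$der)
    }
}

$problems = New-Object System.Collections.Generic.List[string]
$leafs = @(Get-CertificatesFromFile $MachineCert)
$chain = @(Get-CertificatesFromFile $ChainFile)

if ($leafs.Count -ne 1) {
    Write-Host "Machine SSL file must contain exactly one certificate, found $($leafs.Count)."
    exit 1
}
$leaf = $leafs[0]
$now  = Get-Date

# 1. Browsers match the URL host against the SAN, not the CN (step 1 of the post).
$san = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $san) {
    $problems.Add('Machine SSL certificate has no Subject Alternative Name extension.')
} elseif ($san.Format($false) -notmatch [regex]::Escape($VcsaFqdn)) {
    $problems.Add("SAN does not contain $VcsaFqdn (found: $($san.Format($false))).")
}

# 2. Validity window and SHA-1 signatures. Chrome rejects SHA-1; a self-signed
#    root's own signature is never verified by clients, so it is exempt.
foreach ($c in @($leaf) + $chain) {
    if ($now -lt $c.NotBefore -or $now -gt $c.NotAfter) {
        $problems.Add("$($c.Subject) is not valid now (NotBefore $($c.NotBefore), NotAfter $($c.NotAfter)).")
    }
    if ($c.Subject -ne $c.Issuer -and $c.SignatureAlgorithm.FriendlyName -match '^sha1') {
        $problems.Add("$($c.Subject) is signed with $($c.SignatureAlgorithm.FriendlyName).")
    }
}

# 3. Chain file: must end in a self-signed root (otherwise "the trustAnchors
#    parameter must be non-empty"), start with the issuer of the machine
#    certificate, and link every certificate to the next one.
if ($chain.Count -eq 0) {
    $problems.Add('Chain file contains no certificate.')
} else {
    $root = $chain[-1]
    if ($root.Subject -ne $root.Issuer) {
        $problems.Add("Last certificate in chain file is not a self-signed root CA: $($root.Subject)")
    }
    if ($leaf.Issuer -ne $chain[0].Subject) {
        $problems.Add("Machine certificate issuer '$($leaf.Issuer)' is not the first chain entry '$($chain[0].Subject)'. Wrong order?")
    }
    for ($i = 0; $i -lt $chain.Count - 1; $i++) {
        if ($chain[$i].Issuer -ne $chain[$i + 1].Subject) {
            $problems.Add("Chain link broken: '$($chain[$i].Subject)' is not issued by '$($chain[$i + 1].Subject)'.")
        }
    }
}

if ($problems.Count -eq 0) {
    Write-Host "OK: $MachineCert ($($leaf.Subject)) with $($chain.Count) CA certificate(s) in $ChainFile"
    exit 0
}
$problems | ForEach-Object { Write-Host "PROBLEM: $_" }
exit 1
```

    The chain checks compare issuer and subject names only; they catch a missing root and a wrong order, but they do not verify signatures. The script also cannot detect the "certificate and private key are not valid" error from the notes, because the private key never leaves the VCSA: the only protection against that one is not to generate a second CSR between issuing and importing the certificate.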

29 responses to “Replace machine certificate in vSphere 7”

  1. roydfreeman says:

    Your blog mentions that Solution User certificates have gone in 7.0 but they’re still in the 7.0 documentation (https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.authentication.doc/GUID-3AF7757E-A30E-4EEC-8A41-28DA72102520.html).

    Please could you clarify?
    Thanks

  2. Tony Hall says:

    Hi,

    How do you fix this error you have described above?

    Error occurred while fetching tls: Exception found (The provided MACHINE_SSL certificate and provided private key are not valid.)]

    Thanks

    • vNote42 says:

      Hi Tony!
      You should do these steps:
      1. create a CSR,
      2. create a Certificate using this CSR.
      When you did not create a CSR or you re-created a CSR and try to install the certificate that is based on the first CSR, you will get this error.
      When you create a CSR a private key is created as well. The certificate you try to install must match this key!
      I hope this helps.
      Regards
      Wolfgang

      • Tony Hall says:

        Thanks for the very prompt reply.

        I have been confused by certificate use for sometime because there seems to be contradictory advice. For example in VMware KB 2112014 it says

        “When using an external CA, the MACHINE_SSL_CERT needs to contain all certificate starting from root, like:
        machine_ssl.cer: This is a complete chain of leaf + intermediateCAs(if applicable) + rootCA
        Root64.cer: This is a chain of intermediateCAs(if applicable) + RootCA”

        regards

        Tony

        • vNote42 says:

          Hi Tony!

          This is true, the certificate you want to install must include the whole chain as well. In GUI you can put in machine- and root (incl chain) separately (Step: 4. Replace certificate). When you install certificate using CLI, just one file can be installed. In this case, certificate and chain needs to be copied into one file.

          Regards
          Wolfgang

  3. Simon Shaw says:

    This is straightforward but still not easy.
    We should be able to easily import wildcard certs, tie directly to Windows CA server etc. Lot of room for improvement I think.

  4. Maik says:

    Hello,

    I followed this blog and commands and end up with this error:

    Error occurred while fetching tls: the trustAnchors parameter must be non-empty

    Do someone know a solution for this?

    Many thanks
    Best regards
    Maik

    • vNote42 says:

      At which step do you get this error?

      • Maik says:

        When I entered the “machine ssl certificate” and “chain of trusted root certificate” and hit “Replace” back on the main page.

        • Jay says:

          Anyone figure this out? I am stuck in the same spot.

          • Maik says:

            Hello
            In my case I copied my certificates of the chain into a file and used this file for “chain of trusted root certificate”.
            At my first try the chain was in the wrong order, so I swapped it and it worked.

            Hope that helps.
            Best regards
            Maik

  5. Dino says:

    I also get:

    Error occurred while fetching tls: the trustAnchors parameter must be non-empty

    cannot find a solution at all…does anyone have any clue?

    Dino

  6. Paul N. says:

    So I performed a VCSA upgrade from 6.5 to 7.0 then migrated the settings in phase 2 from my old vCenter to the new vCenter. Everything worked fine, however the new vCenter is named slightly differently from the old vCenter. This caused me to get the following message “Error occurred while fetching tls: Invalid input certificate: The Subject of the provided certificate does not contain the correct CN value”. Any ideas on that? Maybe it doesn’t like my new vCenter’s name?

  7. bystand says:

    Thanks for the article, I find it weird that I find no VMware KB on this.
    For those with less experience with vSphere, can you change “To do so, go to Menu –> Certificate Management” to say the full path there? It is Menu -> Administration -> Certificates -> Certificate Management.

  8. Reinhard says:

    Hi,
    I tried to replace as described, but I get this error, when pushing the replace button:
    error occurred while fetching tls: string index out of range: -1

    Did anyone get this error?
    Thank you

  9. Monty says:

    Thanks for writing simple instructions that VMWare seems incapable of typing!!

  10. Wayne says:

    Beautiful, I was getting mixed up using the web interface, wasn’t sure what was vcsa cert and what was root. The command line made it way easier. Thanks!

  11. Øystein Kleppestrand says:

    I think I am lacking some understanding of how certificates and chains work.

    I have followed the instructions and created two certificates.
    But I get the error mentioned in the Update section when I run the Replace procedure in vCenter
    [Error occurred while fetching tls: the trustAnchors parameter must be non-empty]

    Can someone explain to me how the root and intermediate CA certificate works?

    (Running vcenter 7.0.3 on 6.5 esxi hosts)

    • vNote42 says:

      Hi!

      Simply said, a certificate chain contains each certificate from the root to the last issuing certificate authority (CA). Normally there is a root CA and intermediate CAs. Root trusts intermediate and vice versa.
      https://support.dnsimple.com/articles/what-is-ssl-certificate-chain/

      A valid chain contains the certificate of each intermediate CA and the certificate of the root CA. In the context here it means you copy and paste each certificate (root and intermediates) of the chain into a single file.

      Hope this helps your understanding.
