How to do it...

The following steps will help you make VMCA act as an intermediary for issuing trusted certificates in your environment:

  1. SSH (PuTTY) into the VCSA as root.
  2. Change the default shell to bash to allow file transfers using WinSCP.
  3. Make a temporary directory to store the certificate requests and certificates:
# mkdir /tmp/certs
  4. Start the certificate manager utility, /usr/lib/vmware-vmca/bin/certificate-manager, and use option 2, Replace VMCA Root certificate with Custom Signing Certificate and replace all Certificates.
  5. Use option 1, Generate Certificate signing Request(s) and Key(s) for VMCA Root Signing Certificate, to generate the CSR and the key. Here is a list of the essential prompts:
    • Enter proper value for 'Name' [Previous value: CA]: FQDN/host name of the node
    • Enter proper value for 'Hostname': FQDN of the node
    • Enter proper value for VMCA 'Name': FQDN of the node
  6. Do not exit the certificate-manager or close the SSH session yet.
  7. Start another SSH session on the VCSA and verify the /tmp/certs directory. It will contain a .csr and a .key file. Use WinSCP to copy the files onto your desktop or jumpbox.
  8. Connect to your PKI certificate server portal and download the CA root certificate.
  9. Generate a new certificate from your PKI using the vmca_issued_csr.csr CSR.
  10. Create a certificate chain by combining the newly generated certificate and the root CA certificate in the following order:
-----BEGIN CERTIFICATE-----
Newly generated certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Root CA certificate
-----END CERTIFICATE-----
  11. Copy the chain certificate file into the VCSA's /tmp/certs directory using WinSCP.
  12. Return to the utility and select Continue to importing Custom certificate(s) and key(s) for VMCA Root Signing Certificate. Provide the full paths to the new certificate chain and key files.
  13. Once the operation is complete, the tool reports this and automatically exits certificate-manager.

This completes the process of replacing vCenter/PSC certificates by making the VMCA a subordinate certificate authority.
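Before handing the chain file and key to certificate-manager, it is worth assembling the chain in the required order (new certificate first, root CA last) and checking it from the same shell. The script below is an added example, not the book's own commands; it assumes openssl is on the VCSA and uses the file names vmca.pem (certificate returned by the PKI), root.pem, vmca.key and chain.pem as placeholders.

```shell
# Added example, not from the book: assemble the signing-certificate chain in
# the order the utility expects (new certificate first, root CA last) and
# sanity-check it before giving certificate-manager the file paths.
# File names (vmca.pem, root.pem, vmca.key, chain.pem) are assumptions.

# Count PEM certificate blocks in a file.
pem_count() {
  grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# Write the new certificate ($1), then the root CA ($2), into $3.
# Refuses inputs that do not hold exactly one certificate each.
build_chain() {
  [ "$(pem_count "$1")" -eq 1 ] || { echo "$1: expected one certificate" >&2; return 1; }
  [ "$(pem_count "$2")" -eq 1 ] || { echo "$2: expected one certificate" >&2; return 1; }
  cat "$1" "$2" > "$3"
}

# The key generated in /tmp/certs must belong to the certificate the PKI
# returned; compare the public keys instead of trusting the file names.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$2" -pubout | openssl dgst -sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# Check the assembled chain ($1) against the root ($2): exactly two blocks,
# the first block is not self-signed (so the root was not put first), it
# validates against the root, and it is a CA certificate, since VMCA will
# sign with it and needs basicConstraints CA:TRUE.
verify_chain() {
  [ "$(pem_count "$1")" -eq 2 ] || return 1
  leaf_issuer=$(openssl x509 -in "$1" -noout -issuer)
  leaf_subject=$(openssl x509 -in "$1" -noout -subject)
  [ "${leaf_issuer#issuer=}" != "${leaf_subject#subject=}" ] || return 1
  openssl x509 -in "$1" | openssl verify -CAfile "$2" >/dev/null 2>&1 || return 1
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}
```

Run build_chain vmca.pem root.pem chain.pem, then key_matches_cert vmca.pem vmca.key and verify_chain chain.pem root.pem; a non-zero exit from either check means the files are not ready for the import step.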
