The following steps make the VMCA act as an intermediate (subordinate) certificate authority that issues trusted certificates in your environment:
- SSH (putty) into the VCSA as root.
- Change the default shell to bash to allow file transfers using WinSCP.
- Make a temporary directory to store the certificate requests and certificates:
# mkdir /tmp/certs
- Start the certificate manager utility, /usr/lib/vmware-vmca/bin/certificate-manager, and use option 2, Replace VMCA Root certificate with Custom Signing Certificate and replace all Certificates.
- Use option 1, Generate Certificate signing Request(s) and Key(s) for VMCA Root Signing Certificate, to generate the CSR and the key. Answer the essential prompts as follows:
  - Enter proper value for 'Name' [Previous value: CA]: FQDN/host name of the node
  - Enter proper value for 'Hostname': FQDN of the node
  - Enter proper value for VMCA 'Name': FQDN of the node
- Do not exit the certificate-manager or close the SSH session yet.
- Start another SSH session on the VCSA and check the /tmp/certs directory: it will contain a .csr and a .key file. Use WinSCP to copy both files to your desktop or jump box.
- Connect to your PKI certificate server portal and download the CA root certificate.
- Generate a new certificate from your PKI using the vmca_issued_csr.csr CSR.
- Create a certificate chain file by combining the newly issued certificate and the root CA certificate, in the following order:
-----BEGIN CERTIFICATE-----
Newly issued certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Root CA certificate
-----END CERTIFICATE-----
- Copy the chain file into the VCSA's /tmp/certs directory using WinSCP.
- Return to the certificate-manager session and select Continue to importing Custom certificate(s) and key(s) for VMCA Root Signing Certificate. Provide the full paths to the new chain file and the key file.
- Once the operation completes, the utility reports success and exits automatically.
This completes the process of replacing vCenter/PSC certificates by making the VMCA a subordinate certificate authority.
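A helper for the chain-building and import steps above, written as an added example (it is not part of the original procedure or of certificate-manager): it writes the chain in the required order and checks, before import, that the first certificate was issued by the root, is a CA certificate, and matches the key. The file names issued.crt, root.crt and vmca_issued_key.key are assumptions; vmca_issued_csr.csr is the CSR name the steps mention, and openssl is assumed to be available.

```shell
#!/bin/sh
# Added example, not part of the original procedure or of certificate-manager:
# build the chain file in the order the steps require (issued certificate first,
# root CA second) and sanity check it against the key before import.
# Assumed file names: issued.crt (certificate returned by your PKI), root.crt
# (PKI root) and vmca_issued_key.key (the key written by certificate-manager);
# vmca_issued_csr.csr is the CSR name the steps mention. Needs openssl.

# build_chain ISSUED ROOT OUT -> writes the two certificates in the required order.
build_chain() { cat "$1" "$2" > "$3"; }

# check_chain CHAIN KEY ROOT -> returns 0 only when all three hold:
#  1. the first PEM block in CHAIN verifies against ROOT (so the issued
#     certificate comes first and was really signed by this root), rc=1 if not,
#  2. that certificate carries basicConstraints CA:TRUE (VMCA will sign with
#     it; a plain server certificate is rejected here, rc=2),
#  3. KEY is the private key belonging to that certificate (rc=3 otherwise).
check_chain() {
  chain=$1; key=$2; root=$3; rc=0
  leaf=$(mktemp)
  awk '/BEGIN CERTIFICATE/{n++} n==1' "$chain" > "$leaf"   # first block only
  if ! openssl verify -CAfile "$root" "$leaf" >/dev/null 2>&1; then rc=1
  elif ! openssl x509 -in "$leaf" -noout -text | grep -q 'CA:TRUE'; then rc=2
  elif [ "$(openssl pkey -in "$key" -pubout 2>/dev/null)" != \
         "$(openssl x509 -in "$leaf" -noout -pubkey)" ]; then rc=3
  fi
  rm -f "$leaf"
  return $rc
}

# make_fixture DIR -> constructed test material (throwaway root CA plus a
# subordinate CA certificate issued from it) so the checks can run offline.
make_fixture() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj /CN=ConstructedRoot \
    -keyout "$1/root.key" -out "$1/root.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj /CN=vcsa.example.invalid \
    -keyout "$1/vmca_issued_key.key" -out "$1/vmca_issued_csr.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1/ca.ext"
  openssl x509 -req -in "$1/vmca_issued_csr.csr" -CA "$1/root.crt" -CAkey "$1/root.key" \
    -CAcreateserial -days 1 -extfile "$1/ca.ext" -out "$1/issued.crt" 2>/dev/null
}

# Demo run on constructed material; on a real VCSA point the paths at /tmp/certs.
d=$(mktemp -d)
make_fixture "$d"
build_chain "$d/issued.crt" "$d/root.crt" "$d/vmca_chain.crt"
check_chain "$d/vmca_chain.crt" "$d/vmca_issued_key.key" "$d/root.crt" \
  && echo "chain OK, import $d/vmca_chain.crt and $d/vmca_issued_key.key"
```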