Secure access to VMware vCenter Server (VCSA) over HTTPS (in a multi-site infrastructure) on VMware vSphere 6.7

8. Renew SSL certificates used internally by VMware vSphere (optional)

On your 1st VMware vCenter Server (VCSA), you can renew certificates used internally by clicking the "Renew All" link next to "Solution Certificates".

The message “Success, 4 certificates renewed” appears.

Do the same on your 2nd VMware vCenter Server (VCSA).

The message “Success, 4 certificates renewed” appears.

9. Export the certificate of your certification authorities

So that the new certificates for your VMware vCenter Servers (VCSA) can be used without any problem, you must add the certificate of your certification authorities in the "Trusted Root Certification Authorities" section of them.
To do this, start by exporting the certificate of your root certification authority.

You can find it on your root certificate authority (although it is likely offline if you have followed Microsoft best practices) or in the "Trusted Root Certification Authorities" certificate store on any computer or server who already trusts it.
To export it, simply right-click "All Tasks -> Export" on this certificate.

Export it in "base 64 (*.cer)" format.

Choose where and under what name you want to export it.

Next, export your secondary certificate authorities' certificate from the "Intermediate Certification Authorities" certificate store on that same computer or server.

Once the certificates are exported, you will get this.

In our case :

• iw-brux-sub-ca.cer: the certificate from our secondary certification authority in Brussels
• iw-brux-paris-ca.cer: the certificate from our secondary certification authority in Paris
• iw-root-ca.cer: the certificate of our autonomous root certification authority (which in our case is located at our company headquarters in Brussels)

10. Add your certificate authorities' certificate to your vCenter Server's trusted root certificates (VCSA)

Now that you have the public certificates for your certificate authorities, go to your vCenter Server Certificate Management (VCSA) and add them to the "Trusted Root Certificates" section.

On each of your VMware vCenter Servers (VCSA), add your standalone root certificate authority certificate.

Next, on each of your VMware vCenter Server (VCSA) servers, add the certificate of your 1st secondary certificate authority.

As well as that of the 2nd secondary certification authority.

In fact, your 2 VMware vCenter Server (VCSA) servers share the same VMware vSphere SSO domain (vsphere.local) thanks to ELM mode.
However, given that the certificates of your 2 servers ("brux-vcsa" and "paris-vcsa" in our case) are signed by different secondary certification authorities, we recommend that you add the certificates of these 2 secondary certification authorities to avoid having problems connecting to VCSA later.

On our first VMware vCenter Server (VCSA) we have 5 approved certificates:

• the certificate of the “VMCA” certification authority of your VMware vCenter Server (VCSA).
• the certificate of the "VMCA" certification authority of the remote VMware vCenter Server (VCSA) linked to yours using ELM mode.
• the certificate of your standalone root certification authority (in our case: InformatiWeb Root CA (Brux)).
• the certificate of your 2 secondary company certification authorities (in our case: InformatiWeb Sub CA (Brux) and InformatiWeb Sub CA (Paris)).

If you click on the "View details" link for the last 3 certificates visible above, you will see that this is the certificate for your standalone root CA.
In our case: InformatiWeb Root CA (Brux).

The certificate from your 1st enterprise secondary certificate authority.
In our case, that of our secondary certification authority "InformatiWeb Sub CA (Brux)" which was issued by our standalone root certification authority "InformatiWeb Root CA (Brux)".

The certificate from your 2nd secondary enterprise certificate authority.
In our case, that of our secondary certification authority "InformatiWeb Sub CA (Paris)" which was issued by our standalone root certification authority "InformatiWeb Root CA (Brux)".

11. Update the SSL certificate used by VMware vCenter Server (VCSA)

For changes to the various certificates of your VMware vCenter Server (VCSA) to take effect, you must restart your VCSA server.
However, to make this faster, we recommend restarting only the VCSA services rather than restarting the virtual machine from your VMware ESXi host.

To do this, connect to your 2 VMware vCenter Server (VCSA) servers via SSH and access the Linux Shell by typing:

Plain Text

shell

Then restart all VCSA services using the commands:

Bash

service-control --stop --all
service-control --start --all

Warning : if you use the "Mozilla Firefox" web browser, be aware that it uses a certificate store different from that of your computer or server.
You will therefore have to import the certificate of your different certification authorities (the root CA and the secondary CAs) so that it can consider the certificates emanating from your certification authorities as valid (if this is the case).

Once you reconnect to one of your VMware vCenter Servers (VCSA), you will see an error and warnings appear.

Plain Text

Certificate status.
VMware vAPI Endpoint Service Health Alarm
vCenter Server Health Alarm

This is due to the change of the machine certificate of your VMware vCenter Server (VCSA), as well as the restart of this VCSA server.

Click the "Reset to Green" links to ignore this error and warnings and stop them from appearing.

Note that your web browser no longer displays a warning about your VMware vCenter Server (VCSA) certificate.

If we check the certificate of our server "brux-vcsa" (which is located in Brussels), we can see that it was issued by our secondary certificate authority "InformatiWeb Sub CA (Brux)" (also located in Brussels) .

If we check the certificate of our server "paris-vcsa" (which is located in Paris), we can see that it was issued by our secondary certificate authority "InformatiWeb Sub CA (Paris)" (also located in Paris) .