To submit the certificate request generated from your VMware vCenter Server (VCSA), you will need to connect to your certificate authority's web interface on Windows Server.
To do this, connect to the address "https://[domain name or IP address of the server where the Certification Authority role is installed]/CertSrv".
Which gives in our case "https://ad.informatiweb.lan/CertSrv".
Use the Administrator account for your domain which, by default, is allowed to enroll (generate) certificates using the certificate template created previously.
Otherwise, modify the certificate template created previously and add the desired user in the "Security" tab of it and add the "Read" and "Enroll" rights to it.
If this web interface is not available in your case, it is because the "Certificate Authority Enrollment via Web" role service of the "Active Directory Certificate Services" role is not installed in your case .
If so, install it and refer to the "Install the web interface of the certification authority" step of our tutorial on creating an enterprise root certificate authority (if necessary) .
On the "Microsoft Active Directory Certificate Services - [name of your certificate authority]" web page that appears, click the "Request a certificate" link.
Then click: advanced certificate request.
Paste the certificate request generated by your VMware vCenter Server (VCSA), select the "vSphere 6.x" certificate template created previously and click Submit.
Note: if this model does not appear in your case:
If the operation is successful, the message "Certificate issued" appears.
Select the "Base 64 encoded" option to obtain the certificate in PEM format and click on "Download certificate chain" to obtain the certificate issued for your VMware vCenter Server (VCSA), as well as all parent certificates (the or the various parent certification authorities) to comply with the prerequisites requested by VMware.
Indeed, if a certificate from the chain of trust is missing, the certificate will be considered invalid.
Your web browser will prompt you to download a certificate named: certnew.p7b.
In our case, we saved it under the name: vcsa-cert-full-chain.p7b.
As you can see, Windows 10 recognizes that this is a PKCS #7 certificate.
If you double-click on this ".p7b" file, you will see that this file actually contains all the certificates from the chain of trust necessary to verify the validity of the downloaded certificate.
In our case, it contains 2 certificates:
A little later in this tutorial, you will see that VMware vCenter Server expects a certificate chain in ".cer", ".pem" or ".crt" format.
You will therefore need to convert this ".p7b" file to ".cer" format.
To do this, download OpenSSL, unzip the downloaded file and copy the contents of the "bin" folder into the "C:\OpenSSL" folder that you need to create.
Next, open a command prompt and type this to convert the ".p7b" certificate to ".cer" format:
Batch
cd C:\OpenSSL openssl pkcs7 -print_certs -in C:\Users\Administrator\Downloads\vcsa-cert-full-chain.p7b -out C:\Users\Administrator\Downloads\vcsa-cert-full-chain.cer
Once the OpenSSL command is executed, you will see a new certificate in ".cer" format appear next to the ".p7b" file.
When you generate the certificate signing request (CSR) from the web client "VMware vSphere Client" of your VMware vCenter Server, the private key is generated on the virtual hard disk of this server.
However, this web client does not provide a link to download it easily.
You will therefore need to activate the SSH protocol of your VMware vCenter Server (VCSA) and connect to it via PuTTY (for example) to obtain it from the command line.
Log in as root and use the Linux shell by typing the "shell" command.
Indeed, by default, you are in the shell of the VCSA appliance and not the Linux BASH Shell.
Bash
shell
Then type the command:
Bash
/usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store MACHINE_SSL_CERT --alias __MACHINE_CSR
Note: If you have a VMware vCenter Server running Windows Server, simply replace "/usr/lib/vmware-vmafd/bin/vecs-cli" with "vecs-cli.exe" in the command above.
The program "vecs-cli.exe" is located in the folder "C:\Program Files\VMware\vCenter Server\vmafdd".
The private key you need appears.
Copy this text including the beginning "BEGIN PRIVATE KEY" line and the ending "END PRIVATE KEY" line.
Plain Text
-----BEGIN PRIVATE KEY----- xxxxxxxxxxxxxxxxxxxxxxxxxxxx... -----END PRIVATE KEY-----
Note: to copy this text with PuTTY, select the text (and leave it selected).
Then open notepad and paste the text (automatically copied when selecting this text in PuTTY).
Save this text file under the name: vcsa-private-key.key.
VMware 11/2/2022
VMware 8/16/2024
VMware 3/6/2024
VMware 10/30/2024
Pinned content
Contact
® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.
Total or partial reproduction of this site is prohibited and constitutes an infringement punishable by articles L.335-2 and following of the intellectual property Code.
No comment