By default, web access to your VMware vCenter Server (VCSA) is protected with an SSL certificate that is issued by a "VMCA" certification authority that is not recognized by your computer.
To find out more, refer to our previous tutorial: VMware vSphere 6.7 - Secure access to VMware vCenter Server (VCSA) over HTTPS.
By default, when you access the web interface of your VMware vCenter Server (VCSA), a warning is displayed because the issuer of the certificate used is unknown.
If you click on "Show certificate", you will see that this certificate was issued by "CA vsphere local", which corresponds to the VMCA certificate authority automatically created on your VMware vCenter Server (VCSA) during the installation of your server.
You can also check this by going to the VMware vSphere Client menu, then in: Administration -> Certificates -> Certificate Management -> Trusted Root Certificates.
As you can see, the only certificate in this section is that of VMCA whose name is "CA" and which corresponds to the issuer of the certificate used by VMware vSphere Client by default.
To generate a certificate that will be valid for your VMware vCenter Server, you must create a new certificate template on your certificate authority on Windows Server.
To do this, refer to step "3. Create a certificate template for the VMware vCenter Server machine certificate" of our previous tutorial.
Once this template has been created and added to the certificate templates to be issued, you will see this new "vSphere 6.x" template appear in the list of certificate templates for your certification authority.
To secure your VMware vCenter Server (VCSA) from the command line, SSH must be enabled on your VCSA server.
To do this, open the "Appliance Management" page at the address: https://[domain name of your VCSA server]:5480/ui/.
Which gives in our case: https://vcsa.informatiweb.lan:5480/ui/.
On the "Appliance Management" page that appears, log in as root, then go to the "Access" section.
The "SSH" access setting must be enabled. If not, click Edit.
Enable the "Enable SSH Login" setting and click OK.
To get started, SSH into your VMware vCenter Server (VCSA).
On Windows you can use PuTTY (for example).
Log in as "root" and use the "shell" command to access the BASH (Linux) shell of your VMware vCenter Server Appliance (VCSA) server.
Indeed, by default, you are in the shell of the VCSA appliance and not that of Linux.
```bash
shell
```
To get started, create a "certs" folder in the root of your VCSA server where you can later store the certificate request (CSR), associated private key, and necessary certificates.
```bash
mkdir /certs
```
Next, launch the VCSA (VMware vCenter Server Appliance) certificate manager and choose option 1 (Replace Machine SSL certificate with Custom Certificate).
This will allow you to replace only the certificate protecting the web client (VMware vSphere Client) of your VMware vCenter Server (VCSA).
```bash
/usr/lib/vmware-vmca/bin/certificate-manager
```
```text
*** Welcome to the vSphere 6.7 Certificate Manager ***
-- Select Operation --
1. Replace Machine SSL certificate with Custom Certificate
...
Option[1 to 8]: 1
```
Specify the credentials of a vCenter account in your vSphere SSO domain that is authorized to perform certificate operations.
For example: the "administrator@vsphere.local" account created by default during the installation of VMware vCenter Server (VCSA).
```text
Please provide valid SSO and VC privileged user credential to perform certificate operations.
Enter username [Administrator@vsphere.local]:
Enter password:
```
Select option 1 to generate a certificate request for the machine SSL certificate.
```text
1. Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate.
2. Import custom certificate(s) and key(s) to replace existing Machine SSL certificate.
Option [1 or 2]: 1
```
Indicate the path to the "certs" folder created previously.
As instructed by the wizard, the Certificate Request (CSR) and associated private key will be created in this folder.
```text
Please provide a directory location to write the CSR(s) and PrivateKey(s) to:
Output directory path: /certs
```
To create the certificate request, you will need to provide the following information:
Once all of this information has been entered, you will see that two commands are executed:
As you can see, the generated private key and certificate request (CSR) were created in your folder: /certs.
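Before you later import the certificate issued by your Windows CA (option 2 of the certificate manager), it is worth checking that the files in /certs fit together: the issued certificate must belong to the private key generated with the CSR, chain to the CA root you will import as trusted, and carry the VCSA FQDN. The following POSIX shell function is an added example, not code from this tutorial or from VMware's tooling; it relies on the openssl binary present on the VCSA shell, and the file names in the usage comment are placeholders for whatever names certificate-manager and your CA produced.

```shell
#!/bin/sh
# Added example: sanity-check a Machine SSL bundle before importing it.
# Usage (placeholder file names):
#   check_machine_ssl_bundle /certs/<private key> /certs/<issued cert> \
#                            /certs/<CA chain> vcsa.informatiweb.lan
check_machine_ssl_bundle() {
  key="$1" cert="$2" chain="$3" fqdn="$4"

  for f in "$key" "$cert" "$chain"; do
    [ -r "$f" ] || { echo "FAIL: cannot read $f" >&2; return 1; }
  done
  openssl pkey -in "$key" -noout 2>/dev/null \
    || { echo "FAIL: $key is not a readable private key" >&2; return 1; }

  # 1. Key/certificate pairing: hash the public key derived from the
  #    private key and the one embedded in the certificate; they must match.
  key_pub=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null | openssl sha256)
  crt_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null \
            | openssl pkey -pubin -outform DER 2>/dev/null | openssl sha256)
  if [ "$key_pub" != "$crt_pub" ]; then
    echo "FAIL: $cert was not issued for the public key in $key" >&2
    return 1
  fi

  # 2. Chain of trust: the certificate must validate against the CA root
  #    (plus any intermediates) that you will also add as trusted roots.
  if ! openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1; then
    echo "FAIL: $cert does not chain to $chain" >&2
    return 1
  fi

  # 3. Name binding: the VCSA FQDN must be covered by the SAN/CN, otherwise
  #    browsers keep warning after the replacement.
  if ! openssl x509 -in "$cert" -noout -checkhost "$fqdn" 2>/dev/null \
       | grep -q ' does match '; then
    echo "FAIL: $cert is not valid for host $fqdn" >&2
    return 1
  fi

  echo "OK: $cert matches $key, chains to $chain and covers $fqdn"
  return 0
}

# Run the check when invoked directly with four arguments.
if [ "$#" -eq 4 ]; then
  check_machine_ssl_bundle "$@"
fi
```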