Replacing default certificates in vSphere 6 – Part 1

We all know that SSL certificates enable secure communication between a browser and a web server. During the initial setup, all the VMware components are installed with self-signed certificates, and it is a best practice to replace these default certificates with custom CA-signed certificates. Replacing the default certificates in vSphere 6 is very simple compared to the tedious process in the previous versions of vSphere (5.1 and 5.5).

To make it easier to follow, I will be splitting the whole process into smaller parts across multiple posts.

The first part covers the creation of a CA template on the Active Directory Certificate Services (ADCS) server. Note that we will not cover the installation of the CA server itself here; we start from the step where we create a specific template for signing the certificates.

To begin with, connect to the CA server over an RDP session using an account that has administrator privileges.

Go to Start > Run and type certtmpl.msc to open the Certificate Templates console on the CA. Right-click the Web Server template and select “Duplicate Template” as shown below.

[Screenshot: VC_SSL_Replace_Temp_1]

In the Duplicate Template window, select Windows Server 2003 Enterprise for backward compatibility. Go to the General tab and name the template “vSphere 6.0”.

Leave the validity period at its default unless you want to change it to more than 2 years.

[Screenshot: VC_SSL_Replace_Temp_2]

Click the Extensions tab. Select Application Policies and click Edit. Select Server Authentication and click Remove.

[Screenshot: VC_SSL_Replace_Temp_3]

Now select Key Usage and click Edit. Select the “Signature is proof of origin (non-repudiation)” option and leave the other options at their defaults.

[Screenshot: VC_SSL_Replace_Temp_4]

Click the Subject Name tab. Ensure that the “Supply in the request” option is selected, then save the template.

[Screenshot: VC_SSL_Replace_Temp_6]

We now have a template that can be used to sign all the vSphere certificates. Next, we have to publish this template so that it appears in the CA's list of available certificate templates.

To do that, open the Certification Authority console (certsrv.msc) on the CA server.

Once the console opens, expand the CA server, right-click Certificate Templates and select New > Certificate Template to Issue.

[Screenshot: VC_SSL_Replace_Temp_7]

Select the vSphere 6.0 template we created in the previous steps.

[Screenshot: VC_SSL_Replace_Temp_8]

This completes the steps that need to be performed on the CA server. We will look at how the certificates are replaced in the upcoming posts.
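Before moving on, it is worth confirming from the command line that the template really carries the settings configured above and that the CA has published it. The following PowerShell is an added check, not part of the original post or the VMware article; it assumes the ActiveDirectory RSAT module is installed, that the template display name is “vSphere 6.0”, and that it runs as a domain user who can read the Configuration partition.

```powershell
# Added check: read the "vSphere 6.0" template object from the AD Configuration
# partition and compare it against the settings made in the Certificate Templates console.
Import-Module ActiveDirectory

$TemplateName = 'vSphere 6.0'   # display name given on the General tab (assumed)
$configNC     = (Get-ADRootDSE).configurationNamingContext
$pkiBase      = "CN=Public Key Services,CN=Services,$configNC"

# Templates are pKICertificateTemplate objects; match on the display name.
$tpl = Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" `
        -LDAPFilter "(&(objectClass=pKICertificateTemplate)(displayName=$TemplateName))" `
        -Properties cn, pKIKeyUsage, pKIExtendedKeyUsage, 'msPKI-Certificate-Application-Policy', `
                    'msPKI-Certificate-Name-Flag', pKIExpirationPeriod
if (-not $tpl) { throw "Template '$TemplateName' not found in Active Directory" }

# Key Usage is an X.509 bit string: byte 0, bit 0x40 = nonRepudiation
# ("Signature is proof of origin").
$nonRepudiation = ($tpl.pKIKeyUsage[0] -band 0x40) -ne 0

# msPKI-Certificate-Name-Flag bit 0x1 = CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT ("Supply in the request").
$subjectFromRequest = ($tpl.'msPKI-Certificate-Name-Flag' -band 0x1) -ne 0

# The post removes Server Authentication (OID 1.3.6.1.5.5.7.3.1) from Application Policies;
# the console writes both the EKU and the application-policy attribute, so check both.
$serverAuthOid     = '1.3.6.1.5.5.7.3.1'
$serverAuthRemoved = ($tpl.pKIExtendedKeyUsage -notcontains $serverAuthOid) -and
                     ($tpl.'msPKI-Certificate-Application-Policy' -notcontains $serverAuthOid)

# pKIExpirationPeriod is a negative little-endian int64 in 100-ns units; convert to days.
$validityDays = [math]::Round([math]::Abs([BitConverter]::ToInt64($tpl.pKIExpirationPeriod, 0)) / 864000000000)

# A template is only issuable once its CN is listed in a CA's certificateTemplates attribute
# (this is what "Certificate Template to Issue" writes).
$cas = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
        -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties cn, certificateTemplates
$publishedOn = $cas | Where-Object { $_.certificateTemplates -contains $tpl.cn } |
               Select-Object -ExpandProperty cn

[pscustomobject]@{
    Template           = $tpl.cn
    NonRepudiation     = $nonRepudiation      # expected: True
    SubjectFromRequest = $subjectFromRequest  # expected: True
    ServerAuthRemoved  = $serverAuthRemoved   # expected: True
    ValidityDays       = $validityDays
    PublishedOnCA      = ($publishedOn -join ', ')
}
```

Because “Supply in the request” lets the requester choose the Subject, keep the Enroll permission on this template limited to the account that will submit the vSphere CSRs (the Security tab of the template). The script reports only what is stored in AD; it does not change anything.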

There is a VMware article that explains this procedure; the link can be found here.
