Replacing default certificates in vSphere 6 – Part 2

This is the second blog post in the Replacing default certificates in vSphere 6 series. The first post can be found here.

In this blog post we take a look at how to obtain the CA certificate from the certificate authority (CA).

Now that we have a CA up and running and the certificate template created for vSphere 6, we can go ahead and download the CA root certificate, which we will be using to generate the signing request for vSphere components.

Log in to the CA server through a web browser by pointing it to https://<CA-Server>/certsrv. Then click on the Download a CA certificate, certificate chain, or CRL option.

In the next window, select the radio button Base 64 and click on Download CA certificate chain.

This will save the certificate chain in the .p7b format. Save it, open it with the certificate viewer tool, and then export the certificate to the .cer format. The .p7b file is a chain and cannot be used in the process of signing the request or replacing the certificates.

The exported certificate has to be saved at a location (C:\Certs in our case) so we can use it later. This folder is created on the PSC machine, as we will be replacing the certificates in the PSC first and then proceeding on to the vCenter server.
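
A scripted equivalent of the export step above, as an added example that is not part of the original post: it reads every certificate in the downloaded .p7b, writes each one as a Base64 .cer file, and prints the thumbprint so the root can be compared against the certificate shown on the CA server before it is trusted. The input file name `certnew.p7b`, the output names `root.cer` / `intermediateN.cer`, and the choice of Base64 encoding are assumptions; only the `C:\Certs` folder comes from this post.

```powershell
# Added example: paths and file names are assumptions, adjust to your environment.
$p7bPath = 'C:\Certs\certnew.p7b'   # assumed name of the chain downloaded from /certsrv
$outDir  = 'C:\Certs'               # folder used in this post

# Load every certificate contained in the PKCS#7 chain file.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$chain.Import($p7bPath)
if ($chain.Count -eq 0) { throw "No certificates found in $p7bPath" }

$certType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert
$index = 0

foreach ($cert in $chain) {
    # A root CA certificate is self-issued: subject and issuer are identical.
    if ($cert.Subject -eq $cert.Issuer) {
        $name = 'root'
    } else {
        $name = "intermediate$index"
        $index++
    }

    # Export the DER bytes and wrap them as a Base64 (PEM-style) .cer file.
    $b64 = [Convert]::ToBase64String(
        $cert.Export($certType),
        [Base64FormattingOptions]::InsertLineBreaks)
    $pem = "-----BEGIN CERTIFICATE-----`r`n$b64`r`n-----END CERTIFICATE-----"

    $outFile = Join-Path $outDir "$name.cer"
    Set-Content -Path $outFile -Value $pem -Encoding Ascii

    # Emit a summary row; verify the root thumbprint against the CA out of band.
    [pscustomobject]@{
        File           = $outFile
        Subject        = $cert.Subject
        NotAfter       = $cert.NotAfter
        SHA1Thumbprint = $cert.Thumbprint
    }
}
```

With a single-tier CA the chain contains only the root, so only `root.cer` is written; with a subordinate CA each intermediate is written to its own file.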

Now we can proceed to the next step, which is generating the signing requests for the PSC and getting them signed by the CA.
