Replacing default certificates in vSphere 6 – Part 3

This is the third blog post in the Replacing default certificates in vSphere 6 series. The first post can be found here. The second is here.

In this blog post we will take a look at replacing the certificates on the External Platform Services Controller (PSC) server.

Before we get into the details, let us make sure the external PSC is installed on a Windows server.

Select the vCenter for Windows option and install the external PSC.

Since this is a blog series on certificate replacement, we will skip the installation itself and move on to the next steps.

Post installation, we need to navigate to the location “C:\Program Files\VMware\vCenter Server\vmcad”.

Once in the location, launch the certificate-manager tool, which is built in as of vCenter 6.0. This tool automates the process of generating the certificate request for signing and also updates the certificates for VC and PSC. Choose option 1 (Replace Machine SSL certificates with custom certificates).

Now choose option 1 again to generate the signing request and key for the machine SSL certificate. Then enter the location where the certificate request and the key will be placed. We will use “C:\Certs”.

Enter the details for the certificate to be generated, as shown in the next window.

Now enter the SSO administrator user name and password.

We can navigate to “C:\Certs” and check for the generated files. We will see two files: a .csr and a .key. Do not close the command window.

The next step involves getting the CSR signed by a certificate authority (CA). We will have to log in to the CA server and click on “Request a certificate”.

Now click on advanced certificate request.

Open the CSR file and copy all of its content, without any spaces.

Paste the content copied from the csr file into the empty space in the cert request. Select the certificate template which we created in our first blog post and click submit.

Now download the signed certificate in Base 64 encoded format.

Save this under C:\Certs.

Come back to the command window (I had to switch to PowerShell for some compatibility reasons). Choose option 1, which will continue with importing the signed certificates.

Provide the location of the newly signed certificate, the key file generated initially, and the CA certificate obtained in the previous post.

Once this is input, the tool automatically updates all the services with the new certificates.

Once this process is complete, we can point the browser to the PSC URL and make sure the new certificate has been picked up. A reboot might be required.
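The browser check can also be scripted. The following PowerShell is an added example, not part of the original post or of VMware's tooling: it fetches the certificate the PSC actually serves and confirms that it is the signed certificate saved under C:\Certs and that it chains to the CA certificate. The host name, the two file names and port 443 are assumptions to adjust.

```powershell
# Added example. Assumed values, not from the post: adjust before running.
$PscHost    = 'psc.example.local'        # placeholder PSC FQDN
$SignedCert = 'C:\Certs\machine_ssl.cer' # assumed name of the signed certificate
$CaCert     = 'C:\Certs\ca.cer'          # assumed name of the CA certificate

function Get-ServedCertificate {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever is presented; trust is evaluated in Test-ChainsToCa.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally { $tcp.Close() }
}

function Test-ChainsToCa {
    param($Cert, $Ca)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation is not checked here; this only validates signatures and dates.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    # Do not rely on the local trust store: build with the CA file and then
    # require that this exact CA appears in the resulting chain.
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    [void]$chain.ChainPolicy.ExtraStore.Add($Ca)
    $built = $chain.Build($Cert)
    $viaCa = @($chain.ChainElements |
        Where-Object { $_.Certificate.Thumbprint -eq $Ca.Thumbprint }).Count -gt 0
    $built -and $viaCa
}

$expected = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($SignedCert)
$ca       = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CaCert)
$served   = Get-ServedCertificate -HostName $PscHost

# Both boolean fields should be True once the services have picked up the new certificate.
[pscustomobject]@{
    Subject            = $served.Subject
    Issuer             = $served.Issuer
    NotAfter           = $served.NotAfter
    ServedIsSignedCert = ($served.Thumbprint -eq $expected.Thumbprint)
    ChainsToCa         = (Test-ChainsToCa -Cert $served -Ca $ca)
}
```

If `ServedIsSignedCert` is False after the tool reports success, the endpoint is still presenting the old certificate, which is the case where the reboot mentioned above applies.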

The next step is to replace the certificate for the VC server.
