Hello,
We are running vSphere 6.5 with the vCenter Appliance and external PSCs across two sites. Each site has two PSCs and we have VCHA configured on the vCenter Server Appliances. We need to change the certificate mode from the default VMCA to Custom. The recommended workflow is detailed in the vSphere security documentation:
Certificate Mode Switch Workflows
~~~~~~~~~~~~~~~~~~~~~~~~~~
If your company policy requires that you use a different root CA than VMCA, you can switch the certificate mode in your environment after careful planning. The recommended workflow is as follows.
1. Obtain the certificates that you want to use.
2. Remove all hosts from vCenter Server.
3. Add the custom CA's root certificate to VECS (VMware Endpoint Certificate Store).
4. Deploy the custom CA certificates to each host and restart services on that host.
5. Switch to Custom CA mode. See Change the Certificate Mode.
6. Add the hosts to the vCenter Server system.
~~~~~~~~~~~~~~~~~~~~~~~~~~
I'm trying to go through the "careful planning" stage now, but am confused by step 2. Is it required to remove all of the hosts from vCenter to change the mode? In one YouTube video, it seemed as simple as changing the value and bouncing the services. I would think I could change the mode, and then just swap certificates on hosts and bounce them one at a time.
If it is in fact necessary to remove the hosts, can I do so without blowing away my distributed switches?
Also, will the VCHA handle the certificate change, or do I need to destroy VCHA, swap the certificate, and then redeploy?
Thanks for the input,
Ben
Question 1: Do I need to remove all the hosts from VC to replace with custom certificates?
Answer: No, it is not required to remove the hosts from VC to replace with custom certificates.
Question 2: Custom Certs on VCHA
Answer:
Please go through the link below, which is the official document from VMware, for more details:
Set Up Your Environment to Use Custom Certificates
Copy-pasting the info from the above link:
--------------------------------
The machine SSL certificate on each node is used for cluster management communication and for encryption of replication traffic. If you want to use custom certificates, you have to remove the vCenter HA configuration, delete the Passive and Witness nodes, provision the Active node with the custom certificate, and reconfigure the cluster.
If possible, replace certificates in the vCenter Server Appliance that will become the Active node before you clone the node.
--------------------------------
-Sridhar
Regarding VCHA certificates replacement:
1) You need to destroy the VCHA and remove witness and passive node
2) Replace the certificates on deployed node
3) and redeploy VCHA
This is safest way of replace certificates with VCHA.
The other way is to replace certificates on all nodes (passive, witness and active), but I don't think this is the safest way, since most of the services would not be running on the witness and passive nodes;
we would end up replacing certificates only for those services which are up and running on the passive and witness nodes, and fail-over might not happen later.
These are just my thoughts, not tested in my lab setup.
Hi Sridhar,
Thanks, I hadn't seen that link with regard to VCHA. That clears that part up.
Your note about not needing to remove the hosts, is that also for changing the certificate mode?
Thanks!
Ben
Yes, it is the same for custom certificates also; there is actually no need to remove hosts from vCenter.
-Sridhar
If all your queries are resolved then please mark this query as answered.