networks2264
Contributor

6.5 Custom Certificate Mode


Hello,

We are running vSphere 6.5 with the vCenter Appliance and external PSCs across two sites. Each site has two PSCs and we have VCHA configured on the vCenter Server Appliances. We need to change the certificate mode from the default VMCA to Custom. The recommended workflow is detailed in the vSphere security documentation:

Certificate Mode Switch Workflows

~~~~~~~~~~~~~~~~~~~~~~~~~~

If your company policy requires that you use a different root CA than VMCA, you can switch the certificate mode in your environment after careful planning. The recommended workflow is as follows.

1. Obtain the certificates that you want to use.

2. Remove all hosts from vCenter Server.

3. Add the custom CA's root certificate to VECS (VMware Endpoint Certificate Store).

4. Deploy the custom CA certificates to each host and restart services on that host.

5. Switch to Custom CA mode. See Change the Certificate Mode.

6. Add the hosts to the vCenter Server system.

~~~~~~~~~~~~~~~~~~~~~~~~~~

I'm trying to go through the "careful planning" stage now, but am confused by step 2. Is it required to remove all of the hosts from vCenter to change the mode? In one YouTube video, it seemed as simple as changing the value and bouncing the services. I would think I could change the mode, and then just swap certificates on hosts and bounce them one at a time.

If it is in fact necessary to remove the hosts, can I do so without blowing away my distributed switches?

Also, will the VCHA handle the certificate change, or do I need to destroy VCHA, swap the certificate, and then redeploy?

Thanks for the input,

Ben

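A check a practitioner would want between steps 4 and 6 of the workflow quoted above, added here as example code for this thread (not VMware's own tooling): each host is probed over TLS trusting only the custom CA bundle, and issuer DNs gathered some other way (for example from `openssl x509 -noout -issuer`) are classified as VMCA-issued or custom. It assumes the hosts serve the machine SSL certificate on port 443 under their FQDN, that the custom root and any intermediates sit in a PEM bundle whose path you supply, and that a VMCA root still carries its default name; the host names and issuer strings in the block are constructed.

```python
"""Check which ESXi hosts already chain to the custom root CA before switching certificate mode."""
import re
import socket
import ssl

# Default name of a VMCA root: "CN=CA, DC=vsphere, DC=local, C=US, ST=California, O=<PSC FQDN>, OU=VMware Engineering".
VMCA_ROOT_MARKERS = ("CN=CA", "DC=vsphere", "DC=local")

def _normalize_dn(dn: str) -> list:
    """Split a DN into 'attr=value' parts, tolerating openssl's 'issuer=' prefix and 'CN = x' spacing (no escaped commas)."""
    dn = re.sub(r"^\s*issuer\s*=\s*", "", dn)
    return [re.sub(r"\s*=\s*", "=", part.strip()) for part in dn.split(",") if part.strip()]

def classify_issuer(issuer_dn: str, custom_root_dn: str) -> str:
    """Return 'custom', 'vmca' or 'other' for the issuer DN of the certificate a host presents."""
    parts = _normalize_dn(issuer_dn)
    if parts == _normalize_dn(custom_root_dn):
        return "custom"
    if all(marker in parts for marker in VMCA_ROOT_MARKERS):
        return "vmca"
    return "other"

def probe_host(host: str, ca_bundle: str, port: int = 443, timeout: float = 5.0) -> str:
    """TLS handshake trusting ONLY the custom CA bundle (hostname check kept on). Returns 'trusted' when the
    chain verifies, 'untrusted' when rejected (still VMCA-issued or another CA), 'unreachable' on network errors."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "trusted"
    except ssl.SSLCertVerificationError:
        return "untrusted"
    except (ssl.SSLError, OSError):
        return "unreachable"

def audit(hosts, ca_bundle: str) -> dict:
    """Hosts that are not 'trusted' still need the custom certificate deployed (step 4) before step 6."""
    return {host: probe_host(host, ca_bundle) for host in hosts}

if __name__ == "__main__":
    # Constructed issuer strings standing in for what two lab hosts currently present.
    custom_root = "CN=Example Corp Root CA, O=Example Corp, C=US"
    sample = {
        "esx01.lab.example": "issuer=CN = CA, DC = vsphere, DC = local, C = US, ST = California, O = psc01.lab.example, OU = VMware Engineering",
        "esx02.lab.example": "CN=Example Corp Root CA, O=Example Corp, C=US",
    }
    for host, issuer in sample.items():
        print(f"{host}: {classify_issuer(issuer, custom_root)}")
```

Run `audit(["esx01.lab.example", "esx02.lab.example"], "/path/to/custom-ca-bundle.pem")` against live hosts once the bundle is in place; any result other than `trusted` is a host to fix before re-adding it.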

Accepted Solutions
SridharG
VMware Employee

Question 1: Do I need to remove all the hosts from VC to replace with custom certificates?

Answer: No, it is not required to remove the Hosts from VC to replace with custom certificates.

Question 2: Custom Certs on VCHA

Answer:

Please go through the link below, which is the official document from VMware, for more details:

Set Up Your Environment to Use Custom Certificates

Copying and pasting the info from the above link:

--------------------------------

The machine SSL certificate on each node is used for cluster management communication and for encryption of replication traffic. If you want to use custom certificates, you have to remove the vCenter HA configuration, delete the Passive and Witness nodes, provision the Active node with the custom certificate, and reconfigure the cluster.

About this task

If possible, replace certificates in the vCenter Server Appliance that will become the Active node before you clone the node.

Procedure

  1. Edit the cluster configuration and select Remove.
  2. Delete the Passive node and the Witness node.
  3. On the Active node, which is now a standalone vCenter Server Appliance, replace the machine SSL Certificate with a custom certificate. See the Platform Services Controller Administration documentation.
  4. Reconfigure the cluster.

--------------------------------

-Sridhar

If it is useful, please mark the answer as correct or helpful.
----------------------------------------------------------------
Thanks & Regards
Sridhar Gattu,
VCP55, RHCE 6.0.
-----------------------------------------------------------------
Disclaimer: Any views or opinions expressed here are strictly my own. I am solely responsible for all content published here. Content published here is not read, reviewed, or approved in advance by VMware and does not necessarily represent or reflect the views or opinions of VMware.


4 Replies
Madhuin
VMware Employee

Regarding VCHA certificates replacement:

1) You need to destroy the VCHA and remove the Witness and Passive nodes

2) Replace the certificates on the deployed node

3) Redeploy VCHA

This is the safest way to replace certificates with VCHA.

The other way is to replace certificates on all nodes (Passive, Witness and Active), but I don't think this is the safest way: since most of the services would not be running on the Witness and Passive nodes, we would end up replacing certificates only for those services that are up and running on those nodes, and fail-over might not happen later.

These are just my thoughts, not tested in my lab setup.

networks2264
Contributor

Hi Sridhar,

Thanks, I hadn't seen that link with regard to VCHA. That clears that part up.

Your note about not needing to remove the hosts, is that also for changing the certificate mode?

Thanks!

Ben

SridharG
VMware Employee

Yes, it is for custom certificates also; actually, there is no need to remove hosts from vCenter.

-Sridhar

If all your queries are resolved then please mark this query as answered.
