VMware Cloud Community
nealda
Contributor

New Machine Certificates on VCSA PSCs Missing Trust Anchors

Hi, All.

The task that I've taken on is to replace the default VMCA root certificates in our vSphere environment with intermediate certificates signed by our company CA (followed by replacing machine and solutions certs.) I'm using the Certificate Manager utility as described in the documentation here.

My environment looks like this (all nodes are VCSA 6.7U3o -- will be 6.7U3q this weekend)

[Image: vSphere Managment Nodes.png]

Yep. External PSCs are deprecated but that's our current setup.

Each PSC is a VMCA so there are four root certs that I need to replace with intermediate certs. I've generated all the intermediate certs and replaced them along with the machine and solution certs on the four PSCs. There were no errors and the Certificate Management tool reported successful replacements each time.

However, when I connect to the hosts' DCUIs, the PSC nodes show incomplete certificate chains with missing trust anchors (intermediate and root certs.) Screenshot:

[Image: PSC2 Cert.png]

The solution certificate for the Web Client SSO looks good, though.

[Image: Web Client Cert.png]

Searching for a solution, I found the same problem when replacing the ESXi host certificates, but the workaround (here) doesn't translate to the VCSA platform.

Is there a way to fix this on the VCSA machine certs before I plow forward to the vCenters and ESXi hosts?

Thanks.

-David

1 Reply
nealda
Contributor

I have an update to this that will probably benefit none but the highly curious.

The documentation spells it out but it's easy to miss and somewhat odd.

"In a multi-node deployment that uses VMCA as an intermediate CA, you have to replace the machine SSL certificate explicitly. First you replace the VMCA root certificate on the Platform Services Controller node, and then you can replace the certificates on the vCenter Server nodes to have the certificates signed by the full chain. You can also use this option to replace machine SSL certificates that are corrupt or about to expire." <https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.psc.doc/GUID-C91AFFAD-A830-4BBE-BF7C-F779A3...

Sure enough, the machine certs for the PSCs are incomplete until you apply the machine certs to the vCenters. Then the full chain gets back-filled on the PSCs. Kind of odd, but working as designed I guess.

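The "missing trust anchor" state described in this thread is simply a server presenting its machine (leaf) certificate without the intermediate that links it to the trusted root. The script below is an added example, not code from the thread or from VMware: it builds a throwaway root -> intermediate -> leaf chain with openssl (the root stands in for the company CA, the intermediate for the VMCA, the leaf for a PSC machine SSL certificate) and then runs the same check a client performs, once with only the leaf presented and once with the intermediate included. All names (Example Corp Root CA, psc01.example.local, the scratch directory) are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): build a toy root -> intermediate -> leaf
# chain with openssl and show why a server that presents only its machine cert
# fails verification while one presenting the intermediate as well succeeds.
# All names (Example Corp Root CA, psc01.example.local, etc.) are constructed.
set -e

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys and certs

# make_chain: root CA (the company CA), intermediate CA (the VMCA acting as an
# intermediate), and a leaf machine SSL certificate for a PSC.
make_chain() {
  ca_ext="$WORK/ca.ext"; leaf_ext="$WORK/leaf.ext"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$ca_ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:psc01.example.local\n' > "$leaf_ext"

  # Root: self-signed, with CA extensions applied from the extfile
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Corp Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 365 \
    -extfile "$ca_ext" -out "$WORK/root.pem" 2>/dev/null

  # Intermediate: signed by the root, itself a CA
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example VMCA Intermediate" \
    -keyout "$WORK/vmca.key" -out "$WORK/vmca.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/vmca.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 365 -extfile "$ca_ext" -out "$WORK/vmca.pem" 2>/dev/null

  # Leaf: the PSC machine SSL certificate, signed by the intermediate
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=psc01.example.local" \
    -keyout "$WORK/machine.key" -out "$WORK/machine.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/machine.csr" -CA "$WORK/vmca.pem" -CAkey "$WORK/vmca.key" \
    -CAcreateserial -days 365 -extfile "$leaf_ext" -out "$WORK/machine.pem" 2>/dev/null
}

# verify_presented ROOT LEAF [INTERMEDIATE ...]
# Models a client that trusts only ROOT and must build the chain from what the
# server presents (LEAF plus any INTERMEDIATEs). Returns 0 on success, non-zero otherwise.
verify_presented() {
  root="$1"; leaf="$2"; shift 2
  untrusted=""
  for cert in "$@"; do untrusted="$untrusted -untrusted $cert"; done
  # word-splitting of $untrusted into repeated -untrusted flags is intended
  openssl verify -CAfile "$root" $untrusted "$leaf" >/dev/null 2>&1
}

# chain_status LEAF [INTERMEDIATE ...]: one-line summary of the verification result
chain_status() {
  if verify_presented "$WORK/root.pem" "$@"; then
    echo "complete chain"
  else
    echo "missing trust anchor"
  fi
}

make_chain
echo "PSC presenting machine cert only:      $(chain_status "$WORK/machine.pem")"
echo "PSC presenting machine + intermediate: $(chain_status "$WORK/machine.pem" "$WORK/vmca.pem")"
```

Against a real PSC the equivalent check is to look at what the node actually sends: `openssl s_client -connect <psc-fqdn>:443 -showcerts </dev/null` prints every certificate in the presented chain. After the VMCA root has been replaced with the company-signed intermediate, that output should contain the machine certificate followed by the intermediate(s); if only the leaf appears, the node is in the state the first post describes, and as the reply notes, running the machine-certificate replacement on the vCenter nodes is what completes the chain on the PSCs.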