VMware Cloud Community
franckehret
Enthusiast
Enthusiast
‎09-15-2016 04:02 AM

Replace self-signed certificates with intermediate CA certificates

Hello the world Smiley Happy

Kind of a tricky question for me, despite all the googling and further search I didn't find any answer yet...

I've managed to have an intermediate CA properly configured on my VC appliance 6 update 2 (my root CA is my AD integrated CA). The replacement of the certificates run fine and the chain is now looking pretty :smileycool:

But... :smileysilly: I'm still missing certificates which remained self-signed, here is the list :

- VAMI interface (port 5480)

- vSphere "older" web client on port 9443 (443 is fine)

- Update Manager (VUM) which is installed on a Windows server

2 questions then :

- How can you generate the certificates from the intermediate CA (or in details : generate requests from all components + submit them to the intermediate CA)

- How do you replace them (especially for VAMI and the web client on port 9480, for VUM, tehre is a KB)

Any help would be very much appreciated, thanks in advance.

Regards

Reply
3 Replies
Orcunus
Enthusiast
Enthusiast
‎09-16-2016 05:14 AM

You should be ok if you followed VMware procedure during vmca certificate renewal process. When you add an ESXi server to this vCenter, it will automatically generate and install new certificate with the new chain. Configuring VMware vSphere 6.0 VMware Certificate Authority as a subordinate Certificate Authority (...

Those are the methods that I use to replace certificates of some components that you mention. I don't see any specific reason to use port 9443 as web client service is reachable behind reverse http proxy. So I did not try to replace it.


Update Manager:

For replacing Update Manager certificate, the official KB for replacing vSphere 6.0 certificates redirects to the procedure used for previous versions (5.5 and 5.1) as quoted below.

Replacing default certificates with CA signed SSL certificates in vSphere 6.0 (2111219) | VMware KB

Peripheral vSphere components

Replace the vSphere Update Manager Certificates. For more information, see Configuring CA signed SSL certificates for vSphere Update Manager in vCenter Server 5.1 and 5.5 (203...

VAMI 5480:

I have not found any official guideline for this but this is what I have done and it worked (still this may not be fully supported by VMware). We can use the certificate that we created for the reverse proxy, and use it for vami-lighttpd service.

ORIG_CERT=”/etc/applmgmt/appliance/server.pem”

RHTTPPROXY_CERT=”/etc/vmware-rhttpproxy/ssl/rui.crt”

RHTTPPROXY_KEY=”/etc/vmware-rhttpproxy/ssl/rui.key”

cat $RHTTPPROXY_CERT $RHTTPPROXY_KEY > $ORIG_CERT

We need to edit the configuration file used for vami-lighttpd service.

Config file:                        /opt/vmware/etc/lighttpd/lighttpd.conf

Add or modify line:           ssl.ca-file = “/etc/applmgmt/appliance/vmca.crt”

Copy your certificate file to the folder defined in ssl.ca-file above and name it as vmca.crt

Restart the service (service vami-lighttpd restart)

Hope this helps...

Please consider awarding points for "Correct" or "Helpful" replies. Many thanks....:)

Ozan Orcunus | vExpert

Reply
vmwaresbrf
Contributor
Contributor
‎08-30-2018 12:11 AM

VAMI 5480:

I have not found any official guideline for this but this is what I have done and it worked (still this may not be fully supported by VMware). We can use the certificate that we created for the reverse proxy, and use it for vami-lighttpd service.

ORIG_CERT=”/etc/applmgmt/appliance/server.pem”

RHTTPPROXY_CERT=”/etc/vmware-rhttpproxy/ssl/rui.crt”

RHTTPPROXY_KEY=”/etc/vmware-rhttpproxy/ssl/rui.key”

cat $RHTTPPROXY_CERT $RHTTPPROXY_KEY > $ORIG_CERT

We need to edit the configuration file used for vami-lighttpd service.

Config file:                        /opt/vmware/etc/lighttpd/lighttpd.conf

Add or modify line:           ssl.ca-file = “/etc/applmgmt/appliance/vmca.crt”

Copy your certificate file to the folder defined in ssl.ca-file above and name it as vmca.crt

Restart the service (service vami-lighttpd restart)

Instead of this for VAMI 5480 we can use this script:

/usr/lib/applmgmt/support/scripts/postinstallscripts/lighttpd-vecs-integration.sh

Reply
0 Kudos
DanyDemers
Enthusiast
Enthusiast
‎10-19-2018 12:08 PM

Hi, I'm installing VMCA 6.7 and trying to figure the problem with the certificate for the management user interface MUI 5480 ( formerly known as VAMI) is still present. I'm trying to follow your procedure but I can't figure out which cert you copied to the folder in the last part of your description,

Copy your certificate file to the folder defined in ssl.ca-file above and name it as vmca.crt

Restart the service (service vami-lighttpd restart)"

Edit: I found it, the vmca.crt file is the cert you created to delegate your VCSA as a subordinate CA, and for the non Linux initiate the restart command is this one:

/etc/init.d/vami-lighttp restart

BTW your explanation is much clearer and simple to follow than the official vmware KB, at least for non Linux admin.

Thanks alot

Reply
0 Kudos