I am attempting to replace our hosts' certificates. Here's what I am doing:
1) Created an openssl config file on the host and used openssl to generate a CSR
2) Had that signed by a Microsoft CA.
3) Imported the cert on my 6.5 host and it showed up fine on the host.
4) Attempted to add the host into VCSA 6.5 and received error "unable to get local issuer certificate".
I've changed the certmgmt mode for the vCSA to custom as well.
Thanks in advance.
You're not following the right procedure in that case. Once you update the cert on the ESXi host, you have to import it into VECS on the vCSA to establish trust. Since you're not using VMCA, this is an entirely manual process. I'd recommend you read the documentation that covers certificate management of ESXi hosts.
Thanks. However, I've followed the steps as listed but I still receive the following error while attempting to add the host to vCenter. Also, restarted the services on the VCSA.
"Unable to get local issuer certificate"
Does it matter if the host and vCenter are not joined to the domain? Does the vCenter root cert need to be replaced with a signed one from the CA before this will work?
That shouldn't matter, but have you configured the vCSA to trust the root CA cert which signed the ESXi certs?
That aside, do you have a hard requirement to replace ESXi certs even though they're joined to a vCenter? I see this quite often where people think they need to replace host certs and when you get down to it, they find they don't. So what is your objective with implementing PKI? What are the true requirements?
So that's probably my mistake. I added the esxi signed cert to the Trusted store. You're saying I need to add the actual CA root cert to the Trusted store?
Hosts must have custom CA signed certificates. From my understanding only the hosts need to have signed certs; not positive on the requirement for vCenter yet.
I've tried adding the CA cert and the CA chain into the Trusted Roots store but keep getting "LDAP error: Can't contact LDAP server". Win Error: "Operation failed with error -1 (4294967295)".
Really need to get this figured out.
Not sure either. SSO is joined to my domain, no issues there. I can ping from vCenter to my DC and from my DC to vCenter, so they are talking to each other.
Really confused on why it's even caring about LDAP. All I want to do is add a certificate into the store.
I am getting exactly the same issue. There are some ESXi hosts that need certs signed by our Internal CA.
What do you mean when you say "vCenter still needs to trust who signed the certs as well"? What do I do on the vCSA 6.5 to get that resolved? At the moment the vCSA has the default signed cert and we just need to change the ESXi hosts' certs to custom ones.
What do you mean when you say "vCenter still needs to trust who signed the certs as well"??
I mean the vCSA still has to trust who issued the certs and not just the certs themselves. This is standard practice for any PKI system, btw. You need to import the root CA certificate into the vCSA into its trusted root store. If you haven't already, read the documentation that covers this here.