culterone
Contributor

browser certificate problem - generate new certificate with ADCS and import to vSphere

Hi, we have VMware vSphere 6.7 installed and when we access it via domain name, we get the warning that the page is insecure. When I display the (invalid) certificate information, I can see that it's valid until 2025. In the certification path is CA/192.168.2.200, so I suppose it's valid only when the IP address is entered.

All hosts are in our domain and on the domain controller I installed ADCS and created a root certificate valid for 10 years and a certificate for vSphere valid for 2 years. Now I'm struggling with how to get the certificate from ADCS to vSphere. I found this tutorial

https://vmarena.com/replace-vcsa-6-7-certificate-vmca-by-an-adcs-signed-certificate/

which seems to suit my needs, but I don't understand why I need to export a certificate from vSphere and load it into ADCS. Isn't the right way to export the signed certificate from ADCS and import it into vSphere via Certificate Manager? Or do I have to follow this tutorial step by step to successfully get rid of the annoying message in the browser? Or is there a simpler way?

Thank you

3 Replies
daphnissov
Immortal

First of all, what is your real objective here? Is it simply to remove the annoying warning from the browser, or is it to customize the certificate that vCenter presents? You do not need to replace the default certificates if all you want to do is not see that warning message. Please explain what your desired end result is.

culterone
Contributor

Hi daphnissov, thanks for the reaction. My goal is to get rid of the browser message "There is a problem with this website's security certificate" and the necessity to click on the "Continue to this website (not recommended)" link. I need to solve it not by uploading the certificate downloaded from the vSphere login screen to client browsers, because there are many colleagues who connect to vSphere. I need to solve it on the server, if possible.

daphnissov
Immortal

Ok, that clarifies it. Then you actually do want to replace the default certificates. The blog post to which you linked is the correct procedure, and you're probably confused with regard to the first step in which a CSR is downloaded. The CSR is not a certificate. Although this is the right process, you may want to do some casual online reading about certificates and how the request/replacement process works. PKI is a complex subject, but getting some of the fundamentals down will help you understand the overall process both here and elsewhere.
