VMware Cloud Community
sweehan
Enthusiast

Replacing vsphere certificate

I'm currently planning to upgrade my VMware environment from 5.1 to 6. I've installed a new PSC and vCenter appliance, version 6. My security team requests that we replace the self-signed certs with domain certs across the VMware environment and not use the VMCA.

I have never replaced a certificate in VMware before. Is there any guide on how to replace the certificate? Does that mean I need to install a cert on every VMware component, e.g. host, vCenter, PSC and Update Manager?

0 Kudos
3 Replies
Mattallford
Hot Shot

Does that mean I need to install a cert on every VMware component, e.g. host, vCenter, PSC and Update Manager?

It sounds like your security team is going to need to have input on this. What are their business requirements, and why?

My security team requests that we replace the self-signed certs with domain certs across the VMware environment and not use the VMCA.

Depending on the size of your environment, this could be quite tedious, and it will involve a fair bit of manual work. There is a certificate model called 'hybrid', where the PSC / VC nodes have a third-party trusted SSL cert installed for everything being reverse proxied (such as the web client), and the VMCA then takes care of the internal certificates, such as solution users and the ESXi hosts. Is your security team aware of this configuration, and are they willing to allow this option to be explored if it hasn't been already?

Cheers, Matt.

VCP6-DCV | VCAP6-DCV Deploy @mattallford If you found my answers useful, please help me by marking them as Helpful or Correct!
0 Kudos
sweehan
Enthusiast

They request that we use their external cert. I've tested the cert on the ESXi host by replacing rui.crt and rui.key. But for the PSC and vCenter appliance, the few sites I've read all seem to show that the way to replace the cert is through the certificate manager or via the VMCA.

Is there any method similar to the esxi host cert replacement?

0 Kudos
hypnoticautopsy
Contributor

If you are with DoD, yes, you are going to have to replace ALL of the certificates. I'm actually at the same point, which brings me to this: does anyone know how to use the certificate tool provided by VMware? I tried using it, but when importing the certificates, the tool gives me an error stating the certificate chain is invalid.

0 Kudos
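As an added example (not from any poster in this thread), a POSIX shell script that builds a throwaway root, intermediate and machine certificate with the openssl CLI and then checks a PEM chain file the way it must be assembled before handing it to an import tool: machine certificate first, then its issuer, verifying up to a separately trusted root. It assumes only that openssl is on the PATH; every hostname and CA name in it is constructed test data.

```shell
#!/bin/sh
# Added example (not from the thread): build a constructed root -> intermediate -> leaf
# chain with openssl, then check a chain file the way it must be assembled before import:
# machine cert first, then its issuer(s), with the root trusted separately.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:vcenter.example.test\n' > leaf.ext

# Constructed root CA (self-signed); all names below are throwaway test values
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
  -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 2 -sha256 \
  -extfile ca.ext -out root.crt 2>/dev/null
# Constructed issuing (intermediate) CA, signed by the root
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Issuing CA" \
  -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 2 -sha256 -extfile ca.ext -out int.crt 2>/dev/null
# Constructed machine certificate for the vCenter/PSC hostname, signed by the intermediate
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=vcenter.example.test" \
  -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
  -days 2 -sha256 -extfile leaf.ext -out leaf.crt 2>/dev/null

# chain_ok CHAIN ROOT: succeeds only if the first cert in CHAIN is an end-entity cert
# that verifies up to ROOT using the issuer certs carried in CHAIN. A missing or
# mis-ordered issuer is the usual cause of a "certificate chain is invalid" error.
chain_ok() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE' && return 1  # first cert is a CA
  openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

# leaf_matches CHAIN KEY: succeeds if KEY is the private key of the first cert in CHAIN
leaf_matches() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

cat leaf.crt int.crt > full-chain.pem   # correct: machine cert, then its issuer
cat int.crt leaf.crt > wrong-order.pem  # wrong: CA first
cp leaf.crt leaf-only.pem               # wrong: intermediate missing

for f in full-chain.pem wrong-order.pem leaf-only.pem; do
  if chain_ok "$f" root.crt; then echo "$f: chain OK"; else echo "$f: chain INVALID"; fi
done
leaf_matches full-chain.pem leaf.key && echo "full-chain.pem: key matches machine cert"
```

Run the same two functions against the real chain file and private key before importing them; the root used in -CAfile should be the issuer's published root, not anything extracted from the chain itself.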