VMware Cloud Community
socbizkaia
Contributor
Contributor
‎03-12-2020 03:01 AM

vcenter DNS alias and VMCA SSL certificate

Hi,

We are running vCSA 6.5. Our vcenter has an official hostname but we normally access it using a DNS alias/CNAME. I would like to regenerate the SSL/TLS certificate of the vCSA to include those "subject alternative names".

- Is it possible to configure "subject alternative names" for the vCSA with the vSphere Certificate Manager Utility (/usr/lib/vmware-vmca/bin/certificate-manager) ??

- My only option would be to use VMCA Default Certificates with External SSL Certificates (Hybrid Mode) ??

Thanks in advance! this is my first approach the VMCA.

Tags (2)
0 Kudos
3 Replies
Virtbay
Enthusiast
Enthusiast
‎03-12-2020 06:26 AM

Hi

Yes, you can use the certificate manager to generate the CSR using the configuration file by having the FQDN and short-name in host-name section.Since you are looking for machine SSL certificate(hybrid) which makes the vcenter website secure.Use option number 1 and generate the CSR with the FQDN and short-name separated by comma. After which you can get it signed then import it into the Vcenter. Do not forget to take snapshot's before performing any changes

VMware Knowledge Base

Regards VB Please mark helpful or correct if my answer resolved your issue.
0 Kudos
socbizkaia
Contributor
Contributor
‎03-12-2020 06:59 AM

This solution would imply an hybrid solution (SSL certificates emited by the VMCA and an external CA). However, is it possible to use the VMCA to generate SSL machine certificates with subject alternative names?

0 Kudos
Virtbay
Enthusiast
Enthusiast
‎03-12-2020 11:25 AM

Hi

I beleive this is what you are looking for, yes it should be possible to generate SSL machine certificate with default VMCA root . Use the certificate manager in the vcenter and go with option number 3 . While updating the configuration file make sure you put in the FQDN and the short name in the host-name entry. 

Below is for embedded VCSA

In case if you are looking for something like this (External CA signs the VMCA that acts as a subordinate CA which in turn signs the machine SSL and solution user certificates) then run through the option number 2 in certificate manager (while requesting CSR make sure to use the FQDN and short name (separated by comma) in host-name entry) then with that you can obtain the signed VMCA with which you can run through the replacement. This has always worked for me where I get the site secure for both short-name and FQDN.

Have a look at the below article for reference
VMware Knowledge Base

Regards VB Please mark helpful or correct if my answer resolved your issue.
0 Kudos