In this article, we will continue the same topic, but this time explaining the required steps to configure VMCA as an intermediate CA server.

Why does VMware vSphere need SSL certificates?

SSL certificates are required to encrypt and secure the communications between the various VMware products, such as the communication between the vCenter server and the ESXi hosts, as well as the connection between the end-user and the vSphere client.

Main reference documentation

vSphere Authentication guide: https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-esxi-vcenter-802-authentication-guide.pdf

vSphere Security guide: https://docs.vmware.com/en/VMware-vSphere/7.0/vsphere-esxi-vcenter-server-703-security-guide.pdf

I’d strongly recommend watching my tutorial videos for more information and the implementation demo:

SSL Certificates Available Modes

The following list contains the available management modes for certificates in vSphere:

  • VMCA | self-signed (default): this is the default mode for the built-in certificate authority of vCenter, VMCA (VMware Certificate Authority). Out of the box, right after installing a vCenter server, VMCA is enabled to manage the certificates of the vCenter server and of any attached ESXi host. All of the certificates are issued by VMCA, so this is a self-signed certificate mode.
  • VMCA | intermediate CA: it’s possible to configure VMCA to act as an intermediate CA in your enterprise PKI infrastructure. This mode has the lowest operational overhead; however, VMware (and perhaps your company’s security policy) does not recommend it.
  • Custom certificates: [How to configure article] In this mode, you are required to manually issue the required certificates for each vSphere component (vCenter server(s) and ESXi hosts) via your PKI infrastructure or a 3rd-party CA. This is considered the most secure way, but it implies a lot of operational overhead.
  • Hybrid mode: this is a mix of a MACHINE SSL CERTIFICATE signed by an external CA for the vCenter server’s web interface, while VMCA continues to issue self-signed certificates for the ESXi hosts and solution users. This mode is preferable for large environments.

How to manage the SSL Certificates?

  • vSphere client.
  • vCenter Certificate Manager Utility (vCenter CLI utility).
  • CLI and APIs.
  • ESXi SSH shell for ESXi hosts.

In this article I will be covering the intermediate CA mode, and the steps needed to enable it for a vCenter server and the linked ESXi hosts.


VMCA – Intermediate CA mode | step-by-step

In this tutorial I will be configuring the intermediate CA mode for my vSphere lab environment, leveraging a Microsoft CA PKI. For other PKI environments, please research the needed steps.

1- Create a certificate template. The required parameters are listed in this KB article (scroll down to its “Intermediate CA” section): https://kb.vmware.com/s/article/2112009

2- Replace the VMCA root CA certificate with a custom certificate, and regenerate all other certificates. SSH into the vCenter server, switch to “shell” mode, and then start the vCenter Certificate Manager utility with this command:

/usr/lib/vmware-vmca/bin/certificate-manager

3- Choose option 2 to generate a CSR. Watch the video [embedded above], or follow the steps on page 50 of the vSphere Authentication guide (linked above in the references section).

4- Head to your Microsoft CA server to issue the required certificate using the dedicated certificate template. Use the following command in a CMD terminal.

5- Command: certreq -submit -attrib "CertificateTemplate:TEMPLATENAME" myrequest_sign.req myrequest_cert.cer

6- The certificate file must contain the entire certificate chain (the root certificate plus any other intermediate certificates, depending on the PKI setup in your environment). Open the newly generated certificate with Notepad, and append the block of the root CA certificate at the bottom of the file. The following link describes the construction of the certificate file in more detail [view it or watch my video]: https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.authentication.doc/GUID-75008746-C902-4C42-8F5C-6602D6E4EC8B.html#:~:text=In%20a%20text-,editor%2C%20combine,-the%20certificates%20as

To export the root CA certificate on the CA server, run: certutil -ca.cert ca_name.cer
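Assembling the combined file by hand in Notepad is where chains most often go wrong: a truncated paste, a wrong order, or the private key pasted in by mistake. The script below is an added example of mine, not code from the original post or from VMware, that builds the file in the order step 6 describes (the certificate issued to VMCA first, any intermediates, the root last) and checks each block before anything is copied to the appliance. The `build_chain_file`, `summarize` and `constructed_block` names are my own, and the PEM blocks it feeds itself are constructed test data with valid framing but no real X.509 content; in practice the inputs are the files written by certreq and certutil.

```python
"""Assemble and sanity-check the combined certificate file for step 6.

Added example, not VMware's tooling. The PEM blocks used as sample input are
constructed test data with valid framing but no real X.509 content.
"""
import base64
import re

# Matches one PEM block and captures its label ("CERTIFICATE", "PRIVATE KEY", ...) and body.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_length_consistent(der: bytes) -> bool:
    """True if the outer ASN.1 SEQUENCE header accounts for exactly len(der) bytes.
    A certificate that lost lines in a copy-paste may still base64-decode, but the
    declared length no longer matches, which this check catches."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short form: the byte is the length
        return 2 + first == len(der)
    n = first & 0x7F                       # long form: next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        return False
    return 2 + n + int.from_bytes(der[2:2 + n], "big") == len(der)


def parse_pem_blocks(text: str):
    """Return [(label, der_bytes), ...] for every PEM block in text.
    Tolerates CRLF line endings (Notepad) and raises ValueError on a damaged body."""
    blocks = []
    for label, body in PEM_RE.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError as exc:          # binascii.Error is a ValueError
            raise ValueError(f"{label}: base64 body is not decodable ({exc})")
        if not der_length_consistent(der):
            raise ValueError(f"{label}: DER length mismatch, body is probably truncated")
        blocks.append((label, der))
    return blocks


def to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """Re-encode DER as a canonical 64-column PEM block with LF line endings."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def build_chain_file(signed_cert: str, root_cert: str, intermediates=()) -> str:
    """Produce the contents of root_signing_cert.cer: the certificate issued to
    VMCA first, any intermediate CA certificates next, the root CA last.
    Each input must be exactly one CERTIFICATE block, so a private key pasted
    by mistake never ends up in the file."""
    out, seen = [], set()
    for text in (signed_cert, *intermediates, root_cert):
        blocks = parse_pem_blocks(text)
        if len(blocks) != 1:
            raise ValueError("each input must contain exactly one PEM block")
        label, der = blocks[0]
        if label != "CERTIFICATE":
            raise ValueError(f"refusing to embed a {label} block in the certificate file")
        if der in seen:
            raise ValueError("the same certificate appears twice in the chain")
        seen.add(der)
        out.append(to_pem(der))
    return "".join(out)


def summarize(chain_file: str) -> dict:
    """Quick report on a combined file: block count, key leakage, line endings."""
    blocks = parse_pem_blocks(chain_file)
    return {
        "certificates": sum(1 for label, _ in blocks if label == "CERTIFICATE"),
        "has_private_key": any("PRIVATE KEY" in label for label, _ in blocks),
        "lf_only": "\r" not in chain_file,
    }


def constructed_block(payload: bytes, label: str = "CERTIFICATE") -> str:
    """Constructed test data: a well-formed outer SEQUENCE around arbitrary bytes.
    Not a real certificate, just enough structure for the checks above."""
    header = b"\x30\x82" + len(payload).to_bytes(2, "big")
    return to_pem(header + payload, label)


# Constructed sample inputs. The signed cert uses CRLF endings to mimic a file
# saved by Notepad on the CA server.
SIGNED_CERT = constructed_block(b"vmca-cert-constructed-" * 14).replace("\n", "\r\n")
ROOT_CERT = constructed_block(b"lab-root-ca-constructed" * 13)
STRAY_KEY = constructed_block(b"not-a-real-key-" * 20, "PRIVATE KEY")

if __name__ == "__main__":
    combined = build_chain_file(SIGNED_CERT, ROOT_CERT)
    print(combined)
    print(summarize(combined))
```

Run it with the real myrequest_cert.cer and ca_name.cer in place of the constructed blocks; if it raises, fix the file before copying it to the appliance, because certificate-manager will otherwise fail part-way through the replacement.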

7- Now, let’s copy the certificate body (the content) to our vCenter. SSH into the vCenter server, switch to “shell” mode, and navigate to /root/

8- Create a new empty file and call it root_signing_cert.cer:

touch root_signing_cert.cer

vi root_signing_cert.cer

and then press “i” to start editing the file. Go to the certificate file still open on your CA server, copy its content, and paste it into the text editor back on the vCenter. Save and exit.

9- Now we need to import the new certificate via the vCenter Certificate Manager utility once again. Choose option 2, select to use the existing config file, and then hit “2” again to import the certificate and the key this time.

10- Specify the file names/paths. It’s better explained in the video.

11- After a few minutes, the certificates should be replaced (MACHINE_SSL and the ESXi hosts).

12- [Optional] Should you face issues pushing the new VMCA-signed certificates to the ESXi hosts, please check this useful article: https://pradeeppapnai.wordpress.com/2019/04/09/esxcertficate-renew/
