VCAP-DCV Deploy Objective 8.2 – Part 1


In this section we are going to cover “Manage SSL certificates”.

Here is the objective from the blueprint:

  • Configure and manage VMware Certificate Authority

Lab Setup:

Using VMware workstation:

  • Microsoft Servers 2012 R2 for services (ADCS, DNS, DHCP, etc.)
  • Installed esx0
  • Installed VCSA

 Documents used:

  • vSphere Security Guide
  • VMware KB 2112016

Configure and manage VMware Certificate Authority:

In vSphere 6.0 and later, the VMware Certificate Authority (VMCA) provisions your environment with certificates. This includes machine SSL certificates for secure connections, solution user certificates for authentication to vCenter Single Sign-On, and certificates for ESXi hosts that are added to vCenter Server.

The following certificates are in use.

Source: VMware security guide

There are many variations of how to configure VMCA; I chose to configure VMCA as a subordinate CA to a Microsoft enterprise CA.

Configuring VMware vSphere 6.0 VMware Certificate Authority as a subordinate Certificate Authority:

To perform this task I followed VMware KB 2112016 in my lab. Please see my previous post about installing Microsoft ADCS.

Here are the steps:

  1. Connect to the VMware Certificate Manager and choose option 2 to replace the VMCA root certificate with a custom signing certificate and replace all certificates. To perform this task, do the following:
    1. If you are using VCSA, you will need to enable SSH (if you didn't do so already).
    2. SSH to the VCSA, change directory to /usr/lib/vmware-vmca/bin/ and run the ./certificate-manager utility.
    3. Choose option 2.
      1. Enter the SSO password.
      2. Choose option 1 to Generate Certificate Signing Request(s) and Key(s) for VMCA Root Signing certificate.
      3. Verify that you have 2 files in the specified location.
  2. Copy the “root_signing_cert.csr” file to your Windows AD server; you can use WinSCP for that.
    1. You might have a problem connecting to the shell with WinSCP (I did); change the advanced SFTP server setting to “shell /usr/lib64/ssh/sftp-server”.
  3. Open the Windows Certificate Web Enrollment and perform the following:
    1. Click on Request a certificate.
    2. Click on advanced certificate request.
    3. Click on Submit a certificate request….
    4. Change the certificate template to “Subordinate Certification Authority”.
    5. Copy and paste the .csr file content into the Saved Request window and click on Submit.
    6. Download the certificate chain by changing to “Base 64 encoded” and clicking on Download certificate chain.
  4. Double-click the newly downloaded certificate and export the certificates:
    1. Right-click the CA certificate >> All Tasks >> Export.
    2. Change the format to Base 64 encoded.
    3. Save the file with the same certificate name.
    4. Repeat this process for the Root CA.
  5. Merge the two certificates together using a text editor; make sure the CA certificate is at the top and the root at the bottom.
    1. Use a new text file to combine the two certs and don't forget to change the file extension to .cer.
  6. Copy the new .cer file back to vCenter.
  7. Go back to the certificate-manager utility and choose option 1.
    1. Provide the location of the new .cer file and press Enter.
    2. Provide the location of the .key file generated at the beginning (root_signing_cert.key) and press Enter.
    3. Press Yes and wait for the process to finish.
  8. Verify by looking at the vCenter HTTPS certificate path.
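
Steps 5 to 7 only work if the merged file is in the right order and the .key file belongs to the top certificate. The script below is an added example (not part of the original post or of VMware's tooling) that checks both before option 1 is run in step 7; the function name check_vmca_chain is hypothetical, and it assumes openssl is available in the shell and that the top certificate is the one issued for the VMCA CSR.

```shell
# Added example: pre-flight check of the merged chain file and the VMCA key.
# Usage: check_vmca_chain <merged-chain.cer> <vmca-signing.key>
check_vmca_chain() (
  chain=$1; key=$2
  tmp=$(mktemp -d) || exit 1
  trap 'rm -rf "$tmp"' EXIT
  # Split the bundle into cert1.pem..certN.pem in file order; drop the CRs a
  # Windows text editor leaves behind.
  n=$(tr -d '\r' < "$chain" | awk -v d="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n { print > (d "/cert" n ".pem") }
        END { print n + 0 }')
  [ "$n" -ge 2 ] ||
    { echo "FAIL: expected CA certificate plus root, found $n"; exit 1; }
  # The top certificate must be a CA certificate ...
  openssl x509 -noout -text -in "$tmp/cert1.pem" | grep -q 'CA:TRUE' ||
    { echo "FAIL: top certificate is not a CA certificate"; exit 1; }
  # ... and must carry the public key of the key generated with the CSR.
  [ "$(openssl x509 -noout -pubkey -in "$tmp/cert1.pem")" = \
    "$(openssl pkey -pubout -in "$key")" ] ||
    { echo "FAIL: private key does not match the top certificate"; exit 1; }
  # Each certificate must be issued by the one directly below it.
  i=1
  while [ "$i" -lt "$n" ]; do
    iss=$(openssl x509 -noout -issuer_hash -in "$tmp/cert$i.pem")
    sub=$(openssl x509 -noout -subject_hash -in "$tmp/cert$((i + 1)).pem")
    [ "$iss" = "$sub" ] ||
      { echo "FAIL: cert $i is not issued by cert $((i + 1))"; exit 1; }
    cat "$tmp/cert$((i + 1)).pem" >> "$tmp/issuers.pem"
    i=$((i + 1))
  done
  # The bottom certificate must be the self-signed root.
  [ "$(openssl x509 -noout -issuer_hash -in "$tmp/cert$n.pem")" = \
    "$(openssl x509 -noout -subject_hash -in "$tmp/cert$n.pem")" ] ||
    { echo "FAIL: bottom certificate is not a self-signed root"; exit 1; }
  # Finally check the signatures from the top certificate up to that root.
  openssl verify -CAfile "$tmp/issuers.pem" "$tmp/cert1.pem" >/dev/null 2>&1 ||
    { echo "FAIL: signature verification failed"; exit 1; }
  echo "OK: $n certificates, correct order, key matches"
)
```

A non-zero exit status means the merged file or key should be fixed before it is handed to certificate-manager.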


Enabling SSH on vCenter:



WinSCP config change:


Certification manager screenshot:



Uploading Certificate via Web enrollment:








Thanks for reading


