{"id":62,"date":"2023-03-19T08:08:29","date_gmt":"2023-03-19T07:08:29","guid":{"rendered":"http:\/\/10.4.44.99:10084\/?p=62"},"modified":"2023-03-19T08:08:29","modified_gmt":"2023-03-19T07:08:29","slug":"vmware-vsphere-change-certificate-with-self-signed","status":"publish","type":"post","link":"https:\/\/www.winni.at\/wordpress\/?p=62","title":{"rendered":"VMWare\/VSphere Change Certificate with self-signed"},"content":{"rendered":"\n<p><strong>1.) Enable WinSCP access to vcenter appliance<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Log in to the VCenter Appliance through PuTTY<\/li>\n\n\n\n<li>On the CLI, enter shell<\/li>\n\n\n\n<li>Run<strong>&nbsp;chsh -s \/bin\/bash root<\/strong>&nbsp;= ENABLES bash for WinSCP; otherwise you will get an error message |&nbsp;<strong>chsh -s \/bin\/appliancesh root<\/strong>&nbsp;= DISABLES bash&nbsp;<\/li>\n<\/ul>\n\n\n\n<p><strong>2.) Add Certificate Chain from your CA to the trusted certificate store of the VCenter Appliance<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Open your CA root and your CA intermediate cert in Notepad<\/li>\n\n\n\n<li>Create a new file named for example:&nbsp;<strong>Fullchain.cer<\/strong><\/li>\n\n\n\n<li>Insert the contents of your CA root and CA intermediate certs there: first the CA root, and directly after it the intermediate.<\/li>\n\n\n\n<li>Save this file and transfer it to your VMWare VCenter Appliance &#8211;&gt; for example to the&nbsp;<strong>\/tmp\/<\/strong>&nbsp;location<\/li>\n\n\n\n<li>Connect to the vsphere appliance through PuTTY<\/li>\n\n\n\n<li>Insert the newly created&nbsp;<strong>Fullchain.cer<\/strong>&nbsp;into the VMware trusted store &#8211;&gt;&nbsp;<strong>\/usr\/lib\/vmware-vmafd\/bin\/dir-cli trustedcert publish --chain --cert \/tmp\/Fullchain.cer<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>3.) 
Generate a CSR<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Log in to the VCenter Appliance through PuTTY<\/li>\n\n\n\n<li>On the CLI, enter shell<\/li>\n\n\n\n<li>Run&nbsp;<strong>\/usr\/lib\/vmware-vmca\/bin\/certificate-manager<\/strong><\/li>\n\n\n\n<li><strong>Option 1<\/strong>&nbsp;(Replace Machine SSL certificate with Custom Certificate)<\/li>\n\n\n\n<li>Enter the Username and Password from the&nbsp;<a href=\"mailto:Administrator@vsphere.local\">Administrator@vsphere.local<\/a>&nbsp;account<\/li>\n\n\n\n<li><strong>Option 1<\/strong>&nbsp;(Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate)<\/li>\n\n\n\n<li>Specify output directory &#8211;&gt; example:&nbsp;<strong>\/tmp\/<\/strong><\/li>\n\n\n\n<li>Specify the other certificate options (Name &#8211; FQDN of vcenter server, country, organization, orgunit, state, locality, IP address (you can leave it empty), email (you can leave it empty), hostname &#8211; FQDN of vcenter server, VMCA Name &#8211; FQDN of vcenter server)<\/li>\n\n\n\n<li>Now a CSR and key file (<strong>vmca_issued_csr.csr and vmca_issued_key.key<\/strong>) are generated under&nbsp;<strong>\/tmp\/<\/strong><\/li>\n\n\n\n<li>Transfer the CSR to your CA and generate a certificate, for example as&nbsp;<strong>vcenter.cer<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>4.) 
Import Certificate to VCenter Appliance<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Transfer this certificate to the vcenter appliance, for example into the&nbsp;<strong>\/tmp\/<\/strong>&nbsp;directory.<\/li>\n\n\n\n<li>Transfer your root CA (example<strong>&nbsp;RootCA.cer<\/strong>) to the vcenter appliance, for example into the&nbsp;<strong>\/tmp\/<\/strong>&nbsp;directory.<\/li>\n\n\n\n<li>There should now be 4 files in&nbsp;<strong>\/tmp\/<\/strong>.&nbsp;<strong>First:<\/strong>&nbsp;<strong>Fullchain.cer<\/strong>&nbsp;(which we created in Step 1 and which contains the whole certificate chain).&nbsp;<strong>Second:<\/strong>&nbsp;your newly created certificate&nbsp;<strong>vcenter.cer<\/strong>, which you have already transferred.&nbsp;<strong>Third:<\/strong>&nbsp;<strong>vmca_issued_key.key<\/strong>, which was created with the CSR.&nbsp;<strong>Fourth:<\/strong>&nbsp;your transferred root CA certificate.<\/li>\n\n\n\n<li>Log in to the VCenter Appliance through PuTTY<\/li>\n\n\n\n<li>On the CLI, enter shell<\/li>\n\n\n\n<li>Run&nbsp;<strong>\/usr\/lib\/vmware-vmca\/bin\/certificate-manager<\/strong><\/li>\n\n\n\n<li><strong>Option 1<\/strong>&nbsp;(Replace Machine SSL certificate with Custom Certificate)<\/li>\n\n\n\n<li>Enter the Username and Password from the&nbsp;<a href=\"mailto:Administrator@vsphere.local\">Administrator@vsphere.local<\/a>&nbsp;account<\/li>\n\n\n\n<li><strong>Option 2<\/strong>&nbsp;(Import custom certificate(s) and key(s) to replace existing Machine SSL certificate)<\/li>\n\n\n\n<li>Provide custom certificate:&nbsp;<strong>\/tmp\/vcenter.cer<\/strong><\/li>\n\n\n\n<li>Provide custom key:<strong>&nbsp;\/tmp\/vmca_issued_key.key<\/strong><\/li>\n\n\n\n<li>Provide the signing certificate:&nbsp;<strong>\/tmp\/RootCA.cer<\/strong><\/li>\n\n\n\n<li>You are going to replace Machine SSL cert using custom cert. 
Continue operation:&nbsp;<strong>Y<\/strong><\/li>\n<\/ul>\n\n\n\n<p>It will now take a little time to complete, and then you will see the message:&nbsp; Status: 100% Completed [All tasks completed successfully].&nbsp;<\/p>\n\n\n\n<p>If you see this, you can open your vcenter appliance in your browser through the specified URL and should not get any certificate error.<\/p>\n\n\n\n<p>This site helped me:&nbsp;<a href=\"https:\/\/vmarena.com\/replace-vcsa-6-7-certificate-vmca-by-an-adcs-signed-certificate\/\">https:\/\/vmarena.com\/replace-vcsa-6-7-certificate-vmca-by-an-adcs-signed-certificate\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>1.) Enable WinSCP access to vcenter appliance 2.) Add Certificate Chain from your CA to the trusted certificate store of<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[3],"tags":[178,182,183,195,196],"class_list":["post-62","post","type-post","status-publish","format-standard","hentry","category-kb","tag-vcenter","tag-vmware","tag-vmware-change-certificate","tag-vsphere","tag-vsphere-change-certificate"],"_links":{"self":[{"href":"https:\/\/www.winni.at\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/62","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.winni.at\/wordpress\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.winni.at\/wordpress\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.winni.at\/wordpress\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.winni.at\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=62"}],"version-history"
:[{"count":0,"href":"https:\/\/www.winni.at\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/62\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.winni.at\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=62"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.winni.at\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=62"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.winni.at\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=62"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}