VMware vSphere 6 Certificate Manager

In this document we will see how to quickly and easily replace the certificates assigned to our VMware vCenter Server. Beyond that, as of vSphere 6.0, Certificate Manager is the new VMware tool for any certificate management task we need to perform in vSphere!

 


In this article we will replace the default certificates that ship with vCenter 6.0, generated by its VMware Certificate Authority (VMCA), with valid ones, signed either by a trusted CA or by our organization's CA, so that we can use valid certificates internally.

The first step is to edit the 'certool.cfg' file, which is found in '%ProgramFiles%\VMware\vCenter Server\vmcad\' if vCenter runs on Windows, or in '/usr/lib/vmware-vmca/bin/' if we use the VMware appliance. We edit the configuration file and enter the correct data, which will be used later to generate the CSR.

 


We then run the script 'certificate-manager.bat' (Windows) or './certificate-manager' (Linux) to launch the certificate management utility, and select '1. Replace the Machine SSL certificate with a Custom CA Certificate' to replace the machine's SSL certificate with a custom one.

We select '1' again to generate a new CSR (certificate signing request) based on the settings entered in the configuration file. The tool asks for a folder in which to store the output (in my case 'C:\Certificates'). Once the files are generated, we exit the wizard with '2' and take the generated request to a trusted CA to be signed. The private key generated alongside it ('machine_ssl.key') stays in that folder for the import step.

 


In this case I will use a Microsoft CA, which is the one used in my organization. We paste the contents of the 'machine_ssl.csr' file and generate the certificate in the usual way.

 


We must remember to download the certificate Base64-encoded. We save it as 'rui.crt' in the same folder ('C:\Certificates').

 


In addition, we will need the certificate chain of the certificate authority (CA) that is issuing our certificate. We download it by clicking 'Download CA certificate chain', also Base64-encoded, and save it under the name 'cachain.p7b'.

 


Next, we open the newly downloaded file and export the certificates of the CAs it contains.

 


As before, we export in Base64 and save the result, like everything else, in our certificates folder ('C:\Certificates'), as 'Root64.cer'.

 

 


All that remains is to install the newly generated certificate. We run the vSphere 6 certificate tool again and select option '1' again to replace the existing certificate with a custom one. This time we select '2' to import a custom certificate and its key to replace the existing machine SSL certificate. Then we enter the paths of the corresponding files and confirm; in my case:

  • Custom certificate for machine SSL: the 'rui.crt' file.
  • Custom key for machine SSL: the 'machine_ssl.key' file.
  • Signing certificate of the machine SSL certificate: the 'Root64.cer' file.
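
Before entering those three paths, it is worth confirming that the files actually belong together. The script below is an added example, not part of the original article or of VMware's tooling: it checks that each file is Base64 (PEM) encoded, that 'rui.crt' was issued for the key in 'machine_ssl.key', and that it chains to 'Root64.cer'. It assumes the `openssl` command is available where it is run (for example on the appliance); the function names are illustrative.

```sh
#!/bin/sh
# Added example: pre-import checks for the files Certificate Manager asks for.
# File names follow the article; the function names are illustrative.

# True if the file is Base64 (PEM) text rather than binary DER.
is_pem() {
    grep -q -e '-----BEGIN ' "$1"
}

# Public key embedded in the signed certificate, as PEM.
cert_pubkey() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null
}

# Public key derived from the private key created with the CSR, as PEM.
key_pubkey() {
    openssl pkey -in "$1" -pubout 2>/dev/null
}

# True if the certificate verifies against the exported CA certificate(s).
chains_to() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# preimport_check <cert> <key> <ca>
# Returns 0 if consistent, 1 on wrong encoding, 2 on key mismatch, 3 on chain failure.
preimport_check() {
    for f in "$1" "$2" "$3"; do
        is_pem "$f" || { echo "FAIL: $f is not Base64 (PEM) encoded"; return 1; }
    done
    c=$(cert_pubkey "$1")
    k=$(key_pubkey "$2")
    if [ -z "$c" ] || [ "$c" != "$k" ]; then
        echo "FAIL: $1 was not issued for the key in $2"; return 2
    fi
    chains_to "$1" "$3" || { echo "FAIL: $1 does not chain to $3"; return 3; }
    echo "OK: certificate, key and CA certificate are consistent"
}

# Usage: sh precheck.sh rui.crt machine_ssl.key Root64.cer
if [ "$#" -eq 3 ]; then
    preimport_check "$@"
fi
```

If the issuing CA is an intermediate, 'Root64.cer' must contain every CA certificate in the chain for the last check to pass.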


Author

nheobug@bujarra.com
Author of the Bujarra.com blog. Whatever you need, do not hesitate to contact me, I will try to help you whenever I can. Sharing is living ;) . Enjoy the documents!!!