How to change SSL certificates on a vCenter VM.
Recently I faced an issue where the web browser shows "not secure" while logging in to the vCenter and VAMI portals.
Issue: CA certificates are invalid on vCenters.
1. Generate a certificate signing request (CSR)
Log in to the vCenter vCSA via SSH. Type shell and press Enter.
Run /usr/lib/vmware-vmca/bin/certificate-manager. You will see vSphere Certificate Manager with multiple options to select.
2. Choose option 1: Replace Machine SSL certificate with Custom Certificate
3. Enter SSO and VC administrator credentials (default: administrator@vsphere.local). Then again, choose option 1 to Generate CSR and Keys for Machine SSL certificate.
4. Then, Certificate Manager will prompt to specify the following values:
Country: Two letter country code
Name: FQDN of your vCSA
Organization: Your organization name
OrgUnit: Name of your unit/department
State: State or country name
Locality: City
IPAddress(optional): vCSA IP address
Email: your email address
Hostname: FQDN of your vCSA
VMCA Name: FQDN of your VMCA (typically use the FQDN of your vCSA)
5. Type Yes to proceed. It will then ask for the path to save the files to (/tmp/temp).
6. The signing request and private key are generated and located in the /tmp folder.
7. Download /tmp/vmca_issued_csr.csr file with any tool you use, i.e. WinSCP.
Refer to this link if you have any issue logging in to the VCSA PuTTY session via WinSCP.
8. Submit your CSR file to your certificate authority (CA).
(Customize the certificate as required by your company.)
9. Download/export the certificate in base-64 format
10. Upload signed machine certificate file and CA certificate file to the vCSA, i.e. /tmp/temp folder
11. Choose option 1: Replace Machine SSL certificate with Custom Certificate. Enter SSO and VC administrator credentials (default: administrator@vsphere.local). Now choose option 2 to import custom certificates.
12. Then specify the signed certificate, the private key, and the CA certificate location.
13. Select Yes(Y) to confirm the operation. This may take a few minutes.
14. It will restart the services automatically.
15. If there is any plugin/service issue, restart all services or reboot.
service-control --stop --all
service-control --start --all
16. Validate in the web browser and the VAMI portal as well.
17. Restart the VAMI service if the VAMI portal is still showing the old certificate.
Restart the VAMI service: /etc/init.d/vami-lighttp restart
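
Before the import in steps 10 to 12, it helps to confirm that the signed certificate, the private key and the CA certificate actually belong together. The shell function below is an added example, not part of the original post or of VMware's tooling. It assumes the openssl command is available and that the four arguments (signed certificate, private key, CA certificate, vCSA FQDN) are supplied by you.

```shell
#!/bin/sh
# Added example: pre-import sanity checks for a CA-signed Machine SSL certificate.
# All four arguments are supplied by the caller; no vCenter-specific paths are assumed.

# check_cert_bundle CERT KEY CA_CERT FQDN -> returns 0 only if every check passes
check_cert_bundle() {
    cert=$1; key=$2; ca=$3; fqdn=$4

    # Step 9 asks for base-64 (PEM); a DER export has no PEM header.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$cert" ||
        { echo "FAIL: $cert is not base-64 (PEM) encoded" >&2; return 1; }

    # The certificate must carry the public half of the key generated with the CSR.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
        { echo "FAIL: cannot parse certificate" >&2; return 1; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
        { echo "FAIL: cannot parse private key" >&2; return 1; }
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL: certificate does not match private key" >&2; return 1; }

    # The CA file must actually validate the signed certificate.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "FAIL: certificate does not chain to $ca" >&2; return 1; }

    # Browsers match the name typed in the URL against the certificate names.
    openssl x509 -in "$cert" -noout -checkhost "$fqdn" 2>/dev/null |
        grep -q 'does match certificate' ||
        { echo "FAIL: certificate is not valid for $fqdn" >&2; return 1; }

    # Reject a certificate that has already expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "FAIL: certificate has expired" >&2; return 1; }

    echo "OK: $cert matches its key, chains to the CA and covers $fqdn"
}

# Run the checks when called with four arguments, e.g.
#   sh check_cert.sh <signed-cert> <private-key> <ca-cert> <vcsa-fqdn>
if [ "$#" -eq 4 ]; then
    check_cert_bundle "$@"
fi
```

If the CA certificate file is a chain, it must contain the root and every intermediate for the chain check to pass.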