VMware vSphere

  • 1.  Understanding VCSA as a Subordinate CA

    Posted Apr 13, 2019 06:53 PM

    Hi,

    This is a test lab setup.

    I have been trying this for some time, but it does not seem to be working as I understand it. I'm trying to get the VCSA to become a subordinate CA to sign certificates for the ESXi hosts in its cluster.

    The issue where I am lost is the use of the certificate chain, the Subordinate certificate, and the VMCA: for the certificate chain I'm not sure where to get the subordinate certificate from, and as for the VMCA, I'm not able to understand whether it will become a Subordinate CA after adding the chain, or how.

    I have tried from here: https://blogs.vmware.com/vsphere/2015/07/custom-certificate-on-the-outside-vmware-ca-vmca-on-the-ins...

    here: https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.psc.doc/GUID-75008746-C902-4C42-8F5C-6602D6...

    here: https://casesup.com/knowledgebase/how-to-replace-default-ssl-certificate-for-vmware-vcenter-and-esxi...

    So if anyone could guide me right.

    My setup is: I have a Windows AD server with ADCS that is acting as a Root CA, and I want the VCSA to act as a Subordinate CA for the ESXi hosts (when I access the ESXi hosts via browser their certificates show as not secure; as far as I have reached, when I access the VCSA via vSphere it shows as secure).

    Thank You



  • 2.  RE: Understanding VCSA as a Subordinate CA

    Posted Apr 13, 2019 07:20 PM

    In order for the VMCA to function as a subordinate for your PKI, you have to generate a cert based on the correct template. You can't just generate any old machine certificate. There's a KB here that talks about that. The default template, which should be cloned and customized, appears here.


    From there, you have to choose option #2 to replace the certificate in the vCSA and regenerate all certs based upon it. Note that this really isn't the recommended way to go about custom certificates. The best way is the hybrid approach where you replace externally-facing services with a custom cert (machine SSL cert) but you leave VMCA to generate certs for solution users and ESXi hosts internally. This is not only easier to accomplish, but easier to maintain as well. You can still trust the VMCA root certificate in order to trust the certs generated for each ESXi host.



  • 3.  RE: Understanding VCSA as a Subordinate CA

    Posted Apr 13, 2019 10:17 PM

    Thank You for the reply,

    This is what I'm trying to understand: the page Generate CSR with vSphere Certificate Manager and Prepare Root Certificate (Intermediate CA) says that I need

    -----BEGIN CERTIFICATE-----
    Signed VMCA root certificate - GENERATED BY THE ROOT CA SERVER USING THE CSR FILE
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    CA intermediate certificates - WHERE DO I GET THIS FROM ?
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    Root certificate of enterprise or external CA - THE ROOT CA'S CERTIFICATE
    -----END CERTIFICATE-----

    I mean, the CSR file is for the VCSA and the intermediate CA is also the VCSA, and since the CSR is generated by the VCSA, does it mean I have to generate a second CSR file for the intermediate CA certificate?

    Thank You
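    As an added example (not code from this thread, from VMware, or from Certificate Manager), the script below builds a throwaway lab PKI with openssl to show what the three blocks of that chain file are and in which order they go: it creates an enterprise root, an enterprise issuing CA under it (so the middle "intermediate" block is not empty; a two-tier root-signs-VMCA setup would simply omit it), signs a CSR standing in for the VMCA's with subordinate-CA extensions, assembles the chain file, and then checks both that the file is ordered leaf-to-root and that an ESXi host certificate issued by the subordinate validates through it. It assumes openssl is on the PATH; every name (lab-root-ca, lab-issuing-ca, vmca-sub-ca, esxi01.lab.example) and the `chain_ordered` / `chain_verifies` helpers are constructed for this example.

```shell
#!/bin/sh
# Added example (not from this thread or from VMware): builds a toy three-tier
# PKI with openssl, assembles the chain file in the order the post lists,
# and checks both the ordering and that an ESXi host cert validates through it.
# All names (lab-root-ca, lab-issuing-ca, vmca-sub-ca, esxi01.lab.example) are
# constructed for the lab; the VMCA is modelled as a plain subordinate CA.
set -e
WORK="$(mktemp -d)"
cd "$WORK"

# Minimal openssl config: one extension section per tier. The CA sections
# carry what a "Subordinate CA" template must carry: CA:TRUE plus keyCertSign.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_int ]
basicConstraints = critical, CA:TRUE, pathlen:1
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ v3_sub ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ v3_host ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:esxi01.lab.example
EOF

# Enterprise root (the ADCS root in the post) and an enterprise issuing CA
# between it and the VMCA, so all three blocks of the chain file are exercised.
openssl req -x509 -new -newkey rsa:2048 -nodes -config ca.cnf -extensions v3_root \
  -subj "/CN=lab-root-ca" -days 365 -keyout root.key -out root.crt 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
  -subj "/CN=lab-issuing-ca" -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 365 -extfile ca.cnf -extensions v3_int -out int.crt >/dev/null 2>&1

# The VMCA's CSR (what Certificate Manager hands you), signed by the issuing CA
# with subordinate-CA extensions. No second CSR is needed for the chain.
openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
  -subj "/CN=vmca-sub-ca" -keyout vmca.key -out vmca.csr 2>/dev/null
openssl x509 -req -in vmca.csr -CA int.crt -CAkey int.key -CAcreateserial \
  -days 365 -extfile ca.cnf -extensions v3_sub -out vmca.crt >/dev/null 2>&1

# Chain file in the documented order: signed VMCA cert, intermediates, root.
cat vmca.crt int.crt root.crt > root_signing_chain.pem
# Same certificates in the wrong order, to show what the ordering check rejects.
cat root.crt int.crt vmca.crt > wrong_order.pem

# An ESXi host certificate issued by the (now subordinate) VMCA.
openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
  -subj "/CN=esxi01.lab.example" -keyout esxi01.key -out esxi01.csr 2>/dev/null
openssl x509 -req -in esxi01.csr -CA vmca.crt -CAkey vmca.key -CAcreateserial \
  -days 365 -extfile ca.cnf -extensions v3_host -out esxi01.crt >/dev/null 2>&1

# chain_ordered FILE: split the PEM bundle and require that each certificate's
# issuer is exactly the subject of the certificate that follows it.
chain_ordered() {
  d="$(mktemp -d)"
  awk -v d="$d" '/-----BEGIN CERTIFICATE-----/{n++} {print > (d "/part" n ".pem")}' "$1"
  i=1
  while [ -f "$d/part$((i+1)).pem" ]; do
    iss="$(openssl x509 -in "$d/part$i.pem" -noout -issuer)"
    sub="$(openssl x509 -in "$d/part$((i+1)).pem" -noout -subject)"
    [ "${iss#issuer=}" = "${sub#subject=}" ] || return 1
    i=$((i+1))
  done
  return 0
}

# chain_verifies LEAF ROOT [CHAIN]: path-validate LEAF up to the trusted ROOT,
# optionally supplying the chain file as untrusted intermediates.
chain_verifies() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$2" -untrusted "$3" "$1" 2>&1 | grep -q ': OK$'
  else
    openssl verify -CAfile "$2" "$1" 2>&1 | grep -q ': OK$'
  fi
}

if chain_ordered root_signing_chain.pem; then echo "chain order: ok"; fi
if ! chain_ordered wrong_order.pem; then echo "wrong_order.pem: rejected"; fi
if chain_verifies esxi01.crt root.crt root_signing_chain.pem; then echo "esxi01 via chain: ok"; fi
if ! chain_verifies esxi01.crt root.crt; then echo "esxi01 without intermediates: fails as expected"; fi
```

    The last check is the situation behind the "not secure" browser warning in the first post: a client that only trusts the enterprise root cannot validate a host certificate unless the subordinate (and any issuing CA above it) is presented or trusted as well, which is exactly what the assembled chain file supplies.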



  • 4.  RE: Understanding VCSA as a Subordinate CA
    Best Answer

    Posted Apr 14, 2019 03:07 PM

    This issue is resolved.

    The steps are mentioned here: Make VMCA an Intermediate Certificate Authority (Certificate Manager)

    Thank You