FTF 005: Replacing default vSphere 6.x certificates with CA signed SSL - my tips

By | May 2, 2018

Recently I have done some projects where replacing default vSphere certificates with CA signed SSL was required. I think some of you remember how managing certificates were hard in prior vSphere releases (especially 5.0/5.1). Fortunately since version 6.0 replacing SSL certificates with custom is easy and straightforward. There are two main options:

  1. The VMCA as a Subordinate (or Intermediate) Certificate Authority which is the easiest to manage but least secure
  2. The manual replacement which is the most difficult to manage, however most secure.

and one more - the hybrid mode where Web Client certificate is replaced by 3rd authority manually but ESXi hosts, solution certificates by VMCA automatically.

VMCA as a Subordinate

This option is really cool. We have just to create a special template, create a CSR and sign by Root. Then replace on VMCA. The rest certificates will be replaced/renew almost automatically. It works pretty well if your template is prepared properly. Please follow the below link to prepare such template:

Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.x

The manual replacement

Unfortunately, this method is the most popular, at least I have done it very often. All vSphere certificates are replaced manually.

Possible issues

There are some issues with replacing of SSL on vSphere 6.x (6.0 and 6.5 as well):

  • When VMCA is a Subordinate, please make sure that you don't use the Certificate Manager to prepare a request (CSR) as probably you will face the below issue (the CSR created for the VMCA does not include the required attributes):
    Error Message : Not a CA Cert
  • Problem with configuring of HA (e.g. vSphere HA cannot be configured on this host because its SSL thumbprint has not been verified). Just disconnect the host that has custom SSL certificates installed and connect it again.
  • Problem with adding of ESXi hosts to vCenter after replacing SSL - please follow below tips.

Some tips

Additional useful links:

Certificate Management Overview

How to use vSphere 6.x Certificate Manager

How to replace vSphere 6.x certificates

VMware Certificate Authority overview and using VMCA Root Certificates in a browser

New Product Walkthrough – Hybrid vSphere SSL Certificate Replacement

Author: Mariusz

Architect (~ 15 years experience based on passion...) with strong background as a System Administrator and Engineer. Focused on Data Center Solutions: Virtualization/Cloud Computing and Storage/Backup Systems. Currently living in Poland.