
Changing the Machine SSL certificate for the VCSA 6.0 U2

Recently I was at a customer who needed to change the Machine SSL Certificate on their newly deployed VCSA and External PSC. They chose this method as they had a requirement to protect all front end communications but were happy to have the VMware Certificate Authority (VMCA) continue to issue other certificates for components.

Below are the steps recreated in the Terataki Lab. The procedure is essentially the same if you have a VCSA with an embedded PSC. The main difference in my case is that I replaced the certificate on the PSC first, before replacing it on the VCSA. The reason I chose to show replacing the VCSA certificate is that there is one additional step: you need to specify the Infrastructure Server IP (the PSC). You can find more details in VMware KB 2112277.

Prior to replacing the Machine SSL certificate, browsing to the VCSA shows the following certificate warning.


First of all, it goes without saying that you require a Certificate Authority to issue the certificate. In the Lab I am using an Enterprise CA on Windows 2012 R2. Log into your VCSA (or PSC) with SSH as root. In the screenshot below this is the default appliance shell displayed after logging into the VCSA.


As can be seen above, the BASH shell can be enabled by running the command > shell.set --enabled True
Once you have done this, type > shell
You will now be dropped at the BASH shell prompt as seen below:


For convenience I will change the default shell for the root user to BASH permanently. This is also required because I need to use WinSCP later to copy my new certificates to the appliance. To change the shell to BASH use: > chsh -s /bin/bash root


Change directory by using > cd /usr/lib/vmware-vmca/bin
Then run Certificate Manager by typing > ./certificate-manager

A list of the available options is displayed. In this case I am going to change the Machine SSL certificate, so select option 1 and hit enter. You will be prompted for the username with Administrator@vsphere.local already filled out. If this is correct hit enter; otherwise enter your SSO domain administrator name. Fill out the password for the user specified. As mentioned previously, I am using a VCSA with an external PSC, so I have an additional prompt, "Please provide valid Infrastructure IP", which is the IP of the external PSC. Enter 1 again to start the process of CSR generation.


A step-by-step workflow will guide you through the generation of the CSR file that we will use later when we make our request to the CA. In short, you will need to provide the location where you want to save the generated .csr and .key files, as well as the subject information for your certificate.


The CSR will be output to the directory you specified. In this case that is /root.
Change to the /root directory and display the CSR with > cat vmca_issued_csr.csr
Copy and paste into Notepad everything from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST-----, including both of those lines.


We now change focus to our CA and make the request. Remember that in the lab I'm using a Microsoft CA. I browse to the CA web enrollment page that I have installed, then click ‘Request a certificate’.


Click ‘advanced certificate request’


Then click ‘Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.’


Paste the text obtained from the CSR file, everything from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST----- inclusive, into the request box.


My certificate is issued immediately in the Lab. Now I need to download both the certificate and the certificate chain. With the Base 64 encoded radio button checked, download both. Save these with a relevant name to a location that you can easily find later. In my case I am calling them vcsa and chain.


You’ll notice that the chain certificate was downloaded in .p7b format, so you need to do a quick conversion to get it into Base-64 X.509. To do that I double clicked the downloaded chain.p7b certificate on the desktop, then in the opened certificate clicked Details, then Copy to File. Click Next in the wizard, select Base-64 encoded X.509 (.CER), and then click Next. Save the file as chain.cer. In the lab the CA is a single-tier root, so the chain is one certificate; with an intermediate CA, export each certificate in the chain this way and concatenate them into chain.cer.

Now I am ready to upload the two required certificates to the VCSA. Using WinSCP I connect to the VCSA. This will fail if you did not allow the root user to use BASH as shown above. In the screenshot below the certificates copied are called chain.cer and vcsa.cer. Note that the previously generated CSR and key file are stored in the same location I upload to. This just makes remembering things easier for me.


Now we jump back to PuTTY and run Certificate Manager again, but this time we select Option 1 followed by Option 2. Follow the prompts and give the path to the vcsa.cer, the vmca_issued_key.key and the chain.cer. Select Yes to continue. All being well you will see the words [Replacing Machine SSL Cert…]. The process may take a few minutes.


After a short time the certificate will be installed. You can verify this by navigating in your browser to your Web Client, which should no longer show a certificate error. You can confirm that the certificate is the new one by clicking the lock icon in the address bar and inspecting the details of the certificate as shown below.
