In the previous article, I discussed installing and activating an SSL certificate on a vSphere 6.7 host. The process is relatively easy. I tried to apply the same thing to vCenter 6.7 but failed. After several rounds of trial and error, the problem is most likely that vCenter does not want to use a wildcard SSL certificate. When trying it with a single-domain (single-name) SSL certificate, the process runs smoothly.
Here is how to install and activate an SSL certificate on vCenter Server 6.7:
PREPARATION
- Prepare the root certificate file that matches the SSL certificate. The provider usually publishes the location from which the root certificate file can be downloaded, for example for Comodo (Sectigo) SSL in this link.
- Prepare the SSL certificate .key and .crt files according to your requirements. Make sure the subject alternative name (SAN) uses the vCenter host name; in this example it is vc67.excellent.co.id.
- If the .key file and the .crt file do not yet exist, purchase the SSL certificate. You can choose from various brands and providers or resellers. For Indonesian customers, Excellent provides SSL certificate services of various types (Single, Multi Domain UCC and Wildcard) and from various brands (Comodo, GeoTrust, Symantec, Digicert and others). Please refer to the https://www.excellent.co.id/ssl/ page for more details. Unlike other providers, who sometimes only provide SSL certificates without support services, Excellent provides support for generating the Certificate Signing Request (CSR), implementing the SSL certificate, and revoking/replacing it.
- When purchasing an SSL certificate, the seller will request a CSR (Certificate Signing Request). To generate a CSR file from vCenter, connect to vCenter via SSH, enter the bash shell (by typing the shell command), then run /usr/lib/vmware-vmca/bin/certificate-manager and follow the wizard. Since you want to generate a CSR, select option 1, Replace SSL certificate with Custom Certificate, and then Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate. Make sure to enter the correct hostname, matching your vCenter hostname, when asked about the subject alternative name or hostname.
After the generation is done, the location of the CSR file is printed at the end of the command output; in this example it is /srv/vmca_issued_csr.csr. Generating the CSR automatically generates a .key file as well.
Retrieve the CSR file using scp or WinSCP and send it to the SSL seller or provider. Do not send the .key file: it is the private key that pairs with the .crt file and will be needed when the certificate is implemented.
After the verification process, and if all requirements have been met, the SSL seller will send the .crt file. If the SSL certificate and the certificate chain are sent as separate files, combine the two into one new .crt file with the certificate chain at the bottom.
At this point there are three files: the root SSL certificate file, the merged SSL certificate file, and the .key file produced when generating the CSR.
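As an added example that is not part of this article, the POSIX shell script below runs the checks worth doing on those three files before uploading them to vCenter: the .key must pair with the first certificate in the combined file, the exact vCenter hostname must be a DNS SAN (a wildcard does not count), and the combined file must chain up to the root you will add as trusted. It assumes openssl is installed and stands in a constructed root, intermediate and leaf for the provider's real certificates so that it runs offline.

```shell
#!/bin/sh
# Added example (not from the article): pre-flight checks on the three files the
# article ends with (root cert, leaf+chain, .key) before uploading them to vCenter.
# The root/intermediate/leaf built below are a constructed stand-in for the
# provider's real certificates so the checks run offline.
set -eu
WORK=$(mktemp -d)
HOST=vc67.excellent.co.id   # must appear as an exact DNS SAN, not a wildcard
make_sample_pki() {
  cat > "$WORK/pki.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ca
[dn]
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = keyCertSign,cRLSign
[leaf]
subjectAltName = DNS:$HOST
EOF
  openssl req -x509 -config "$WORK/pki.cnf" -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Constructed Root" -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
  openssl req -new -config "$WORK/pki.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Constructed Intermediate" -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -extfile "$WORK/pki.cnf" -extensions ca -out "$WORK/int.crt" 2>/dev/null
  openssl req -new -config "$WORK/pki.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$HOST" -keyout "$WORK/vc.key" -out "$WORK/vc.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$WORK/vc.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
    -CAcreateserial -extfile "$WORK/pki.cnf" -extensions leaf -out "$WORK/vc.crt" 2>/dev/null
}
# Leaf first, chain below it: the layout the article asks for in the combined file.
combine_chain() { cat "$1" "$2" > "$3"; }
# The .key kept back from the provider must be the private half of the public key
# in the first certificate of the combined file.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}
# The exact vCenter hostname must be listed as a DNS SAN (a wildcard does not count).
san_has_host() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | grep -qw "DNS:$2"
}
# The combined file must chain up to the root that will be uploaded as trusted.
chain_verifies() { openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1; }

make_sample_pki
combine_chain "$WORK/vc.crt" "$WORK/int.crt" "$WORK/combined.crt"
key_matches_cert "$WORK/combined.crt" "$WORK/vc.key" && san_has_host "$WORK/combined.crt" "$HOST" \
  && chain_verifies "$WORK/root.crt" "$WORK/combined.crt" && echo "ready for vCenter: $WORK/combined.crt"
```

To check real files, point the three functions at the provider's root, your combined .crt and the .key from certificate-manager instead of the constructed ones.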
CERTIFICATE SSL ACTIVATION ON VCENTER SERVER
To activate the SSL certificate, perform the following procedure:
- Log in to vCenter
- Go to the Administration menu, then Certificates | Certificate Management
- Log in using vCenter user credentials
- In the Trusted Root Certificates section, click Add and select the prepared root SSL certificate file
- In the Machine Certificate section, select the Action | Replace menu
- Supply the combined SSL certificate file (certificate together with the certificate chain) and the .key file
vCenter will automatically detect the SSL certificate and display a success message once it has been activated.
In addition to the machine certificate, there is also a solution certificate, whose implementation procedure is similar to the one above. Because my primary use is only the vCenter web client, implementing the machine SSL certificate is sufficient for me.
After the SSL certificate is successfully installed, restart vCenter. Open the vCenter admin interface (https://vc67.excellent.co.id:5480), then select the Actions menu, then Reboot | Reboot the system? | Yes.
After vCenter has restarted, check whether the SSL certificate has been installed successfully. When vCenter is accessed via a browser, an untrusted-certificate warning should no longer appear. If the SSL certificate is installed and valid but the status is still untrusted, the browser may be caching the old certificate.