VMware Cloud Community
MSchaff
Contributor

VCSA 6.5 Certificate Installation with GeoTrust certificate

Hello VMware community,

I'm in the process of replacing the self-signed certificates on our VCSA 6.5 server with a domain-level certificate, to address the "Your connection to this site is not secure" messages when accessing the vCenter web client.  Having done some initial searching on how to accomplish this, I find I've come up with more questions than answers.  I found several resources that document the process, but each of them uses a different method.  Some use the certificate-manager application directly, while others use a script to generate the CSR file(s).  Most seem to reference using a Microsoft AD certificate generator, but I'm using a GeoTrust certificate and the processes shown in the resources I've viewed don't align well with the GeoTrust certificate.

With that in mind, I'd like to pose a few questions here, and get some input from those of you who have gone down this path already.

1.  As I'm primarily concerned with the certificate messages displayed in the web browser while accessing the web client, do I need to replace all the certificates on the VCSA (machineSSL, machine, vsphere-webclient, vpxd, etc), or will replacing the vsphere-webclient certificate resolve the browser warnings?

2.  On the GeoTrust side, when I go to download the certificate after generating and processing the CSR file for the certificate (or for each certificate), there are two format options available to me: PKCS#7 format and X509 format.  The X509 format appears to provide two files (an "intermediateCA.cer" file and a "ssl_certificate.cer" file) while the PKCS#7 format provides a single file named "ssl_certificate.p7b".  Is one of these two formats preferred over the other, or is one of them the required format?

3.  If I do need to combine certificates, as shown by some instructions, I'm unsure as to which of the certificates becomes the root certificate (apologies if I'm using the incorrect terminology here, or if this does not apply to the GeoTrust process).  I'm not familiar enough with the different certificates to know whether a root certificate applies to this process or not.

Any insights or guidance you might be able to provide would be most appreciated.  I may well be overthinking this entire process, thereby making it more complicated than it needs to be.  Your input is welcome, and I thank you in advance for taking the time to read this.

0 Kudos
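The two download formats asked about in question 2 carry the same certificates, just packaged differently, and question 3's "which one is the root" reduces to checking that the intermediate's subject is the issuer of the server certificate. The script below is an added example, not code from this thread or from VMware: it constructs a throwaway root, intermediate and server certificate with openssl, packages the leaf and intermediate both as a single PKCS#7 bundle and as two separate X.509 files, converts the PKCS#7 back to PEM, assembles the leaf-first chain a TLS server presents, and verifies it while trusting only the root. It assumes openssl 1.1.1 or newer on PATH; every file name, the CA names and the host name vcsa.example.test are placeholders chosen for the demo.

```shell
#!/bin/sh
# Added example, not from the forum thread. Builds a constructed root ->
# intermediate -> leaf chain with openssl, packages leaf + intermediate both
# ways a CA portal offers them (one PKCS#7 .p7b vs separate X.509 .cer files),
# converts the .p7b back to PEM, assembles the leaf-first chain file and
# verifies it against the root only, as a browser would.
# Assumes: openssl 1.1.1 or newer on PATH; all names and the host
# vcsa.example.test are placeholders chosen for this demo.
set -eu

# Convert a PKCS#7 bundle to PEM and print how many certificates it held.
# Real .p7b downloads are often DER-encoded; add "-inform DER" in that case.
p7b_to_pem() {
    openssl pkcs7 -in "$1" -print_certs -out "$2" 2>/dev/null &&
    grep -c 'BEGIN CERTIFICATE' "$2"
}

# Chain file in the order a server presents it: leaf first, then the
# intermediate(s). The root is deliberately left out; it lives in the client
# trust store, not in the served chain.
build_chain() {
    cat "$1" "$2" > "$3"
}

# The issuer of the leaf must equal the subject of the intermediate; a swapped
# order or the wrong intermediate file fails here, before anything is uploaded.
chain_order_ok() {
    issuer=$(openssl x509 -in "$1" -noout -issuer) &&
    subject=$(openssl x509 -in "$2" -noout -subject) &&
    [ "${issuer#issuer=}" = "${subject#subject=}" ]
}

# Constructed PKI standing in for the public CA (root, intermediate) and the
# appliance's own key/CSR (leaf). Runs in the current directory.
make_demo_pki() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext &&
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:vcsa.example.test\nextendedKeyUsage=serverAuth\n' > leaf.ext &&
    openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
        -subj "/CN=Demo Root CA" 2>/dev/null &&
    openssl x509 -req -in root.csr -signkey root.key -out root.pem -days 365 \
        -extfile ca.ext 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
        -subj "/CN=Demo Intermediate CA" 2>/dev/null &&
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -out int.pem -days 365 -extfile ca.ext 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
        -subj "/CN=vcsa.example.test" 2>/dev/null &&
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
        -out leaf.pem -days 365 -extfile leaf.ext 2>/dev/null
}

# Exercise both download formats and verify the assembled chain.
check_formats() {
    # "PKCS#7 format": one ssl_certificate.p7b holding leaf + intermediate.
    openssl crl2pkcs7 -nocrl -certfile leaf.pem -certfile int.pem \
        -out ssl_certificate.p7b 2>/dev/null &&
    n=$(p7b_to_pem ssl_certificate.p7b extracted.pem) &&
    [ "$n" -eq 2 ] &&
    # "X509 format": the same two certs as ssl_certificate.cer + intermediateCA.cer.
    cp leaf.pem ssl_certificate.cer && cp int.pem intermediateCA.cer &&
    chain_order_ok ssl_certificate.cer intermediateCA.cer &&
    build_chain ssl_certificate.cer intermediateCA.cer chain.pem &&
    # Trust only the root; everything else must be proven by the chain file.
    openssl verify -CAfile root.pem -untrusted chain.pem ssl_certificate.cer >/dev/null 2>&1
}

# Whole demo in a scratch directory; prints OK on success.
demo_chain() {
    work=$(mktemp -d)
    if (cd "$work" && make_demo_pki && check_formats); then
        rm -rf "$work"; echo OK
    else
        rm -rf "$work"; echo FAILED >&2; return 1
    fi
}

[ "${1:-}" = "run" ] && demo_chain
```

Run it as `sh chain_demo.sh run`. The useful part for a real download is the middle: `p7b_to_pem` turns the PKCS#7 bundle into the same two PEM certificates the X.509 option hands out, and `chain_order_ok` settles which file is the issuer without guessing from file names. The public root is never concatenated into the served chain, which is why neither download format includes it.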
2 Replies
daphnissov
Immortal

To make this super simple, if all you're concerned about is the nagging message in your web browser, you don't need to replace those certificates with custom PKI from a third party. By far the easiest thing to do is simply download the root CA certificate from the appliance and stash it in your trusted root certificate store for those users. Once done, that message will go away.

0 Kudos
IRIX201110141
Champion

I swapped SSL certs somewhere in 5.5 for vCenter and I will never do it again......

1. You only need to replace a single cert if your intention is to get rid of the browser warning. IIRC it's the Machine_SSL cert which needs to be replaced, because this is the one which is used for that web socket on port 443.  Most of the others are service/user certs and are used by the up to 30 different services.

There was an interesting session at this year's VMworld about that topic. Not sure if it's already on YouTube or if you have a vmworld.com account to watch the recording.

"Deciphering Successful vSphere Certificate Implementation [VIN2463BE]"

- In vCenter 6.7 there is a GUI for that job!!!

- Official certs are a problem because the cert has some requirements. Also the SubjectAlternateName is something which an official CA often doesn't like.

Regards,

Joerg

0 Kudos