
Add Custom SSL Certificate to vCenter 7 with the vSphere Client

In vSphere 6.x, managing custom certificates with the VMCA was always difficult and fiddly from the CLI. The new vSphere 7 certificate management feature is reached by logging into vCenter with the vSphere Client and navigating from Home to the Administration section.

There you will find Certificate Management, where the current Machine Certificate and Trusted Root Certificate are shown. If the vCenter has just been installed these will be the VMCA self-signed certificates. Notice that solution certificates are not displayed in the GUI, because they will be deprecated in future versions. If you need to manage those you can still do so from the CLI.

From the Certificate Management page, under Machine Cert Actions, there are a number of options.

  1. Renew
  2. Import and Replace Certificate
  3. Generate a Certificate Signing Request (CSR)

Option 1 renews the current certificate with a new self-signed certificate issued by the VMCA. In this article I will be replacing the vCenter self-signed certificate with a custom certificate issued by my own internal Microsoft CA.

Process

Notice in the screenshot below that the current self-signed certificate is showing as ‘not secure’ in the browser, which is why we want to replace it.

Starting at the Certificate Management screen, open the Machine Cert Actions drop-down and select ‘Generate a Certificate Signing Request (CSR)’.

Certificate Management (vSphere 7)

On the next screen you will see the CSR wizard, which should be quite simple to fill out. Some of the fields are mandatory and others are optional. Once you have filled out the correct details, click Next.

CSR Wizard

On the final wizard screen you will see the generated CSR output. You can save the CSR to a file (recommended if you are sending it to your CA or want to keep it on record) or just copy it to the clipboard. Note that the private key stays on the vCenter.

Download or copy the CSR

Now you can take your CSR to your Certificate Authority and request a certificate. In my case this is my own internal Microsoft CA, but it could be any third-party issuer.

Microsoft CA

Browse to the CA then click ‘Request a certificate’.

Microsoft CA: Request a certificate

On the next screen click ‘advanced certificate request’.

Microsoft CA

Once the next screen loads click ‘Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.’

Ensure you are using the correct certificate template. To prepare the template, see VMware KB 2112009.

Paste the text from the CSR file, including everything from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST----- inclusive, then click Submit.

Microsoft CA

The certificate is issued immediately. Download both the new certificate and the certificate chain, making sure to select Base 64 encoded. Save them with relevant names in a location that you can easily find later.

Downloaded Certs

You’ll notice that the chain certificate was downloaded in *.p7b format, so you need to do a quick conversion to get it into Base64 X.509 form. To do that, double-click the downloaded chain.p7b file on the desktop. In the certificate that opens, click Details, then Copy to File. Click Next in the wizard, select Base-64 encoded X.509 (.CER), and click Next. Save the file as chain.cer.

For the certificate import into the VMCA both certificates need to be *.crt files. Change the file extension of both *.cer files to *.crt.

Import New Certificates

We can now switch back to the Certificate Management screen in vCenter. Select ‘Replace with Certificate generated from vCenter Server’. This wording is somewhat confusing, as it was the CSR that we generated from vCenter, not the certificate.

The last option on the screen would be used if we had chosen to create the CSR and private key externally, for example with OpenSSL.

Click Next.

Replace the Certificate

We now need to browse to the certificate files we downloaded and renamed. Put the vCenter certificate into the Machine SSL box and the chain certificate into the Chain box. Click Replace when ready, bearing in mind that the vCenter services will be restarted and connectivity will be briefly lost.

If you made a mistake or the certificates are in the wrong format, you will get an error and the existing certificate is left untouched.
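Before pressing Replace (and, earlier, before pasting a CSR into the CA form) it is worth confirming that each file is what the wizard expects: a Base-64 PEM X.509 certificate, with a single block for the Machine SSL box and one or more for the Chain box, rather than the raw .p7b bundle or a Base-64 PKCS#7 export. The following Python script is an added example and is not part of the original article or of VMware's own tooling; it uses only the standard library, and the file names and sample inputs in it are constructed stand-ins rather than real certificates. It goes slightly beyond the article's Windows GUI steps by also recognising a binary DER/.p7b file, a PEM-wrapped PKCS#7 bundle, and BEGIN/END lines that have been mangled in a copy-and-paste.

```python
import base64
import binascii
import re
from pathlib import Path

# One PEM block; the label is captured so the BEGIN and END lines must match.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 #]+)-----\s*(.*?)\s*-----END \1-----", re.S
)


def pem_blocks(text):
    """Return [(label, der_bytes)] for every PEM block; undecodable bodies give b''."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            der = b""
        blocks.append((label, der))
    return blocks


def der_sequence_ok(der):
    """True if der is exactly one complete DER SEQUENCE (the outer shape of a cert or CSR)."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length byte
        length, offset = first, 2
    else:                                 # long form: 0x8N followed by N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length = int.from_bytes(der[2:2 + n], "big")
        offset = 2 + n
    return offset + length == len(der)


def classify(data):
    """Return (kind, blocks) where kind is 'pem', 'binary-der', 'no-pem' or 'unknown'."""
    if b"-----BEGIN " not in data:
        # A binary DER certificate or a raw .p7b bundle starts with a SEQUENCE tag (0x30)
        return ("binary-der" if data[:1] == b"\x30" else "unknown"), []
    blocks = pem_blocks(data.decode("ascii", errors="replace"))
    return ("pem" if blocks else "no-pem"), blocks


def check_for_import(data, role):
    """role is 'machine' (Machine SSL box), 'chain' (Chain box) or 'csr'. Returns (ok, message)."""
    kind, blocks = classify(data)
    if kind == "binary-der":
        return False, "binary DER/PKCS#7 file: export as Base-64 encoded X.509 first"
    if kind != "pem":
        return False, "no PEM block found (check the BEGIN/END lines are intact)"
    labels = {label for label, _ in blocks}
    if "PKCS7" in labels:
        return False, "PEM PKCS#7 bundle: export the certificates as Base-64 X.509 instead"
    expected = "CERTIFICATE REQUEST" if role == "csr" else "CERTIFICATE"
    if labels != {expected}:
        return False, f"expected only {expected} blocks, found {sorted(labels)}"
    bad = [i for i, (_, der) in enumerate(blocks) if not der_sequence_ok(der)]
    if bad:
        return False, f"block(s) {bad} are not well-formed DER"
    if role != "chain" and len(blocks) != 1:
        return False, f"expected exactly one block, found {len(blocks)}"
    return True, f"{len(blocks)} {expected} block(s) OK"


def check_file(path, role):
    """Check a file on disk, e.g. check_file('chain.crt', 'chain')."""
    return check_for_import(Path(path).read_bytes(), role)


def pem_wrap(label, der):
    """Build a PEM block (as bytes) from a label and a DER payload."""
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n".encode()


# Constructed sample inputs (NOT real certificates): a 5-byte DER SEQUENCE stands in
# for the certificate body so the structural checks can be exercised offline.
FAKE_DER = b"\x30\x03\x02\x01\x01"
MACHINE_CRT = pem_wrap("CERTIFICATE", FAKE_DER)
CHAIN_CRT = pem_wrap("CERTIFICATE", FAKE_DER) * 2          # two-level chain
CHAIN_P7B_BINARY = FAKE_DER                                # stand-in for a raw .p7b download
CHAIN_P7B_PEM = pem_wrap("PKCS7", FAKE_DER)                # Base-64 PKCS#7, still not X.509
CSR_PEM = pem_wrap("CERTIFICATE REQUEST", FAKE_DER)

if __name__ == "__main__":
    for name, data, role in [("vcenter.crt", MACHINE_CRT, "machine"),
                             ("chain.crt", CHAIN_CRT, "chain"),
                             ("chain.p7b", CHAIN_P7B_BINARY, "chain"),
                             ("chain-b64.p7b", CHAIN_P7B_PEM, "chain"),
                             ("vcenter.csr", CSR_PEM, "csr")]:
        ok, msg = check_for_import(data, role)
        print(f"{name:14} {'OK ' if ok else 'ERR'} {msg}")
```

Point `check_file()` at the real vcenter.crt and chain.crt before uploading them; a failure here is the same class of problem that makes the wizard reject the files. On a machine with OpenSSL, the conversion the article performs in the Windows certificate dialog is equivalent to `openssl pkcs7 -inform DER -print_certs -in chain.p7b -out chain.crt`.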

Browse for the certificates

After a few moments the vSphere Client will restart, and when you attempt to log in you will see that the browser now shows the new custom certificate as valid.

The official documentation on managing certificates with the vSphere Client can be found on the VMware Documentation website.
