This post runs through the steps needed to add an SSL certificate, issued by a Windows Certificate Authority (CA), to your VMware VCSA or vCenter server.
1. Download OpenSSL from here.
2. Use the below as your template for the certificate, changing the parts in red to match your systems:
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
# List every name and address clients will use to reach the server
subjectAltName = DNS:MyVSCAserver1, IP:10.20.20.36, DNS:MyVSCAserver1.mydomain.com

[ req_distinguished_name ]
countryName = UK
stateOrProvinceName = London
localityName = London
0.organizationName = MyCompany
organizationalUnitName = MyCompany
# The FQDN here should also appear as a DNS entry in subjectAltName above
commonName = MyVSCAserver1.mydomain.com
3. Paste the above into the C:\OpenSSL-Win32\bin\openssl.cfg file (after removing the existing contents).
4. Run the below to create a certificate request from the information you gave above and create a key file:
openssl req -new -nodes -out rui.csr -keyout rui-orig.key -config openssl.cfg
5. Convert the key to RSA format with this command:
openssl rsa -in rui-orig.key -out rui.key
6. Go to the Microsoft CA and open a command prompt. Put the rui.csr file in a folder you can access on the CA server.
Run the following command:
certreq -submit -attrib "CertificateTemplate:WebServer" rui.csr
7. Select the CA:
8. Save the certificate as rui.cert.
9. Connect to the host that vCenter sits on and shut down vCenter.
10. Take a snapshot.
11. Start vCenter up again and click Menu > Administration.
12. Click certificate management, enter the FQDN and login details, then click login and manage certificates.
13. Scroll down to trusted root certificates > click Add > click Browse, then select the root certificate for your CA.
14. Click Add
You should now have a second root certificate visible.
15. Scroll up to the machine SSL certificate and click Actions/Replace
16. Click Browse and select the certificate we generated earlier from the CA. Then select the rui.key file that we generated at the beginning and click Replace.
17. You should see a success message
18. Go back to the ESXi host that vCenter is on and reboot vCenter
19. The certificate should now show as trusted and you won't get any more warnings.
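
Before the upload in step 16, it is worth confirming that the certificate returned by the CA carries the same public key as rui.key and that the subjectAltName entries from the template made it into the request. The script below is an added example, not part of the original post. It assumes a POSIX shell with openssl on the PATH and that rui.cert was saved in Base64 (PEM) form; the function names are illustrative.

```shell
#!/bin/sh
# Added example: sanity checks for the files produced in steps 4-8.
# File names (rui.key, rui.csr, rui.cert) follow the post; function names are illustrative.

# Print the public key of a private key, CSR or certificate as PEM.
pubkey_of() {   # usage: pubkey_of key|csr|cert FILE
    case "$1" in
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        *)    return 2 ;;
    esac
}

# Succeed only if both files carry the same public key.
same_pubkey() { # usage: same_pubkey key rui.key cert rui.cert
    a=$(pubkey_of "$1" "$2" 2>/dev/null) || return 2
    b=$(pubkey_of "$3" "$4" 2>/dev/null) || return 2
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Succeed only if the CSR or certificate lists exactly this SAN entry,
# written the way openssl prints it, e.g. "DNS:host.example" or
# "IP Address:10.20.20.36".
has_san() {     # usage: has_san csr|cert FILE ENTRY
    case "$1" in
        csr)  text=$(openssl req  -in "$2" -noout -text 2>/dev/null) || return 2 ;;
        cert) text=$(openssl x509 -in "$2" -noout -text 2>/dev/null) || return 2 ;;
        *)    return 2 ;;
    esac
    printf '%s\n' "$text" | tr -d '\r' | grep -A1 'Subject Alternative Name' |
        tr ',' '\n' | sed 's/^ *//' | grep -Fxq "$3"
}

# When run in the folder holding the files from the post, report on them.
if [ -f rui.key ] && [ -f rui.csr ]; then
    if same_pubkey key rui.key csr rui.csr; then
        echo "OK: rui.csr was built from rui.key"
    else
        echo "MISMATCH: rui.csr does not belong to rui.key"
    fi
    if [ -f rui.cert ]; then
        if same_pubkey key rui.key cert rui.cert; then
            echo "OK: rui.cert matches rui.key"
        else
            echo "MISMATCH: do not upload, rui.cert does not match rui.key"
        fi
    fi
fi
```

To check a specific name, call for example `has_san cert rui.cert "DNS:MyVSCAserver1.mydomain.com"`; a non-zero exit status means the entry is missing from the issued certificate.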