If company policy does not allow an intermediate CA, VMCA cannot generate the certificates for you. You use custom certificates from an enterprise or third-party CA.

The certificate must meet the following requirements:

Key size: 2048 bits or more (PEM encoded)

PEM format. VMware supports PKCS8 and PKCS1 (RSA keys). When keys are added to VECS, they are converted to PKCS8.

x509 version 3

For root certificates, the CA extension must be set to true, and Certificate Sign (keyCertSign) must be among the key usages.

SubjectAltName must contain DNS Name=<machine_FQDN>

CRT format

Contains the following Key Usages: Digital Signature, Non Repudiation, Key Encipherment

1. Send CSRs for the following certificates to your enterprise or third-party certificate provider.

A machine SSL certificate for each machine. For the machine SSL certificate, the SubjectAltName field must contain the fully qualified domain name (DNS NAME=machine_FQDN)

Optionally, four solution user certificates for each embedded system or management node. Solution user certificates should not include IP address, host name, or email address. Each certificate must have a different certificate Subject.

Typically, the result is a PEM file for the trusted chain, plus the signed SSL certificates for each Platform Services Controller or management node.

2. List the TRUSTED_ROOTS and machine SSL stores.

vecs-cli store list

a. Ensure that the current root certificate and all machine SSL certificates are signed by VMCA.

b. Note down the Serial number, Issuer, and Subject CN fields.

c. (Optional) With a Web browser, open an HTTPS connection to a node where the certificate will be replaced, check the certificate information, and ensure that it matches the machine SSL certificate.

3. Stop all services and start the services that handle certificate creation, propagation, and storage.

The service names differ on Windows and the vCenter Server Appliance.

Windows

service-control --stop --all
service-control --start VMWareAfdService
service-control --start VMWareDirectoryService
service-control --start VMWareCertificateService

vCenter Server Appliance

service-control --stop --all
service-control --start vmafdd
service-control --start vmdird
service-control --start vmcad

4. Publish the custom root certificate, which is the signing certificate from the third-party CA.

dir-cli trustedcert publish --cert <my_custom_root>

If you do not specify a user name and password on the command line, you are prompted.

5. Restart all services.

service-control --start --all

You can remove the original VMCA root certificate from the certificate store if company policy requires it. If you do, you have to refresh these internal certificates:

Replace the vCenter Single Sign-On Signing certificate. See Refresh the Security Token Service Certificate.

Replace the VMware Directory Service certificate. See Replace the VMware Directory Service Certificate.