vCenter Server Appliance 6.7 as Sub CA with Easy-RSA


Ubuntu 20.04 CA with Easy-RSA

Install and setup working environment

sudo apt update
sudo apt install easy-rsa
mkdir ~/easy-rsa
ln -s /usr/share/easy-rsa/* ~/easy-rsa/
chmod 700 ~/easy-rsa
cd ~/easy-rsa
cp vars.example vars

Edit vars, uncomment the following section and fill in your own values

set_var EASYRSA_REQ_COUNTRY "US"
set_var EASYRSA_REQ_PROVINCE "California"
set_var EASYRSA_REQ_CITY "San Francisco"
set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
set_var EASYRSA_REQ_EMAIL "me@example.net"
set_var EASYRSA_REQ_OU "My Organizational Unit"

Initialize the PKI and build the CA

./easyrsa init-pki
./easyrsa build-ca

SSH to the vCenter appliance (vmca) and launch bash from the appliance shell

shell

Change root’s default shell to bash so files can be transferred in and out with sftp

chsh -s /bin/bash root

Launch the certificate manager to replace the certificates

/usr/lib/vmware-vmca/bin/certificate-manager

Select Option 2

Replace VMCA Root certificate with Custom Signing Certificate and replace all Certificates

Choose Yes to generate certificates with a config file

Do you wish to generate all certificates using configuration file : Option[Y/N] ? : Y

Provide your vCenter SSO credentials when prompted
Update the certificate parameters (certool.cfg values) to match your environment

Select Option 1

Generate Certificate Signing Request(s) and Key(s) for VMCA Root Signing certificate

Provide a directory in which to save the certificate request and key
/root

Transfer the certificate signing request to the Easy-RSA CA

From the CA host, fetch the CSR from the appliance

sftp root@vmca.example.local
get vmca_issued_csr.csr

Import the CSR into Easy-RSA under the short name vmca

./easyrsa import-req vmca_issued_csr.csr vmca

Sign the request with the ca type so the issued certificate is a subordinate CA, not a server certificate

./easyrsa sign-req ca vmca

Create a certificate bundle with the new sub CA certificate first, followed by the root CA certificate

cat pki/issued/vmca.crt pki/ca.crt > vmca-bundle.crt

Transfer the bundle certificate to the appliance

sftp root@vmca.example.local
put vmca-bundle.crt

Critical step: wait 1 hour after the CSR was created before trying to import the new certificate, otherwise the import fails with a time error.
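A sanity check to run on the CA host before copying the bundle over (an added example, not part of the original post and not an Easy-RSA or VMware tool): it confirms the bundle holds the sub CA certificate followed by the root, that the sub CA certificate was actually signed with CA:TRUE, and that the chain verifies with the clock wound back by SKEW seconds (default 3600), which models an appliance whose clock lags the CA and reproduces the one-hour wait above. It assumes openssl and awk are available and uses the file names from the post.

```shell
#!/bin/sh
# check_vmca_bundle ROOT_CA.crt BUNDLE.crt [SKEW_SECONDS]
# Returns 0 when the bundle is safe to import, 1 with a reason on stderr otherwise.
check_vmca_bundle() {
    root="$1"; bundle="$2"; skew="${3:-3600}"
    tmp=$(mktemp -d) || return 1
    # Split the bundle: first PEM block is the subordinate (VMCA) certificate,
    # everything after it is the chain that should be the root CA.
    awk '/-----BEGIN CERTIFICATE-----/{n++} n==1' "$bundle" > "$tmp/sub.crt"
    awk '/-----BEGIN CERTIFICATE-----/{n++} n>=2' "$bundle" > "$tmp/chain.crt"
    count=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$bundle")
    if [ "$count" -ne 2 ]; then
        echo "bundle must contain exactly 2 certificates (sub CA, then root), found $count" >&2
        rm -rf "$tmp"; return 1
    fi
    # The second block must be the same root CA that signed the request.
    r1=$(openssl x509 -in "$root" -noout -fingerprint -sha256 2>/dev/null)
    r2=$(openssl x509 -in "$tmp/chain.crt" -noout -fingerprint -sha256 2>/dev/null)
    if [ -z "$r1" ] || [ "$r1" != "$r2" ]; then
        echo "second certificate in bundle is not the root CA (wrong order?)" >&2
        rm -rf "$tmp"; return 1
    fi
    # VMCA can only issue from a certificate that is itself a CA (sign-req ca, not server).
    if ! openssl x509 -in "$tmp/sub.crt" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
        echo "VMCA certificate lacks CA:TRUE; re-sign it with './easyrsa sign-req ca vmca'" >&2
        rm -rf "$tmp"; return 1
    fi
    # Verify the chain as if the clock were SKEW seconds behind. A freshly signed
    # certificate fails here, which is the "wait before importing" condition.
    at=$(( $(date +%s) - skew ))
    if ! openssl verify -attime "$at" -CAfile "$root" "$tmp/sub.crt" >/dev/null 2>&1; then
        echo "chain does not verify ${skew}s in the past: not yet valid, or not issued by this root" >&2
        rm -rf "$tmp"; return 1
    fi
    rm -rf "$tmp"
    return 0
}
```

Run it as check_vmca_bundle pki/ca.crt vmca-bundle.crt; a non-zero exit right after signing is expected and simply means the bundle is not old enough yet.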

If your session on the appliance has not timed out, select option 1 and then skip down to “Providing Certificates”

Continue to importing Custom certificate(s) and key(s) for VMCA Root Signing certificate


If your session did time out, re-launch the certificate manager and select option 2 again

Replace VMCA Root certificate with Custom Signing Certificate and replace all Certificates

Skip reconfiguring the config file, since the values from the first run are still in place

certool.cfg file exists, Do you wish to reconfigure : Option[Y/N] ? : N

Select option 2

Import custom certificate(s) and key(s) to replace existing VMCA Root Signing certificate

Providing Certificates

Give the bundle (sub CA followed by root) as the certificate and the key that certificate-manager generated alongside the CSR

Please provide valid custom certificate for Root.
File : /root/vmca-bundle.crt

Please provide valid custom key for Root.
File : /root/vmca_issued_key.key


Confirm to begin the replacement

You are going to replace Root Certificate with custom certificate and regenerate all other certificates
Continue operation : Option[Y/N] ? : Y


Hope for no errors like I did so many times 🙂 and wait a while for it to complete.

Get site name
Completed [Replacing Machine SSL Cert…]

Update VAMI with the CA certificate bundle

Copy the bundle certificate to the VAMI config directory

cp /root/vmca-bundle.crt /etc/applmgmt/appliance/ca.crt

Point the VAMI web server at the CA bundle by adding the ssl.ca-file line to the lighttpd SSL section

vi /opt/vmware/etc/lighttpd/lighttpd.conf

ssl.engine = "enable"
ssl.pemfile = "/etc/applmgmt/appliance/server.pem"
ssl.ca-file = "/etc/applmgmt/appliance/ca.crt"


Restart the VAMI lighttpd service so it picks up the new chain

/sbin/service vami-lighttp restart


Wait 24 hours before trying to add any ESXi hosts, otherwise the host certificates issued by the new VMCA may fail the same time check.
