VMCA 6.5 with Embedded PSC as an Intermediate CA

One of my most popular blog articles is the configuration of VMCA 6.5 as an Intermediate CA, but that article is specific to environments with an external Platform Services Controller (PSC), where the VMCA is configured before the vCenter Server Appliance (VCSA) is deployed. I have received a lot of great feedback on that article and numerous requests to show how to do the same thing on a VCSA with an Embedded PSC. So I've decided to do exactly that...so here it is!

Just a quick recap before we get started: I will be using the same Microsoft PKI infrastructure running on Windows Server 2016. Here are two articles to help you get started with that portion of the infrastructure. The first one discusses Server 2012 R2, but the same steps work on Server 2016.

Enterprise PKI with Windows Server 2012 R2

VMware KB 2112009 – Creating MS CA Templates

There is a very important VMware KB article (2145544) that you should review before starting this procedure. The difference between my first VMCA 6.5 article and this one is that we are now using a VCSA with an Embedded PSC, so vCenter Server is already deployed and we are replacing certificates on a live system. If you followed my other article and tried it on an Embedded PSC, you most likely ran into errors. The fix is to create the certificate signing request (CSR) with OpenSSL, using the configuration file from the KB, instead of with the native VCSA Certificate Manager. Whatever generates the request, the certificate that comes back must be a CA certificate (Basic Constraints CA:TRUE), which is what a Subordinate Certification Authority template on the Microsoft CA provides; a certificate issued from a plain server template is what triggers the 'Not a CA Cert' error in the KB title. The KB covers the steps for both vCenter Server on Windows and the vCenter Server Appliance.

We start right away with creating the CSR, following the procedure the KB outlines for the VCSA (vCenter Server Appliance). The only thing I do differently from the KB is to create a 'certs' folder inside /tmp on the VCSA, simply to keep the files organized.

I am also using vCenter Server 6.5 Update 1 (Build 8024368), so a few screens may look a little different from my other VMCA 6.5 post.

Let’s create the certificate request!

  1. Open an SSH session (PuTTY) to the VCSA and create the file 'vmca_root.cfg' in /tmp/certs. This file holds the information for the certificate request.
    [Screenshot: 01 - CSR]
  2. Using nano or vi, add the request configuration to the file (the contents are in the KB article above if you need to reference them): your distinguished-name details for the VMCA and the v3_req extensions, most importantly basicConstraints = CA:TRUE. Save the file.
    [Screenshot: 02 - CSR content]
  3. Next, use OpenSSL to generate the certificate request against that configuration file. This produces two files: the .csr file and the .key file. I specify a longer RSA key (4096) instead of the default 2048, just because I want to 🙂. Two things to note: a request has no validity period of its own (the openssl req -days option only applies to self-signed -x509 certificates; the lifetime of the issued certificate is decided by the CA template), and the key must be written without a passphrase (-nodes), because certificate-manager cannot read an encrypted key and the import in step 17 would fail with a key I/O error.
     root@vcsa [ ~ ]# openssl req -new -nodes -newkey rsa:4096 -config /tmp/certs/vmca_root.cfg -keyout /tmp/certs/vmca.key -out /tmp/certs/vmca.csr

    [Screenshot: 03 - OpenSSL]

  4. The command completes and the new .csr and .key files are in /tmp/certs/ on the VCSA. The .key file stays on the appliance; only the .csr needs to leave it.
    [Screenshot: 04 - OpenSSL Success]
  5. Open WinSCP and copy the .csr file to your workstation.
    [Screenshot: 05 - WinSCP]
  6. Open the .csr file in Notepad and copy its contents: the whole Base-64 block from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST-----. (This is the PEM-encoded request itself, not a thumbprint.)
    [Screenshot: 06 - Copy CSR contents]
  7. Open the web enrollment page of my Microsoft Enterprise Subordinate CA in a browser and choose Request a certificate.
    [Screenshot: 07 - Request Certificate]
  8. Choose 'advanced certificate request'; the page proceeds to the next step automatically.
    [Screenshot: 08 - Adv Cert Request]
  9. Paste the request text you copied into the 'Saved Request' box, choose the 'vSphere 6.5 VMCA' template (a Subordinate Certification Authority template, so that the issued certificate is a CA certificate) and click Submit.
    [Screenshot: 09 - SubRequest]
  10. Select the 'Base 64 encoded' option and download both the certificate and the certificate chain. I keep a local '_UTILS\Certs\' directory on my workstation for everything I am working with.
    [Screenshot: 10 - Certificate Download]
  11. Right-click certnew.p7b (the certificate chain) and select Open. The Windows certificate viewer shows all three (3) certificates. Right-click each one, select All Tasks > Export, and follow the wizard, choosing the Base-64 encoded X.509 (.CER) format, to save each certificate to a local directory. When finished I have the following three (3) certificates saved locally on my workstation.


  12. Next I need to merge these three (3) certificates into one (1) file. I do that on my Windows workstation from an elevated command prompt. Whether you concatenate them with copy /b, type, or a text editor, the result must be plain Base-64 PEM text with each certificate's complete BEGIN/END block, and the blocks MUST BE in the following order:
    -----BEGIN CERTIFICATE-----
    <Certificate of VMCA>
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    <Certificate of Subordinate CA>
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    <Certificate of Root CA>
    -----END CERTIFICATE-----

    [Screenshot: 13 - Merge Certificates]

  13. Verify that the merged certificate file exists in the directory. You can also verify the merge by opening the file in Notepad: you should see all three (3) BEGIN/END CERTIFICATE blocks, each starting on its own line. If an exported .cer file had no trailing newline, an -----END CERTIFICATE----- line and the next -----BEGIN CERTIFICATE----- can run together on one line, which certificate-manager will not accept; fix that before continuing.
    [Screenshot: 14 - New VCSA Cert]
  14. Return to the WinSCP session and copy the merged certificate back to the VCSA (I put it in /tmp/certs next to the key). Before going further, take a snapshot or backup of the VCSA: the next steps replace the VMCA root and every certificate issued from it and restart the vCenter services.
    [Screenshot: 15 - Copy Cert]
  15. Return to the SSH session on the VCSA and launch the Certificate Manager with the following command:
    root@vcsa [ ~ ]# /usr/lib/vmware-vmca/bin/certificate-manager

    [Screenshot: 16 - Certificate Manager]

  16. Select Option 2, 'Replace VMCA Root certificate with Custom Signing Certificate and replace all Certificates', and proceed through the prompts (you will be asked for the SSO administrator credentials). What you enter at the certool.cfg prompts is not critical here, since you will supply your own certificate and key in a moment. You will then come to a part of the wizard with two (2) options: one to generate the CSR and keys, and a second to import custom certificates and keys and replace the existing VMCA root signing certificate. We use Option 2 here because we already have everything from OpenSSL and our Microsoft PKI.
    [Screenshot: 17 - Import Custom Cert]
  17. Specify the path to the merged certificate chain you copied to /tmp/certs and the path to the key (/tmp/certs/vmca.key), then allow some time for the Certificate Manager to complete. It replaces the VMCA root, regenerates the machine SSL and solution user certificates, and restarts services, so expect the vSphere Web Client to be unavailable for a few minutes.
    [Screenshot: 18 - Cert Paths]
  18. The certificate update process completes!
    [Screenshot: 19 - Certificates Updated]
  19. Next let's verify the certificates. Open a browser to the Platform Services Controller web interface (https://<vcsa-fqdn>/psc), select Certificate Management, enter the SSO administrator credentials one more time and click Submit.

    [Screenshot: 20 - Certificate Mgmt]

  20. Go through the three (3) tabs for Machine Certificates, Solution User Certificates and Trusted Root Certificates and click 'Show Details' to view each certificate. The machine SSL and solution user certificates should now be issued by your VMCA, and the Trusted Root Certificates tab should list the VMCA certificate chained to your subordinate and enterprise root CAs. Your browser will trust the new machine certificate as soon as the workstation trusts your enterprise root CA.
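The following script is an added example, not a command from the original post and not VMware code. It shows what steps 1 through 13 produce and the checks worth running on the result before handing it to certificate-manager in step 17. Because it has to run offline, it generates a throwaway root -> subordinate -> VMCA PKI locally with OpenSSL; the local signing stands in for the Microsoft CA, and the ca.ext file plays the role of the Subordinate Certification Authority template (a Microsoft CA applies the template's extensions, not the ones in the CSR). The VMCA request is generated the same way as step 3, from a config modelled on the KB's vmca_root.cfg with made-up field values (vcsa.example.local, Example Lab, and so on). It then assembles the chain in the step 12 order and tests the failures that actually happen in practice: a passphrase-protected key, certificates in the wrong order, a certificate issued from a non-CA template (the KB 2145544 'Not a CA Cert' case), a chain with the wrong number of certificates, and a chain that does not validate.

```shell
#!/bin/sh
# Added example (not from the original post or from VMware): build the three-certificate
# PEM file certificate-manager's "import custom certificates" option expects and check it
# for the mistakes this procedure is prone to. A throwaway root -> subordinate -> VMCA PKI
# is generated locally so the script runs offline; every name in it is hypothetical.
set -eu

# Minimal request config for the throwaway root and subordinate CAs.
mk_cfg() {
  printf '[ req ]\ndistinguished_name = dn\nprompt = no\n[ dn ]\ncommonName = %s\n' "$2" > "$1"
}

# Request config modelled on the vmca_root.cfg from KB 2145544: no interactive prompts,
# an unencrypted key, and basicConstraints CA:TRUE so the request asks for a CA cert.
write_vmca_cfg() {
  cat > "$1" <<EOF
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:TRUE
keyUsage = digitalSignature, keyCertSign, cRLSign
subjectAltName = DNS:$2
[ req_distinguished_name ]
countryName = US
0.organizationName = Example Lab
commonName = $2
EOF
}

# Constructed test PKI. ca.ext plays the role of the Subordinate CA template: a
# Microsoft CA applies the template's extensions, not the ones carried in the CSR.
make_test_pki() {
  pki=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,digitalSignature,keyCertSign,cRLSign\n' > "$pki/ca.ext"
  mk_cfg "$pki/root.cfg" "Example Root CA"
  mk_cfg "$pki/sub.cfg" "Example Subordinate CA"
  openssl req -new -nodes -newkey rsa:2048 -config "$pki/root.cfg" -keyout "$pki/root.key" -out "$pki/root.csr" 2>/dev/null
  openssl x509 -req -in "$pki/root.csr" -signkey "$pki/root.key" -days 3650 -set_serial 1 -extfile "$pki/ca.ext" -out "$pki/root.cer" 2>/dev/null
  openssl req -new -nodes -newkey rsa:2048 -config "$pki/sub.cfg" -keyout "$pki/sub.key" -out "$pki/sub.csr" 2>/dev/null
  openssl x509 -req -in "$pki/sub.csr" -CA "$pki/root.cer" -CAkey "$pki/root.key" -set_serial 2 -days 1825 -extfile "$pki/ca.ext" -out "$pki/sub.cer" 2>/dev/null
  # The VMCA request, generated as in step 3 of the procedure (-nodes, -config, no -days).
  write_vmca_cfg "$pki/vmca_root.cfg" vcsa.example.local
  openssl req -new -nodes -newkey rsa:2048 -config "$pki/vmca_root.cfg" -keyout "$pki/vmca.key" -out "$pki/vmca.csr" 2>/dev/null
  # Issued from the CA template ...
  openssl x509 -req -in "$pki/vmca.csr" -CA "$pki/sub.cer" -CAkey "$pki/sub.key" -set_serial 3 -days 730 -extfile "$pki/ca.ext" -out "$pki/vmca.cer" 2>/dev/null
  # ... and what comes back from a plain Web Server template: no CA:TRUE (the KB 2145544 case).
  openssl x509 -req -in "$pki/vmca.csr" -CA "$pki/sub.cer" -CAkey "$pki/sub.key" -set_serial 4 -days 730 -out "$pki/vmca_notca.cer" 2>/dev/null
}

# Step 12: concatenate VMCA, subordinate, root. An exported .cer may lack a trailing
# newline, which would glue its END line to the next BEGIN line; guard against that.
build_chain() {
  for f in "$@"; do
    cat "$f"
    if [ -n "$(tail -c 1 "$f")" ]; then echo; fi
  done
}

pem_block_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true; }
nth_cert() {  # print the n-th PEM certificate block of a file
  awk -v n="$2" '/-----BEGIN CERTIFICATE-----/ { i++ } i == n { print } /-----END CERTIFICATE-----/ && i == n { exit }' "$1"
}
cert_fp()     { openssl x509 -in "$1" -noout -fingerprint -sha256; }
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey; }
key_pubkey()  { openssl pkey -in "$1" -pubout; }

# The checks to run on (merged chain, key, trusted root) before step 17.
chain_checks() {
  chain=$1; key=$2; root=$3; s=$4
  n=$(pem_block_count "$chain")
  if [ "$n" -ne 3 ]; then echo "FAIL: expected 3 certificates, found $n"; return 1; fi
  nth_cert "$chain" 1 > "$s/first.pem"; nth_cert "$chain" 2 > "$s/second.pem"; nth_cert "$chain" 3 > "$s/third.pem"
  # certificate-manager reads the key without a passphrase prompt (hence -nodes in step 3).
  if grep -q ENCRYPTED "$key"; then echo "FAIL: $key is passphrase-protected"; return 1; fi
  # Wrong order or wrong file shows up as the first block not matching the key.
  if [ "$(cert_pubkey "$s/first.pem")" != "$(key_pubkey "$key")" ]; then
    echo "FAIL: first certificate does not match the key (VMCA cert must come first)"; return 1; fi
  # The condition behind the 'Not a CA Cert' error in KB 2145544.
  if ! openssl x509 -in "$s/first.pem" -noout -text | grep -q 'CA:TRUE'; then
    echo "FAIL: first certificate lacks basicConstraints CA:TRUE (wrong template?)"; return 1; fi
  if [ "$(cert_fp "$s/third.pem")" != "$(cert_fp "$root")" ]; then
    echo "FAIL: last certificate is not the trusted root"; return 1; fi
  # Finally, does VMCA -> subordinate -> root actually validate?
  if ! openssl verify -CAfile "$root" -untrusted "$s/second.pem" "$s/first.pem" >/dev/null 2>&1; then
    echo "FAIL: chain does not verify"; return 1; fi
  echo "OK: $chain is ready for certificate-manager"
}
check_chain() {  # usage: check_chain merged.cer vmca.key root.cer ; exit status 0 means OK
  scratch=$(mktemp -d)
  if chain_checks "$1" "$2" "$3" "$scratch"; then rc=0; else rc=1; fi
  rm -rf "$scratch"
  return $rc
}

main() {
  d=$(mktemp -d)
  make_test_pki "$d"
  build_chain "$d/vmca.cer" "$d/sub.cer" "$d/root.cer" > "$d/vmca_chain.cer"
  check_chain "$d/vmca_chain.cer" "$d/vmca.key" "$d/root.cer"
  build_chain "$d/vmca_notca.cer" "$d/sub.cer" "$d/root.cer" > "$d/bad_chain.cer"
  check_chain "$d/bad_chain.cer" "$d/vmca.key" "$d/root.cer" || true
  rm -rf "$d"
}
main
```

Run it on any machine with OpenSSL on the PATH. To check your real files, source the script and call check_chain with the merged chain from step 13, the vmca.key from step 3 and a Base-64 export of your enterprise root certificate; only a chain that prints OK is worth copying to the VCSA.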


So that is pretty much all there is to configuring the VMCA on a VCSA with an Embedded PSC as an Intermediate CA in your existing Microsoft PKI. The procedure is nearly identical to configuring the VMCA on an external PSC, except that you generate the certificate request and key with OpenSSL rather than with the local Certificate Manager. One follow-up to plan for: ESXi hosts keep the certificates the old VMCA issued them until you renew them from each host's Certificate page in the Web Client, so schedule that as well.

I hope this helps all of you out there attempting to perform this procedure. If you have any questions or comments please let me know.

I plan on providing procedures for VCSA 6.7 so stay tuned and subscribe to my blog!

Useful Links

Replace VMCA Root Certificate with Custom Signing Certificate and Replace All Certificates (VMware Docs)

Generate CSR with vSphere Certificate Manager and Prepare Root Certificate (Intermediate CA) (VMware Docs)

VMware KB 2145544 – Replacing the vCenter Server's VMCA certificate with a Subordinate Certificate Authority certificate fails with the error: Not a CA Cert

VMCA 6.5 as an Intermediate CA (my previous post, for an External PSC on 6.5)


2 thoughts on "VMCA 6.5 with Embedded PSC as an Intermediate CA"

  1. Firstly, thanks for all of the posts.
    I have come a bit unstuck and just seem to constantly get the Status: Failed, Error Code: 70009, Error message: Key I/O failure. I think that part of it may be down to the PEM passphrase message when I execute point 3. Your instructions make no mention of being prompted to enter a PEM passphrase, so I just made one up and then I am asked to continue entering the information that I already used in the vmca_root.cfg file. Do you know where I am going wrong? Any assistance will be appreciated. Thanks. T

