VMCA 6.5 Update 2 as a Subordinate CA

We are going to walk through how to create a Subordinate CA from your own internal CA. We’ll be using Microsoft for our CA but you are welcome to use your own.

One of the reasons for this particular guide is just due to some changes I noticed in Update 2 that may not be clear when using older documentation. I’ve retrofitted the older documentation that I found so hopefully this is easier to follow.

Video Demonstration


First, we are going to take VMware KB2112009 and slim it down.

Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.5 Update 2

Note: If you have a Root CA (offline) and a Subordinate CA (online), the instructions here will need to be carried out on the Subordinate CA. After all, he’s the only one online. Right? 😉

If you want to buck normal convention and only have the Root CA be online, you will do these steps on him instead.

  1. Click Start > Run and then type: certtmpl.msc
  2. Find the Subordinate Certificate Authority template and right click it and select Duplicate Template
  3. Change the Certificate Authority to Windows Server 2008
  4. Click the General tab
  5. Change the Template display name to: vSphere 6.x VMCA
  6. Change the Validity period to 10 years and the Renewal period to 5 years. (Things to note here: you can choose values that conform to your own company's requirements. Further, when the VMCA issues certificates, the validity period is 2 years by default regardless of what you put here; this seems to be new in Update 2.)
  7. Click the Extensions tab
  8. Select Key Usage and click Edit
  9. Adjust the settings to conform to the following:

  1. Click OK (or Cancel if you did not have to make changes)
  2. Click OK to save the template
  3. Click Start > Run and then type: certsrv.msc
  4. Expand the left pane
  5. Right click Certificate Templates and click New > Certificate Template to Issue
  6. Locate vSphere 6.x VMCA (the template you created above) and select it and then click OK

Configuring the PSC to be a Subordinate CA in vSphere 6.5 Update 2

Now we need to create a CSR. Generally you'd SSH into your PSC and use a tool called certificate-manager. It's a text-driven menu tool that doesn't work well. This has been the case for as long as I can remember it being available. So we are going to cut through that to get this done properly.

  1. SSH into your PSC as root
  2. You may have to type shell in order to get to a prompt.
  3. Type the following to enable bash: chsh -s /bin/bash root
  4. Let's create a certs directory to store all of our goodies: mkdir /certs
  5. So, now we have choices.
    • You can edit /var/tmp/vmware/certool.cfg manually. It will end up looking like this:

Country = US
Organization = Contoso
OrgUnit = Contoso, Inc.
State = Washington
Locality = Seattle
#IPAddress =
Email = admin@contoso.ad
Hostname = psc01.contoso.ad

Feel free to edit this file manually with vi. Change the fields that you need to change for your organization and then save it.

  • Your other option is to run the certificate-manager tool and then kill the tool after it's updated the certool.cfg file. So, let's run through that real quick.
  1. Type the following to get started with the certificate-manager tool (it is in your best interest to make your SSH window bigger, or it will look all jumbled): /usr/lib/vmware-vmca/bin/certificate-manager
  2. You are going to type 2
  3. Now type Y
  4. It will now ask you for your SSO username and password. This is going to be something like administrator@vsphere.local (or whatever variation you used).

Please provide valid SSO and VC priviledged user credential to perform certificate operations.
Enter username [Administrator@vsphere.local]:administrator@vsphere.local
Enter password:

  1. If it shows the following, type Y

certool.cfg file exists, Do you wish to reconfigure : Option[Y/N] ? :

  1. It will now start asking you the following questions. The answers I gave are shown after each prompt (they were highlighted in red in the original screenshots). You will do the same but adjust these to fit your company instead:

Enter proper value for 'Country' [Default value : US] :
Enter proper value for 'Name' [Default value : CA] : CONTOSO-PSC-CA01
Enter proper value for 'Organization' [Default value : VMware] : Contoso
Enter proper value for 'OrgUnit' [Default value : VMware Engineering] : Contoso, Inc.
Enter proper value for 'State' [Default value : California] : Washington
Enter proper value for 'Locality' [Default value : Palo Alto] : Seattle
Enter proper value for 'IPAddress' (Provide comma separated values for multiple IP addresses) [optional] :
Enter proper value for 'Email' [Default value : email@acme.com] : admin@contoso.com
Enter proper value for 'Hostname' (Provide comma separated values for multiple Hostname entries) [Enter valid Fully Qualified Domain Name(FQDN), For Example : example.domain.com] : psc01.contoso.ad  <-- This needs to be the FQDN of your PSC
Enter proper value for VMCA 'Name' :CONTOSO-PSC-CA01

  1. Now. STOP! Let me tell you a secret. If you continue with the certificate-manager tool and let it create the CSR, your certificate will actually end up wrong (quite the bug and quite frustrating if you don’t know a way around it). Instead of all those values you entered, it will end up with VMware defaults. Even though it updates the certool.cfg file correctly, the actual CSR (and subsequent certificate) will have fields like the following:

Country = US
Name = CA
Organization = VMware
OrgUnit = VMware, Inc.
State = California
Locality = Palo Alto
#IPAddress =
Email = admin@vmware.com
Hostname = psc01.contoso.ad

This bug may have been fixed by the time you read this, but bottom line, the certool command below always works. 🙂

So, at this point, we want to hit Ctrl-C to break out of the certificate-manager tool. It's already written to the /var/tmp/vmware/certool.cfg file.

Let’s type the following just to verify that the certool.cfg file is correct: cat /var/tmp/vmware/certool.cfg

  1. Now that we have the certool.cfg file correct and you are at a bash prompt, we can move on to actually creating the CSR properly. Type the following (all on one line; note the double hyphens on each option): /usr/lib/vmware-vmca/bin/certool --initcsr --privkey=/certs/vmca_issued_private_key.key --pubkey=/certs/vmca_issued_public_key.key --csrfile=/certs/vmca_issued_csr.csr --config=/var/tmp/vmware/certool.cfg
  2. Now type: cd /certs
  3. Type: ls
  4. The following files should be present:

vmca_issued_csr.csr   vmca_issued_private_key.key   vmca_issued_public_key.key
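Because of the bug described above, it is worth checking that the CSR really carries the values from certool.cfg before you submit it to your CA. The following is an added example (not from the original post and not part of VMware's tooling) that compares the config file against the subject line printed by openssl req -in /certs/vmca_issued_csr.csr -noout -subject -nameopt RFC2253. The mapping of certool.cfg keys to DN attributes (in particular Name to CN, and Hostname/IPAddress landing in the SAN rather than the subject) is an assumption you may need to adjust; the sample config and subject lines at the bottom are constructed from the values in this post.

```python
"""Check that a VMCA CSR actually carries the values from certool.cfg.

Added example, not from the original post or from VMware's tooling. It
compares the fields in /var/tmp/vmware/certool.cfg against the subject
printed by:

    openssl req -in /certs/vmca_issued_csr.csr -noout -subject -nameopt RFC2253

The mapping of certool.cfg keys to DN attributes (Name -> CN) is an
assumption; adjust CFG_TO_DN if your CSR lays them out differently.
"""
import re
import subprocess
from pathlib import Path

# certool.cfg key -> attribute type as printed by openssl in RFC2253 form.
# Assumed mapping. Hostname and IPAddress are assumed to land in the SAN,
# not the subject, so they are not compared here.
CFG_TO_DN = {
    "Country": "C",
    "Name": "CN",
    "Organization": "O",
    "OrgUnit": "OU",
    "State": "ST",
    "Locality": "L",
    "Email": "emailAddress",
}


def parse_certool_cfg(text):
    """Parse 'Key = Value' lines; '#' starts a comment, blank lines are ignored."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def parse_rfc2253_subject(line):
    """Turn 'subject=C=US,ST=Washington,OU=Contoso\\, Inc.' into a dict.

    RFC 2253 escapes a comma inside a value with a backslash, so the string
    is split only on unescaped commas and the escapes are then removed.
    """
    line = line.strip()
    if line.startswith("subject="):
        line = line[len("subject="):]
    attrs = {}
    for rdn in re.split(r"(?<!\\),", line):
        attr_type, _, attr_value = rdn.partition("=")
        attrs[attr_type.strip()] = re.sub(r"\\(.)", r"\1", attr_value)
    return attrs


def find_mismatches(cfg, subject_attrs):
    """Return {attribute: (expected, actual)} for every value that differs."""
    mismatches = {}
    for cfg_key, dn_attr in CFG_TO_DN.items():
        if cfg_key not in cfg:
            continue
        actual = subject_attrs.get(dn_attr)
        if actual != cfg[cfg_key]:
            mismatches[dn_attr] = (cfg[cfg_key], actual)
    return mismatches


def check_csr(cfg_path="/var/tmp/vmware/certool.cfg",
              csr_path="/certs/vmca_issued_csr.csr"):
    """Run openssl against the real files on the PSC and report mismatches."""
    cfg = parse_certool_cfg(Path(cfg_path).read_text())
    out = subprocess.run(
        ["openssl", "req", "-in", csr_path, "-noout", "-subject",
         "-nameopt", "RFC2253"],
        check=True, capture_output=True, text=True).stdout
    return find_mismatches(cfg, parse_rfc2253_subject(out))


# Constructed sample input: the certool.cfg values from the post, plus two
# subject lines shaped like openssl's output: one correct, one showing the
# VMware defaults the post warns about.
SAMPLE_CFG = """\
Country = US
Name = CONTOSO-PSC-CA01
Organization = Contoso
OrgUnit = Contoso, Inc.
State = Washington
Locality = Seattle
#IPAddress =
Email = admin@contoso.ad
Hostname = psc01.contoso.ad
"""
GOOD_SUBJECT = ("subject=emailAddress=admin@contoso.ad,CN=CONTOSO-PSC-CA01,"
                "OU=Contoso\\, Inc.,O=Contoso,L=Seattle,ST=Washington,C=US")
BUGGY_SUBJECT = ("subject=emailAddress=admin@vmware.com,CN=CA,"
                 "OU=VMware\\, Inc.,O=VMware,L=Palo Alto,ST=California,C=US")

if __name__ == "__main__":
    cfg = parse_certool_cfg(SAMPLE_CFG)
    for label, subj in (("good", GOOD_SUBJECT), ("buggy", BUGGY_SUBJECT)):
        bad = find_mismatches(cfg, parse_rfc2253_subject(subj))
        print(label, "OK" if not bad else bad)
```

Run it as-is on the PSC and it exercises the constructed samples; call check_csr() to test the real files. An empty result means the CSR matches certool.cfg; anything else lists the attributes that came out with VMware's defaults, which is exactly the condition where you should stop, re-check the config, and regenerate the CSR with certool rather than submit it to your CA.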

  1. Type: cat vmca_issued_csr.csr
  2. You are going to copy that text and submit it to the CA you created earlier. Generally this is done via a web page if you are using the Microsoft CA we set up earlier: http://subca01/certsrv  <-- Change the name to point to the CA server that you configured.
  3. The following will be instructions using the Microsoft CA. You can adapt them to whatever CA you have installed in your organization.
  4. Once at that URL, click Download a CA certificate, certificate chain, or CRL
  5. Select Base 64
  6. Click Download CA certificate chain and save the file somewhere so you can get at it. Generally this file will be called certnew.p7b
  7. Double click the file so you can expand the left pane so you can see a folder called Certificates. Select that folder.
  8. Now, depending on how many CAs you have (i.e. just a Root CA, or a Root CA with a Sub CA) you will see a number of certs in the right pane. So, let's say you have a Root CA and a Sub CA. You will see two certificates here.
  9. You can expand the window to reveal which is which:

  1. Right click the Root Certification Authority and select All Tasks > Export
  2. Click Next
  3. Select Base-64 encoded X.509 (.CER) and then click Next
  4. Name the file: RootCA.cer
  5. Click Next > Finish
  6. Click OK
  7. Now, right click the Subordinate Certification Authority cert and select All Tasks > Export (if you don’t have one, skip to step 31)
  8. Click Next
  9. Select Base-64 encoded X.509 (.CER) and then click Next
  10. Name the file: SubCA.cer
  11. Click Next > Finish
  12. Click OK
  13. Now, back to the web page. Click Back on your browser to return to the main page and click Request a Certificate
  14. Click advanced certificate request
  15. Now, remember that CSR you had in your SSH session? We need that. You need to paste that into the Base-64-encoded certificate request box
  16. For the Certificate Template, make sure you select vSphere 6.x VMCA
  17. Click Submit
  18. Select Base 64 encoded and then click Download certificate and save it somewhere you’ll be able to remember.
  19. Open the certificate you just downloaded with NOTEPAD (Right click, Open With…)
  20. Open the SubCA.cer with NOTEPAD and copy the entire contents of that and put it at the bottom of the certificate file
  21. Open the RootCA.cer with NOTEPAD and copy the entire contents of that and put it at the bottom (below the SubCA) of the certificate file.
  22. Copy the entire contents of the certificate and go to your SSH session
  23. Type: vi psc01_full_cert_chain.crt
  24. Hit the letter i to enter insert mode
  25. Right click to paste the entire contents of that certificate file into the SSH screen
  26. Press ESC
  27. Type: :wq (write the file and quit)
  28. Now you have the full chain on the PSC! Good job!
  29. Now we are back to using the certificate-manager tool to complete the process. Type: /usr/lib/vmware-vmca/bin/certificate-manager
  30. Type: 2
  31. Type: N   (this says we don’t want to go through and reconfigure the certool.cfg file)
  32. Enter the SSO username and password just like you did before
  33. Once you are through, type 2 to import the certificate
  34. Type: /certs/psc01_full_cert_chain.crt
  35. Type: /certs/vmca_issued_private_key.key
  36. It will now ask you if you want to replace the certs. Type: Y
  37. It will now go through adding the cert to the VMCA as well as updating what is called the Machine Cert. There is a ton of old documentation out there that tells you to replace the Machine Cert. With Update 2 (and maybe even before), that process is done automatically.
  38. It may tell you to restart vCenter services. If vCenter is attached to this PSC, restart services on vCenter as instructed. If this is a greenfield deployment and no vCenter is attached, there isn't a need to do anything.
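Steps 19 through 27 build the chain file by hand in Notepad and a paste into vi, which is where most mistakes happen: Windows line endings, a missing newline between the blocks, a certificate accidentally saved as DER, or the Sub CA and Root CA in the wrong order. The following is an added example (not from the original post) that assembles psc01_full_cert_chain.crt from the downloaded certificate, SubCA.cer and RootCA.cer in the order the post describes (issued certificate, then Subordinate CA, then Root CA) and normalizes each PEM block. The file names are the post's; the function names, the optional Sub CA handling and the dummy Base-64 bodies used as sample input are this example's own.

```python
"""Assemble the PSC's full certificate chain without Notepad pasting.

Added example, not from the original post. It takes the certificate
downloaded from certsrv plus the exported SubCA.cer and RootCA.cer,
strips Windows line endings, checks that each file holds exactly one
PEM certificate, and concatenates them in the order the post describes:
issued certificate, then Subordinate CA, then Root CA.
"""
import re
from pathlib import Path

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL)


def extract_pem_certs(text):
    """Return the PEM certificate blocks in text, re-wrapped with LF endings.

    Notepad on Windows writes CRLF, and Base-64 exports often end without a
    newline; both break a naive concatenation, so every block is rebuilt
    from its Base-64 body at 64 columns.
    """
    blocks = []
    for body in PEM_CERT.findall(text.replace("\r\n", "\n")):
        b64 = "".join(body.split())  # drop internal whitespace
        if not re.fullmatch(r"[A-Za-z0-9+/]+=*", b64):
            raise ValueError("certificate body is not Base-64; was the "
                             "file saved as DER instead of Base 64?")
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        blocks.append("-----BEGIN CERTIFICATE-----\n"
                      + "\n".join(lines)
                      + "\n-----END CERTIFICATE-----\n")
    return blocks


def build_chain(issued_pem, sub_ca_pem=None, root_ca_pem=None):
    """Concatenate issued cert -> Sub CA -> Root CA; the Sub CA is optional."""
    ordered = []
    for label, pem in (("issued certificate", issued_pem),
                       ("Subordinate CA", sub_ca_pem),
                       ("Root CA", root_ca_pem)):
        if pem is None:
            continue
        certs = extract_pem_certs(pem)
        if len(certs) != 1:
            raise ValueError(f"{label}: expected 1 certificate, found {len(certs)}")
        ordered.append(certs[0])
    if len(ordered) < 2:
        raise ValueError("need at least the issued certificate and the Root CA")
    return "".join(ordered)


def count_certs(chain_text):
    """Number of PEM certificate blocks in an assembled chain."""
    return len(extract_pem_certs(chain_text))


def write_chain(out_path, issued, root_ca, sub_ca=None):
    """Read the files by name and write the chain; returns the block count."""
    def read(path):
        return Path(path).read_text() if path else None

    chain = build_chain(read(issued), read(sub_ca), read(root_ca))
    Path(out_path).write_text(chain)
    return count_certs(chain)


# Constructed sample input: dummy Base-64 bodies stand in for real
# certificates. The issued one uses CRLF and has no trailing newline, as a
# file saved from Windows Notepad typically does.
FAKE_ISSUED = ("-----BEGIN CERTIFICATE-----\r\nAAAA\r\nBBBB\r\n"
               "-----END CERTIFICATE-----")
FAKE_SUB = "-----BEGIN CERTIFICATE-----\nCCCC\n-----END CERTIFICATE-----\n"
FAKE_ROOT = "-----BEGIN CERTIFICATE-----\nDDDD\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    # On the PSC, after copying the three files into /certs, use instead:
    # write_chain("/certs/psc01_full_cert_chain.crt",
    #             "/certs/certnew.cer", "/certs/RootCA.cer", "/certs/SubCA.cer")
    print(build_chain(FAKE_ISSUED, FAKE_SUB, FAKE_ROOT))
```

This only checks structure and order; it says nothing about whether the three certificates actually chain to each other. On the PSC, openssl verify -CAfile RootCA.cer -untrusted SubCA.cer followed by the issued certificate file does that, and it is worth running before you hand the chain to certificate-manager in step 34.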

Testing the PSC to validate the certificate

  1. Navigate to https://psc01.contoso.ad
  2. The next part is browser specific:
    • If you are using Chrome, press F12 and then find Security from the top menu and select it. You can click View Certificate and select the Certification Path tab to validate you have a valid hierarchy of certificates.
    • If you are using IE, click the Padlock and make sure it is saying the site is encrypted. You can click View Certificate and select the Certification Path tab to validate you have a valid hierarchy of certificates.
  3. The above steps assume the system you are on already trusts your full certificate authority hierarchy.

You should now have a PSC that will hand out Certificates. When vCenter attaches, it will pull a valid certificate for itself from the VMCA. You can test that in the same manner as we tested the PSC. Navigate to the https:// side of your vCenter server and validate the certificate. Validate the Validity Period to know when you have to update your certificates. By default, this is 2 years from the time in which vCenter was attached.
