Change the Machine SSL Certificate of vCenter Server

You can change the machine SSL certificate of a vCenter Server system by using the TLS and the TLS CSR interfaces of the vSphere Automation API.
  • Verify that the root certificate of the CA you are going to use is available on your machine.
  • Verify that you have the required privileges: CertificateManagement.Administer and CertificateManagement.Manage.
The machine SSL certificate is used for server verification and for secure communication such as HTTPS or LDAPS. The machine certificates are the human-facing certificates in vSphere. They are used to create an SSL socket on the server side to which SSL clients can then connect.
Changing the machine SSL certificate with one issued by an official or enterprise certificate authority is an essential part of the Hybrid Mode of vSphere certificate management. In this mode, you replace the machine SSL certificate and you leave the VMCA to manage all other certificates automatically. The VMCA is a just-enough internal certificate authority that comes integral with your vSphere deployment. It has been purpose-built to serve the certificate needs of your vSphere environment. For more information on vSphere certificate management, see the vSphere Authentication guide.
  1. Retrieve the current machine SSL certificate of your vCenter Server system by calling the get function of the Tls interface.
  2. Generate a certificate signing request (CSR) by using the TlsCsr interface.
    1. Create a new object of type TlsCsrTypes.Spec by using the following parameters/methods.

       Parameter/Method                            Description
       setCountry / country                        Specify the country in the certificate subject.
       setStateOrProvince / state_or_province      Specify the state or province in the certificate subject.
       setLocality / locality                      Specify the locality in the certificate subject.
       setOrganization / organization              Specify the organization in the certificate subject.
       setOrganizationUnit / organization_unit     Specify the organization unit in the certificate subject.
       setEmailAddress / email_address             Specify the email address in the certificate subject.

    2. Create the CSR by calling the create(TlsCsrTypes.Spec) method and passing the CSR specification.
    The system returns the CSR in PEM format.
  3. Save the CSR to your machine.
  4. Send the CSR to the certificate authority of your choice.
    The private key corresponding to the public key generated by the CSR is stored in the vCenter Server keystore and does not leave your system.
  5. Save the issued third-party machine SSL certificate to your machine.
  6. Set the new custom certificate to your vCenter Server system by using the Tls service.
    1. Create a new object of type TlsTypes.Spec by using the following parameters/methods.

       Parameter/Method          Description
       setCert / cert            The machine SSL certificate in PEM format. You must also paste the intermediate CA certificate, if you have one.
       setRootCert / root_cert   The third-party root CA certificate in PEM format. You must also paste the intermediate CA certificate, if you have one.

       You do not provide the private key, as it was generated with the CSR and is already present on your system.
    2. Set the new certificate to your vCenter Server system by calling the set(TlsTypes.Spec) method and passing the TLS specification as an argument.
    A restart of the vCenter Server services after the certificate change is not necessary.
The certificate replacement is completed seamlessly and all your sessions remain active.
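Before step 6 it is worth confirming that the material you are about to pass to TlsTypes.Spec is consistent, because a leaf certificate issued for a different key pair, or a chain pasted out of order, is not detectable from the PEM text by eye. The check below is an added example, not code from the VMware documentation or from the vsphere-automation-sdk-python samples. It uses only the Python standard library and just enough DER parsing to extract the SubjectPublicKeyInfo, issuer and subject fields: it confirms that the issued leaf certificate carries the public key from the CSR (the matching private key is the one already held in the vCenter Server keystore) and that the certificates link leaf, intermediate(s), root in that order. It does not verify signatures, validity dates or name constraints, so it complements rather than replaces validation by the CA and by vCenter Server. The host name vcsa.example.test and the CA names are constructed, and the sample CSR and certificates are DER structures built inline with placeholder keys and empty signatures, so the example runs offline; a real CSR from TlsCsr.create and real PEM files from your CA can be passed to check_before_set in the same way.

```python
"""Pre-flight check before calling Tls.set(): the issued leaf certificate must carry
the public key from the CSR (the private key already sits in the vCenter Server
keystore) and the PEM material must chain leaf -> intermediate(s) -> root."""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

def pem_to_der(pem: str) -> list:
    """DER bytes of every PEM block in the text, in order of appearance."""
    return [base64.b64decode("".join(m.group(2).split())) for m in PEM_RE.finditer(pem)]

def read_tlv(buf: bytes, off: int = 0):
    """Decode one DER TLV at off -> (tag, whole_tlv, body, next_offset)."""
    tag, first = buf[off], buf[off + 1]
    n = 0 if first < 0x80 else first & 0x7F            # long form: 0x8N followed by N length bytes
    length = first if n == 0 else int.from_bytes(buf[off + 2:off + 2 + n], "big")
    start, end = off + 2 + n, off + 2 + n + length
    if end > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[off:end], buf[start:end], end

def children(body: bytes) -> list:
    """(tag, whole_tlv) for each element inside a constructed value's body."""
    out, off = [], 0
    while off < len(body):
        tag, raw, _, off = read_tlv(body, off)
        out.append((tag, raw))
    return out

def csr_spki(der: bytes) -> bytes:
    # CertificationRequest ::= SEQUENCE { CertificationRequestInfo, sigAlg, signature }
    # CertificationRequestInfo ::= SEQUENCE { version, subject, subjectPKInfo, attributes }
    info = children(read_tlv(der)[2])[0][1]
    return children(read_tlv(info)[2])[2][1]

def cert_fields(der: bytes) -> dict:
    # Certificate ::= SEQUENCE { TBSCertificate, sigAlg, signature }
    # TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
    #                               issuer, validity, subject, subjectPublicKeyInfo, ... }
    tbs = children(read_tlv(der)[2])[0][1]
    f = children(read_tlv(tbs)[2])
    i = 1 if f[0][0] == 0xA0 else 0                    # skip EXPLICIT [0] version if present
    return {"issuer": f[i + 2][1], "subject": f[i + 4][1], "spki": f[i + 5][1]}

def check_before_set(csr_pem: str, cert_pem: str, root_pem: str) -> list:
    """Problems in the material destined for TlsTypes.Spec; an empty list means consistent."""
    csrs = pem_to_der(csr_pem)
    chain = [cert_fields(d) for d in pem_to_der(cert_pem) + pem_to_der(root_pem)]
    if len(csrs) != 1 or not chain:
        return ["expected exactly one CSR and at least one certificate"]
    problems = []
    if csr_spki(csrs[0]) != chain[0]["spki"]:
        problems.append("leaf public key differs from the CSR: keystore private key will not match")
    for n, (child, parent) in enumerate(zip(chain, chain[1:])):
        if child["issuer"] != parent["subject"]:
            problems.append(f"certificate {n} is not issued by certificate {n + 1}: chain out of order or incomplete")
    if chain[-1]["issuer"] != chain[-1]["subject"]:
        problems.append("chain does not end in a self-signed root: supply root_cert unless vCenter Server already trusts it")
    return problems

# --- constructed sample: DER shaped like a CSR/certificate with placeholder keys and empty signatures
def tlv(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    nb = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nb]) + n.to_bytes(nb, "big") + body

def name(cn: str) -> bytes:   # Name holding a single commonName RDN (OID 2.5.4.3)
    return tlv(0x30, tlv(0x31, tlv(0x30, bytes.fromhex("0603550403") + tlv(0x0C, cn.encode()))))

def fake_spki(seed: bytes) -> bytes:   # SubjectPublicKeyInfo shell; seed stands in for key bytes
    return tlv(0x30, tlv(0x30, bytes.fromhex("06092a864886f70d010101")) + tlv(0x03, b"\x00" + seed))

def fake_cert(subject: str, issuer: str, spki: bytes) -> bytes:
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"")
           + name(issuer) + tlv(0x30, b"") + name(subject) + spki)
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30, b"") + tlv(0x03, b"\x00"))

def fake_csr(subject: str, spki: bytes) -> bytes:
    info = tlv(0x02, b"\x00") + name(subject) + spki + tlv(0xA0, b"")
    return tlv(0x30, tlv(0x30, info) + tlv(0x30, b"") + tlv(0x03, b"\x00"))

def to_pem(label: str, der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n" + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64)) + f"\n-----END {label}-----\n"

def constructed_sample() -> dict:
    """CSR plus leaf/intermediate/root PEMs for the hypothetical host vcsa.example.test."""
    k_leaf, k_ca, k_root = fake_spki(b"\x11" * 64), fake_spki(b"\x22" * 64), fake_spki(b"\x33" * 64)
    return {"csr": to_pem("CERTIFICATE REQUEST", fake_csr("vcsa.example.test", k_leaf)),
            "leaf": to_pem("CERTIFICATE", fake_cert("vcsa.example.test", "Example Issuing CA", k_leaf)),
            "wrong_key_leaf": to_pem("CERTIFICATE", fake_cert("vcsa.example.test", "Example Issuing CA", k_ca)),
            "intermediate": to_pem("CERTIFICATE", fake_cert("Example Issuing CA", "Example Root CA", k_ca)),
            "root": to_pem("CERTIFICATE", fake_cert("Example Root CA", "Example Root CA", k_root))}

if __name__ == "__main__":
    s = constructed_sample()
    print("complete chain  :", check_before_set(s["csr"], s["leaf"] + s["intermediate"], s["root"]))
    print("no intermediate :", check_before_set(s["csr"], s["leaf"], s["root"]))
```

The order of the PEM blocks matters because the check, like the cert field of TlsTypes.Spec, expects the leaf first and the intermediate appended after it; issuer and subject are compared as raw DER Name encodings, which is the same comparison a path builder makes, so a CA that re-encodes its name differently between certificates would be reported as a broken link rather than silently accepted.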
Python
  • Generating a Certificate Signing Request (CSR) from vCenter Server
    This example shows how to generate a certificate signing request (CSR) from vCenter Server. The generation of a CSR is an important step in the workflow to change the machine SSL certificate of your vCenter Server system with a third-party or enterprise certificate. The example is based on the code in the gencsr.py sample file.
    For related code samples, see the vsphere-automation-sdk-python VMware repository at GitHub.

    """
    Description: Demonstrates the generation of the Certificate Signing request
    for the MACHINE SSL certificate

    Sample Prerequisites:
    - The user invoking the API should have the CertificateManagement.Administer
      or the CertificateManagement.Manage privilege.
    """
    # Imports follow the layout of the SDK samples repository.
    import requests

    from com.vmware.vcenter.certificate_management.vcenter_client import TlsCsr
    from samples.vsphere.common import sample_cli, sample_util
    from vmware.vapi.vsphere.client import create_vsphere_client

    parser = sample_cli.build_arg_parser()
    parser.add_argument('--keysize',
                        help='Key size used to generate the private key. '
                             'keysize will take 2048 bits if not modified')
    parser.add_argument('--commonname',
                        help='Common name of the certificate subject field. '
                             'common name will take the Primary Network Identifier (PNID) '
                             'if not modified.')
    parser.add_argument('--organization', required=True,
                        help='Organization field in certificate subject.')
    parser.add_argument('--organizationunit', required=True,
                        help='Organization unit field in certificate subject')
    parser.add_argument('--locality', required=True,
                        help='Locality field in the certificate subject')
    parser.add_argument('--stateorprovince', required=True,
                        help='State field in certificate subject')
    parser.add_argument('--country', required=True,
                        help='Country field in the certificate subject')
    parser.add_argument('--emailaddress', required=True,
                        help='Email field in Certificate extensions')
    parser.add_argument('--subjectaltname',
                        help='subjectaltname is a comma-separated list of DNS names and IP addresses')
    args = sample_util.process_cli_args(parser.parse_args())

    session = requests.session()
    session.verify = False if args.skipverification else True

    # Login to vCenter
    vsphere_client = create_vsphere_client(server=args.server,
                                           username=args.username,
                                           password=args.password,
                                           session=session)

    common_name = args.commonname
    organization = args.organization
    organization_unit = args.organizationunit
    locality = args.locality
    state_or_province = args.stateorprovince
    country = args.country
    email_address = args.emailaddress

    # Optional values stay None so that the service applies its defaults
    # (2048-bit key, PNID as common name, no subject alternative names).
    if args.keysize is None:
        key_size = args.keysize
    else:
        key_size = int(args.keysize)
    if args.subjectaltname is None:
        subject_alt_name = args.subjectaltname
    else:
        subject_alt_name = args.subjectaltname.split(',')

    # Create the spec for input to the API
    spec = TlsCsr.Spec(key_size=key_size,
                       common_name=common_name,
                       organization=organization,
                       organization_unit=organization_unit,
                       locality=locality,
                       state_or_province=state_or_province,
                       country=country,
                       email_address=email_address,
                       subject_alt_name=subject_alt_name)

    # The service generates the key pair, keeps the private key in the vCenter Server
    # keystore and returns the CSR in PEM format.
    print('Generating the certificate signing request based on the information provided in the spec')
    print(vsphere_client.vcenter.certificate_management.vcenter.TlsCsr.create(spec))
  • Setting a New Machine SSL Certificate to vCenter Server
    This example shows how to set a third-party or enterprise machine SSL certificate to your vCenter Server system. You must have already completed the step of generating a certificate signing request (CSR) and obtained the new certificate from an enterprise or third-party certificate authority. This example is based on the code in the replace_tls_certificate.py sample file.
    For related code samples, see the vsphere-automation-sdk-python VMware repository at GitHub.

    """
    Description: Demonstrates the replacement of the MACHINE SSL certificate with
    a custom certificate signed by an external third party CA.

    Sample Prerequisites:
    - The user invoking the API should have the CertificateManagement.Administer
      privilege.
    """
    # Imports follow the layout of the SDK samples repository.
    import requests

    from com.vmware.vcenter.certificate_management.vcenter_client import Tls
    from samples.vsphere.common import sample_cli, sample_util
    from vmware.vapi.vsphere.client import create_vsphere_client

    parser = sample_cli.build_arg_parser()
    parser.add_argument('--cert', required=True,
                        help='Leaf certificate that replaces the MACHINE SSL certificate.')
    parser.add_argument('--key',
                        help='The private key. '
                             'Not required if the gencsr API was used to generate '
                             'the certificate signing request.')
    parser.add_argument('--rootcert',
                        help='The root certificate and the intermediate root certificates '
                             'required to establish the chain of trust. '
                             'Not required if the certificates are already present in the vCenter.')
    args = sample_util.process_cli_args(parser.parse_args())

    session = requests.session()
    session.verify = False if args.skipverification else True

    # Login to vCenter
    vsphere_client = create_vsphere_client(server=args.server,
                                           username=args.username,
                                           password=args.password,
                                           session=session)

    # The PEM values arrive on the command line with literal "\n" sequences;
    # the encode/decode round trip turns them back into real line breaks.
    cert = args.cert.encode(encoding='utf-8').decode('unicode_escape')
    if args.key is not None:
        key = args.key.encode(encoding='utf-8').decode('unicode_escape')
    else:
        key = args.key
    if args.rootcert is not None:
        root_cert = args.rootcert.encode(encoding='utf-8').decode('unicode_escape')
    else:
        root_cert = args.rootcert

    # Create the spec for input to the API
    spec = Tls.Spec(cert=cert, key=key, root_cert=root_cert)

    print('The MACHINE SSL certificate will be replaced with the custom certificate')
    vsphere_client.vcenter.certificate_management.vcenter.Tls.set(spec)