替换拓扑图

证书关系示意图

默认情况下，VMCA 与 Machine SSL的关系是

本系列博文要实现的拓扑是

说明 & 关联博文

因为使用企业 CA 直接签名 Machine SSL 证书替换 vSphere 证书步骤较多且繁琐，为了内容关联性和可读性，关于这个自签名证书系列的博文，博主分为4篇，这是第一篇，剩余4篇会陆续发布。

本篇博文主要描述了如何在 vCenter Server 系统中使用实用工具 certificate-manager 生成自签名证书需要的证书签名请求 CSR。适用的 vSphere 版本为 vSphere 7.0.x 和 vSphere 8.0.x

1.企业 CA 签名证书替换 vSphere Machine SSL 证书Ⅰ—— 生成 CSR
2.企业 CA 签名证书替换 vSphere Machine SSL 证书Ⅱ—— 创建和添加证书模板
3.企业 CA 签名证书替换 vSphere Machine SSL 证书Ⅲ—— 颁发自签名与替换证书
4.企业 CA 签名证书替换 vSphere Machine SSL 证书Ⅳ—— 替换默认证书

1. 默认证书截图

在替换vSphere 默认 Machine SSL证书前，我们通过 vSphere Client 确认该证书的信息。

登录 vSphere Client，Menu > Administration > Certificastes > Certificate Management，找到 Machine SSL Certificate，点击VIEW DETAILS

2. 使用certificate-manager生成CSR

2.1 创建存放CSR的目录

如果不创建特定目录，在后续步骤指定目录时必须要指定已存在目录，否则程序会报错。

mkdir /root/machine_ssl

2.2 记录PNID和IP

# 获取VC PNID
/usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost
# 获取IP地址
ip address

2.3 生成CSR

root@vc7-3 [ ~ ]# mkdir /root/machine_ssl
root@vc7-3 [ ~ ]# /usr/lib/vmware-vmca/bin/certificate-manager_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|                                                                     ||      *** Welcome to the vSphere 8.0 Certificate Manager  ***        ||                                                                     ||                   -- Select Operation --                            ||                                                                     ||      1. Replace Machine SSL certificate with Custom Certificate     ||                                                                     ||      2. Replace VMCA Root certificate with Custom Signing           ||         Certificate and replace all Certificates                    ||                                                                     ||      3. Replace Machine SSL certificate with VMCA Certificate       ||                                                                     ||      4. Regenerate a new VMCA Root Certificate and                  ||         replace all certificates                                    ||                                                                     ||      5. Replace Solution user certificates with                     ||         Custom Certificate                                          ||         NOTE: Solution user certs will be deprecated in a future    ||         release of vCenter. Refer to release notes for more details.||                                                                     ||      6. Replace Solution user certificates with VMCA certificates   ||                                                                     ||      7. Revert last performed operation by re-publishing old        ||         certificates                                                ||                                                                     ||      8. Reset all Certificates                                      ||_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|
Note : Use Ctrl-D to exit.
Option[1 to 8]: 1Please provide valid SSO and VC privileged user credential to perform certificate operations.
Enter username [Administrator@vsphere.local]:   # 以实际的SSO域名为准
Enter password:                                 # 输入密码1. Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate2. Import custom certificate(s) and key(s) to replace existing Machine SSL certificateOption [1 or 2]: 1                              # 选择1，生成 Machine SSL 证书的证书签名请求和密钥。Please provide a directory location to write the CSR(s) and PrivateKey(s) to:
Output directory path: /root/machine_sslPlease configure certool.cfg with proper values before proceeding to next step.Press Enter key to skip optional parameters or use Default value.Enter proper value for 'Country' [Default value : US] : CNEnter proper value for 'Name' [Default value : CA] :Enter proper value for 'Organization' [Default value : VMware] :Enter proper value for 'OrgUnit' [optional] : GSSEnter proper value for 'State' [Default value : California] : BeijngEnter proper value for 'Locality' [Default value : Palo Alto] : BeijingEnter proper value for 'IPAddress' (Provide comma separated values for multiple IP addresses) [optional] : 192.168.1.3 # 填VC IPEnter proper value for 'Email' [Default value : email@acme.com] : yaoz@vmware.comEnter proper value for 'Hostname' (Provide comma separated values for multiple Hostname entries) [Enter valid Fully Qualified Domain Name(FQDN), For Example : example.domain.com] : vc7-3.yz.local # 填VC PNIDEnter proper value for VMCA 'Name' :vc7-3.yz.local # 填VC PNID
2023-10-17T10:02:18.565Z  Running command: ['/usr/lib/vmware-vmca/bin/certool', '--genkey', '--privkey', '/root/machine_ssl/vmca_issued_key.key', '--pubkey', '/tmp/pubkey.pub']
2023-10-17T10:02:19.544Z  Done running command
2023-10-17T10:02:19.545Z  Running command: ['/usr/lib/vmware-vmca/bin/certool', '--gencsr', '--privkey', '/root/machine_ssl/vmca_issued_key.key', '--pubkey', '/tmp/pubkey.pub', '--config', '/var/tmp/vmware/certool.cfg', '--csrfile', '/root/machine_ssl/vmca_issued_csr.csr']
2023-10-17T10:02:21.126Z  Done running commandCSR generated at: /root/machine_ssl/vmca_issued_csr.csr1. Continue to importing Custom certificate(s) and key(s) for Machine SSL certificate2. Exit certificate-managerOption [1 or 2]: 2                                     # 选择2退出程序。
root@vc7-3 [ ~ ]#

蓝色框是shell命令，红色实线框为必填项，红色虚线框为选填框。

2.4 验证CSR

cd /root/machine_ssl
ls

参考资料

• Custom certificate on the outside, VMware CA (VMCA) on the inside – Replacing vCenter 6.0’s SSL Certificate
• 博文封面图片来自:https://blog.codavel.com/accepting-self-signed-certificates-in-okhttp3