Before requesting the certificate, make sure the IIS service on the Windows Server is running and listening on port 80.
5.1 Log in to AD CS: open and sign in to the Microsoft Active Directory Certificate Services page.
5.2 Request a certificate: click [Request a certificate].
5.3 Choose the certificate type: select [advanced certificate request].
5.4 Submit the CSR: paste the contents of the CSR created with certificate-manager into Saved Request. The contents of the vmca_issued_csr.csr file:
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
Then select the vSphere 8.x for VMCA template created earlier and click Submit.
5.5 Download the Base 64 encoded certificate: select Base 64 encoded, then click Download certificate chain first. The downloaded file is named certnew.p7b; rename it to cachain.p7b.
In the screenshot above the p7b file has not yet been renamed.
5.6 Transfer the certificate chain to the VC: here we use WinSCP. Copy cachain.p7b to /root/vmca on the VC.
6. Replace the default vSphere VMCA certificate with the VMCA certificate issued by the enterprise CA
6.1 Confirm the certificate files: SSH into the VCSA and cd to /root/vmca. The directory now contains 3 files.
Convert cachain.p7b into a PEM .cer file (the command below writes it as vmca_issued.cer):
openssl pkcs7 -print_certs -in cachain.p7b -out vmca_issued.cer
Check /root/vmca again; the directory now contains 4 files.
The two files needed are:
Root certificate chain signed by the enterprise CA: vmca_issued.cer
Custom private key: vmca_issued_key.key
6.2 Replace the default vSphere certificates: run the certificate-manager tool again to replace the default certificates.
root@vc7-3 [ ~ ]# /usr/lib/vmware-vmca/bin/certificate-manager
 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
|                                                                     |
|      *** Welcome to the vSphere 8.0 Certificate Manager  ***        |
|                                                                     |
|                   -- Select Operation --                            |
|                                                                     |
|      1. Replace Machine SSL certificate with Custom Certificate     |
|                                                                     |
|      2. Replace VMCA Root certificate with Custom Signing           |
|         Certificate and replace all Certificates                    |
|                                                                     |
|      3. Replace Machine SSL certificate with VMCA Certificate       |
|                                                                     |
|      4. Regenerate a new VMCA Root Certificate and                  |
|         replace all certificates                                    |
|                                                                     |
|      5. Replace Solution user certificates with                     |
|         Custom Certificate                                          |
|         NOTE: Solution user certs will be deprecated in a future    |
|         release of vCenter. Refer to release notes for more details.|
|                                                                     |
|      6. Replace Solution user certificates with VMCA certificates   |
|                                                                     |
|      7. Revert last performed operation by re-publishing old        |
|         certificates                                                |
|                                                                     |
|      8. Reset all Certificates                                      |
|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|
Note : Use Ctrl-D to exit.
Option[1 to 8]: 2
Do you wish to generate all certificates using configuration file : Option[Y/N] ? : Y
Please provide valid SSO and VC privileged user credential to perform certificate operations.
Enter username [Administrator@vsphere.local]:
Enter password:
certool.cfg file exists, Do you wish to reconfigure : Option[Y/N] ? : Y
Press Enter key to skip optional parameters or use Previous value.
Enter proper value for 'Country' [Previous value : CN] :
Enter proper value for 'Name' [Previous value : CA] :
Enter proper value for 'Organization' [Previous value : VMware] :
Enter proper value for 'OrgUnit' [optional] : GSS
Enter proper value for 'State' [Previous value : Beijing] :
Enter proper value for 'Locality' [Previous value : Beijing] :
Enter proper value for 'IPAddress' (Provide comma separated values for multiple IP addresses) [optional] : 192.168.1.3
Enter proper value for 'Email' [Previous value : email@acme.com] :
Enter proper value for 'Hostname' (Provide comma separated values for multiple Hostname entries) [Enter valid Fully Qualified Domain Name(FQDN), For Example : example.domain.com] : vc7-3.yz.local
Enter proper value for VMCA 'Name' :vc7-3.yz.local
1. Generate Certificate Signing Request(s) and Key(s) for VMCA Root Signing certificate
2. Import custom certificate(s) and key(s) to replace existing VMCA Root Signing certificate
Option [1 or 2]: 2
Please provide valid custom certificate for Root.
File : /root/vmca/vmca_issued.cer
Please provide valid custom key for Root.
File : /root/vmca/vmca_issued_key.key
You are going to replace Root Certificate with custom certificate and regenerate all other certificates
Continue operation : Option[Y/N] ? : Y
Status : 100% Completed [All tasks completed successfully]
At this point the VMCA root certificate replacement reports 100% completed.
6.3 Verify the new certificate: log in to the vSphere Client, go to Menu > Administration > Certificates > Certificate Management, find VMware Certificate Authority, check the VMCA_ROOT_CERT entry, and click VIEW DETAILS.
The Machine SSL Certificate has also been regenerated at the same time.
Related posts
1. Replacing the vSphere VMCA CA certificate with an enterprise CA-signed certificate, part I: generating the CSR
2. Replacing the vSphere VMCA CA certificate with an enterprise CA-signed certificate, part II: creating and adding the certificate template
3. Replacing the vSphere VMCA CA certificate with an enterprise CA-signed certificate, part III: issuing the certificate and replacing the VMCA certificate
References
The cover image of this post is from: https://blogs.vmware.com/vsphere/2019/06/10-things-about-vsphere-certificate-management.html