XCA = X Certificate and Key Management
Think of it as KeePass for certificates, versus standing up a Windows Server VM as a CA for lab use.
Download XCA – I am using the portable version
https://www.hohnstaedt.de/xca/index.php/download
https://www.wojcieh.net/replace-vmware-esxi-6-ssl-certificate/ lists the process for ESXi, but it generates a CSR and needs a Microsoft CA to issue the certificate. The process below is done entirely in XCA.
File / New Database / create the database file and master password.
New Root Certificate.
- Click on the Certificates tab, then click the New Certificate button.
- Choose the [default] CA template and click Apply all.
- Click on the Subject tab.
- Internal name and common name: root.my.lab. The rest of the boxes are subjective.
- Click “Generate a new key”. The defaults are fine.
- Click the Extensions tab. For the X509v3 Subject Alternative Name use DNS:root.my.lab. You can add a comma and an IP: entry if desired. Click OK.
New Intermediate Certificate.
- Click on the root.my.lab cert and then click the New Certificate button.
- Choose root.my.lab under “Use this Certificate for signing”. Choose the [default] CA template and click Apply all.
- Click on the Subject tab.
- Internal name and common name: intermediate.my.lab. The rest of the boxes are subjective.
- Click “Generate a new key”. The defaults are fine.
- Click the Extensions tab. For the X509v3 Subject Alternative Name use DNS:intermediate.my.lab. You can add a comma and an IP: entry if desired.
- Click OK. Click “Adjust date and continue” when prompted.
New Machine SSL Certificate for the VCSA.
- Click on the intermediate.my.lab cert and click New Certificate.
- intermediate.my.lab should already be picked under “Use this Certificate for signing”. The Empty template is fine.
- Internal name and common name: vcsa2.my.lab. The rest of the boxes are subjective.
- Click “Generate a new key”. The defaults are fine.
- Click on the Extensions tab. Change the time range to 3 years (up to you if 1 is ok). For the X509v3 Subject Alternative Name use DNS:vcsa2.my.lab. You can add a comma and an IP: entry if desired.
- Click the Key Usage tab. Select Digital Signature, Non Repudiation, Key Encipherment (left click on each one). Check “critical” under X509 Key Usage.
Export the files.
- Click on the vcsa2.my.lab cert. Click Export. Name the file machine.crt and choose PEM (*.crt). You can open machine.crt in notepad++ and in Windows Explorer to validate the -----BEGIN CERTIFICATE----- text.
- Click on the vcsa2.my.lab cert. Click Export. Name the file machine-key.pem and choose PEM + key (*.pem).
- Open machine-key.pem with notepad++ and REMOVE the line -----BEGIN CERTIFICATE----- and all lines underneath. Save.
- Click on the root.my.lab cert. Click Export. Choose PEM (*.crt).
- Click on the intermediate.my.lab cert. Click Export. Choose PEM (*.crt).
- Click on the intermediate.my.lab cert. Click Export again. Name the file rootandint.pem and choose PEM chain (*.crt).
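Before copying the three exported files to the appliance it is worth checking that they actually fit together: the key file holds only a key, the key belongs to machine.crt, and machine.crt chains to rootandint.pem. The script below is an added example, not part of the original post and not XCA's own tooling. It rebuilds the same root -> intermediate -> vcsa2.my.lab chain with openssl in a scratch directory (standing in for the XCA database), writes files shaped like the XCA exports, strips the certificate block out of the "PEM + key" file the way the post does by hand in notepad++, and then runs the checks. It assumes OpenSSL 1.1.1 or newer (for `-addext`), and it assumes XCA's "PEM + key" export places the private key above the certificate, which is what the post's "remove BEGIN CERTIFICATE and everything under it" step implies. With a real export, only the `verify_machine_bundle` and `strip_cert_from_key_export` functions are needed; point them at the XCA files instead of the constructed ones.

```shell
#!/bin/sh
# Added example (not from the original post): constructed lab chain plus the
# checks a bundle should pass before it goes to /tmp on the VCSA.
set -e
WORK=$(mktemp -d)

# Stand-in for the XCA database: self-signed root, intermediate signed by it,
# and a server certificate with the Key Usage bits selected in the post.
make_lab_chain() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=root.my.lab" -addext "subjectAltName=DNS:root.my.lab" \
    -keyout "$d/root.key" -out "$d/root.my.lab.crt" 2>/dev/null

  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' \
    'subjectAltName=DNS:intermediate.my.lab' > "$d/int.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=intermediate.my.lab" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -days 1825 -in "$d/int.csr" -CA "$d/root.my.lab.crt" \
    -CAkey "$d/root.key" -CAcreateserial -extfile "$d/int.ext" \
    -out "$d/intermediate.my.lab.crt" 2>/dev/null

  printf '%s\n' 'basicConstraints=CA:FALSE' \
    'keyUsage=critical,digitalSignature,nonRepudiation,keyEncipherment' \
    'subjectAltName=DNS:vcsa2.my.lab' > "$d/leaf.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=vcsa2.my.lab" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -days 1095 -in "$d/leaf.csr" -CA "$d/intermediate.my.lab.crt" \
    -CAkey "$d/int.key" -CAcreateserial -extfile "$d/leaf.ext" \
    -out "$d/machine.crt" 2>/dev/null

  # Assumed XCA layout: "PEM + key" = key first, certificate below it;
  # "PEM chain" of the intermediate = intermediate followed by root.
  cat "$d/leaf.key" "$d/machine.crt" > "$d/machine-key-export.pem"
  cat "$d/intermediate.my.lab.crt" "$d/root.my.lab.crt" > "$d/rootandint.pem"
}

# The notepad++ step: drop the BEGIN CERTIFICATE line and everything under it.
strip_cert_from_key_export() {
  sed '/-----BEGIN CERTIFICATE-----/,$d' "$1" > "$2"
}

# Returns 0 when machine.crt, machine-key.pem and rootandint.pem are consistent.
verify_machine_bundle() {
  d=$1
  # 1. The key file must hold only the private key.
  if grep -q 'BEGIN CERTIFICATE' "$d/machine-key.pem"; then
    echo "machine-key.pem still contains a certificate block"; return 1
  fi
  # 2. The private key must match the public key inside machine.crt.
  cert_pub=$(openssl x509 -in "$d/machine.crt" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$d/machine-key.pem" -pubout 2>/dev/null | openssl sha256)
  [ "$cert_pub" = "$key_pub" ] || { echo "key does not match machine.crt"; return 1; }
  # 3. machine.crt must chain to the root + intermediate bundle.
  openssl verify -CAfile "$d/rootandint.pem" "$d/machine.crt" >/dev/null 2>&1 \
    || { echo "machine.crt does not chain to rootandint.pem"; return 1; }
  # 4. The SAN must carry the hostname the browser will check.
  openssl x509 -in "$d/machine.crt" -noout -text | grep -q 'DNS:vcsa2.my.lab' \
    || { echo "missing SAN DNS:vcsa2.my.lab"; return 1; }
  return 0
}

# Why the post exports the intermediate as a chain rather than the root alone:
# with only root.my.lab.crt as the signing certificate the chain is incomplete.
# Returns 0 when verification correctly fails without the intermediate.
root_alone_is_insufficient() {
  ! openssl verify -CAfile "$1/root.my.lab.crt" "$1/machine.crt" >/dev/null 2>&1
}

make_lab_chain "$WORK"
strip_cert_from_key_export "$WORK/machine-key-export.pem" "$WORK/machine-key.pem"
verify_machine_bundle "$WORK" && echo "bundle in $WORK is ready for /tmp on the VCSA"
```

The `sed` range expression is the scripted equivalent of the manual edit; it deletes from the first `-----BEGIN CERTIFICATE-----` line to end of file, so a key file that XCA happened to export with the certificate first would come out empty and fail check 1, which is the failure you want to see on your workstation rather than inside certificate-manager.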
On the machine that will access the VCSA website.
- In Windows Explorer, open root.my.lab.crt. Click Install Certificate. Choose the Trusted Root Certification Authorities store. Click OK on the warning popup.
- In Windows Explorer, open intermediate.my.lab.crt. Click Install Certificate. Choose the Intermediate Certification Authorities store.
- In Windows Explorer, open machine.crt; it should list the 3 certs in the path (how the web browser will see it).
VCSA 6.7.0.20100 build 11338176 (embedded PSC)
Make sure you have a snapshot of the VCSA before the change. (I prefer to take the snapshot while the VCSA VM is powered off.)
- Enable SSH and the shell via the VAMI on :5480: https://fqdn:5480/ui/access
- SSH in and enable WinSCP access:
  chsh -s /bin/bash root
- WinSCP in and upload the 3 files to /tmp:
  machine.crt
  machine-key.pem
  rootandint.pem
- Remove WinSCP access via:
  chsh -s /bin/appliancesh root
- Disable SSH and shell via the VAMI.
SSH into the VCSA and run the certificate manager:
/usr/lib/vmware-vmca/bin/certificate-manager
Enter 1 at the first menu, then 2 at the next. Answer the prompts with the uploaded files:
Please provide valid custom certificate for Machine SSL.
File : /tmp/machine.crt
Please provide valid custom key for Machine SSL.
File : /tmp/machine-key.pem
Please provide the signing certificate of the Machine SSL certificate
File: /tmp/rootandint.pem