Install SSL Certificate: VMware vCenter Site Recovery Manager
Some solutions, such as VMware vCenter Site Recovery Manager, VMware vSphere Replication, or vShield Manager, are always installed on a different machine than the associated vCenter Server system or Platform Services Controller that manages the certificates for the solution. Installing vCenter Site Recovery Manager with a custom SSL certificate can fail with the error: "Failed to validate certificate. Details: the certificate file contains unsupported PKCS#12 content" (VMware KB 2011356).
As I work closely with VMware Support, it’s clear that issues and confusion around vSphere 6.x certificates are still very much a pain-point for customers. I’ve spoken a bit about this topic in the past (but have been meaning to get back to it).
You can see my previous posts below (note: even though they say 6.0, they are applicable to 6.5 too).

What I want to achieve with this post is to dispel some of the confusion. First, repeat the title of this post to yourself: "Just because you can, doesn't mean you should." Just because you can replace any and all certificates in a vSphere environment doesn't mean you necessarily should. The only question you need to be able to answer is: "What problem am I trying to solve?"

tl;dr: for the majority of use cases, replacing the Machine SSL certificate on each vCenter / PSC is sufficient. Keep reading for more information.
I'm going to focus on three potential answers to that question:

1. I want to get rid of the annoying browser warning when I access the Web Client.
2. Management interfaces (i.e. the Web Client) must run with trusted CA-signed certificates.
3. Company policy mandates that all certificates must be replaced with trusted CA-signed certificates.

In my experience, the vast majority of vSphere customers fall into category 1 or 2. Before we delve into all that, let's run through all the certificates present on a vCenter 6.x system and what they are used for.

Diagrams

Embedded PSC: the first diagram illustrates the certificates for a vCenter Server with an embedded PSC.

External PSC: the second diagram illustrates the certificates when using an external PSC. You can extrapolate for larger environments as more PSCs and vCenter Servers are added.

Machine SSL Certificate

This is the main certificate and the only one you should care about if you answered 1 or 2 to the question above. It is presented by the server on port 443 via the reverse proxy service, and it is what you hit when you access the vSphere Web Client, the HTML5 Web Client (6.5), the PSC UI, the VAMI, use the C# Client (6.0), or use PowerCLI to connect to vCenter.
It is the only user-exposed certificate. If all you care about is not seeing any "untrusted certificate" warnings from any of your interfaces, then this, and only this, is the certificate you need to change on your embedded vCenter, external PSC or vCenter machines.

Solution User Certificates

There are four solution user types, and you can check the link above for more detail on Solution User certificates. vCenter and PSC services need to be able to communicate with the VMware Directory Service (VMdir) within an SSO domain. You have your admin user, administrator@vsphere.local, which has a user-defined password. There are also the solution users, for example vpxd-<machine-uuid>@vsphere.local, but they don't have a traditional password, so to log into VMdir they use certificate-based authentication. These certificates are not user-exposed; you should never hit them in your browser.

VMCA

The VMCA certificate is just that: a CA (certificate authority) certificate. VMCA is capable of generating and signing new certificates.
It is what issues all the certificates we talk about on a new installation of vSphere 6.x.

Trusted Roots

Stores all issuer certificates (root CAs and intermediate CAs) that have issued Machine SSL certificates and Solution User certificates. If you are running custom certificates, then whatever CA issued those certificates (and any intermediates in the chain) needs to be present here.

Lookup Service Certificate

In 6.5 this certificate is automatically always the same as the Machine SSL certificate, so for 6.5 it's a non-issue and you don't need to worry about it.
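The checks that go with the sections above, as an added example that is not code from the original post or from VMware: a live look at the Machine SSL certificate presented on port 443, an offline demonstration of the Trusted Roots rule (the leaf only validates when its issuing CA is in the trust store), and a look inside the kind of PKCS#12 bundle an installer such as SRM consumes. It assumes only that the openssl command-line tool (1.1.1 or later) is installed; the host name vcenter.demo.local, the demo CA names, file names and password are placeholders constructed for the example.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post or from VMware. Assumes the openssl
# CLI (1.1.1 or later) is on PATH. Host names, CA names, file names and the password
# below are placeholders constructed for the demo.
set -e

# Live check: show the Machine SSL certificate a vCenter/PSC presents on 443 through the
# reverse proxy. The host is hypothetical; pass your own vCenter or PSC FQDN.
show_machine_ssl() {
  local host="$1" port="${2:-443}"
  openssl s_client -connect "${host}:${port}" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer -dates
}

# Offline stand-in for a custom-certificate deployment: a throwaway "corporate" root CA,
# an unrelated root CA, and a leaf playing the Machine SSL certificate, all built here.
make_demo_pki() {
  local dir="$1"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -subj "/CN=Demo Corp Root CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -subj "/CN=Some Other Root CA" -keyout "$dir/other.key" -out "$dir/other.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=vcenter.demo.local" -keyout "$dir/machine.key" -out "$dir/machine.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 1 -in "$dir/machine.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/machine.crt" 2>/dev/null
}

# The Trusted Roots rule: the leaf chains only when its issuing CA is in the trust file.
# Exit status 0 means the chain validates.
chain_trusted() {
  local trust_file="$1" cert="$2"
  openssl verify -CAfile "$trust_file" "$cert" >/dev/null 2>&1
}

# Bundle key + leaf + issuer into a PKCS#12 file, the format an installer like SRM consumes.
make_p12() {
  local dir="$1" pass="${2:-demo-password}"
  openssl pkcs12 -export -inkey "$dir/machine.key" -in "$dir/machine.crt" \
    -certfile "$dir/ca.crt" -name "machine-ssl" -passout "pass:$pass" -out "$dir/machine.p12"
}

# Count the certificates inside a PKCS#12 file, to see exactly what an importer receives
# before it complains about the bundle's content.
p12_cert_count() {
  local p12="$1" pass="${2:-demo-password}"
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Walk-through: build the demo PKI, run both trust checks, inspect the bundle.
demo() {
  local dir
  dir="$(mktemp -d)"
  make_demo_pki "$dir"
  if chain_trusted "$dir/ca.crt" "$dir/machine.crt"; then
    echo "issuer present in trust store: chain OK"
  fi
  if ! chain_trusted "$dir/other.crt" "$dir/machine.crt"; then
    echo "issuer missing from trust store: chain rejected (the browser-warning case)"
  fi
  make_p12 "$dir"
  echo "certificates in machine.p12: $(p12_cert_count "$dir/machine.p12")"
  rm -rf "$dir"
}

demo
```

Run the script as-is to see the offline walk-through; against a real environment, call show_machine_ssl with your vCenter or PSC FQDN and compare the issuer it prints with what is loaded into the Trusted Roots store. The certificate count only tells you whether the issuer chain was bundled into the PKCS#12 file; what SRM itself accepts in that file is the subject of KB 2011356 referenced at the top of the page.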