vSphere uses certificates to secure communication between the vCenter components and the ESXi nodes. This article briefly explains what vSphere vCenter certificates are and shows the steps to replace the SSL certificate with a custom CA certificate, using vSphere Certificate Manager as an example.
vSphere is the well-known virtualization product suite from VMware. To secure enterprise environments, vSphere uses certificates to encrypt communications between two nodes, such as a vCenter Server and an ESXi host, to authenticate vSphere services, and to perform internal actions such as signing tokens.
vSphere’s internal certificate authority, VMware Certificate Authority (VMCA), provides all the certificates necessary for the type-1 hypervisor ESXi and vCenter Server. VMCA is installed on every vCenter Server host, immediately securing the solution without any other modification. Keeping the default configuration provides the lowest operational overhead for certificate management. vSphere provides a mechanism to renew these certificates when a vCenter certificate has expired.
vSphere also provides a mechanism to replace certain certificates with your own. However, to keep your certificate management overhead low, it is suggested that you replace only the SSL certificate that provides encryption between nodes. Next, this article will show you the steps to replace SSL certificates using vCenter Certificate Manager.
If you want to replace the default certificates with CA-signed SSL certificates in vSphere 6.x and 7.x, VMware has pre-packaged the vSphere vCenter Certificate Manager utility to automate the replacement process. vSphere Certificate Manager can be used to implement default certificates, replace the VMCA certificate with a custom CA certificate, and replace all vSphere certificates and keys with custom CA certificates and keys.
The next part shows, as an example, the steps to replace the SSL certificate with a custom CA certificate using vSphere vCenter Certificate Manager.
Steps to replace SSL Certificate with a Custom CA Certificate using vSphere Certificate Manager
1. Execute the following command for your platform to launch the vSphere Certificate Manager:
Windows vCenter Server:
"C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager"
vCenter Server Appliance:
/usr/lib/vmware-vmca/bin/certificate-manager
2. You are then presented with 8 options.
3. To replace the SSL certificate with a custom Certificate Authority (CA) signed certificate, select Option 1. Replace Machine SSL certificate with Custom Certificate.
4. Provide the administrator@vsphere.local password when prompted.
5. Select Option 1. Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate.
6. Enter the directory in which you want to save the certificate signing request and the private key.
7. Provide vmca_issued_csr.csr to your Certificate Authority to generate a Machine SSL Certificate, and name the resulting file machine_name_ssl.cer.
8. Return to the vSphere 6.x Certificate Manager and select Option 1. Continue to importing Custom certificate(s) and key(s) for Machine SSL certificate.
9. Provide the full paths to machine_name_ssl.cer, vmca_issued_key.key, and the CA certificate Root64.cer.
10. Answer Yes (Y) to the confirmation request to proceed.
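A pre-import check for the files named in step 9, as an added example that is not part of the original article or of VMware's tooling: it uses the openssl CLI to confirm that the CA-issued certificate matches the generated private key, chains to the CA root, and has not expired. The function names, the return codes and the throwaway demo CA (ca.key, "Demo Root CA", vcsa.example.test) are assumptions made for illustration; the other file names follow the steps above.

```shell
#!/bin/sh
# Added example: sanity-check the three files before importing them in step 9.

# check_machine_ssl CERT KEY CA_ROOT
# Returns 0 when all checks pass; 2 unreadable input, 3 key mismatch,
# 4 chain failure, 5 expired certificate (return codes are this example's own).
check_machine_ssl() {
  cert=$1 key=$2 ca=$3
  # Public key embedded in the issued certificate
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
    || { echo "unreadable certificate: $cert"; return 2; }
  # Public key derived from the private key created with the CSR
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
    || { echo "unreadable private key: $key"; return 2; }
  [ "$cert_pub" = "$key_pub" ] \
    || { echo "certificate does not match private key"; return 3; }
  # The certificate must verify against the CA root supplied alongside it
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "certificate does not chain to $ca"; return 4; }
  # -checkend 0 fails if the certificate has already expired
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 \
    || { echo "certificate has already expired"; return 5; }
  echo "ok: key matches, chain verifies, not expired"
}

# make_demo_files DIR
# Constructed sample input: a throwaway CA plus a key, CSR and issued
# certificate named like the files in the steps above. Not for production use.
make_demo_files() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
    -keyout "$d/ca.key" -out "$d/Root64.cer" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=vcsa.example.test" \
    -keyout "$d/vmca_issued_key.key" -out "$d/vmca_issued_csr.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/vmca_issued_csr.csr" -CA "$d/Root64.cer" \
    -CAkey "$d/ca.key" -CAcreateserial -days 1 \
    -out "$d/machine_name_ssl.cer" 2>/dev/null
}

# Usage against the real files from steps 6 to 8 (paths are placeholders):
#   check_machine_ssl /path/machine_name_ssl.cer /path/vmca_issued_key.key /path/Root64.cer
```

A non-zero result points at the file to fix before returning to Certificate Manager: a key mismatch usually means the certificate was issued from a different CSR than the one generated in step 5.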
vCenter Server is a very convenient official platform for centrally managing ESXi virtual environments and the large numbers of VMs on them. However, it does not provide virtual machine backup, which makes backup software a commonly accepted choice.
Here I introduce AOMEI Cyber Backup, a VMware backup software that enables you to back up multiple VMs in 3 simple steps. It offers the following benefits.
✦ Agentless Backup: create complete and independent image-level backups for VMware ESXi and Hyper-V VMs.
✦ Support Free ESXi: support both paid and free versions of VMware ESXi.
✦ Batch VM Backup: batch back up large numbers of VMs managed by vCenter Server, or multiple VMs on a standalone ESXi host.
✦ Multiple Storage Destinations: back up to a local drive, or to network destinations like a Windows share or NAS.
✦ Automated Execution: create backup schedules to automate backups daily, weekly, or monthly.
Next, I will show you how to back up multiple VMware ESXi VMs via AOMEI Cyber Backup. A 30-day free trial is available for download.
*You can choose to install this VM backup software on either a Windows or a Linux system.
1. Bind Devices: Access the AOMEI Cyber Backup web client, navigate to Source Device > VMware > + Add VMware Device to add a vCenter or standalone ESXi host, and then click … > Bind Device.
2. Create Backup Task: Navigate to Backup Task > + Create New Task, and then set Task Name, Backup Type, Device, Target, Schedule, and Cleanup.
3. Run Backup: Click Start Backup and select Add the schedule and start backup now, or Add the schedule only.
Created backup tasks are listed and monitored separately, for restoring, progress checking and schedule changing.
When restoring, you can also restore to a new location to create a new VM in the same or another datastore/host directly from the backup, saving the trouble of re-configuring the new VM.
VMware uses certificates to ensure secure SSL communication between the vCenter components and the ESXi nodes. In this article, I introduced what a vSphere vCenter certificate is and showed the steps to replace the SSL certificate with a custom CA certificate using vSphere Certificate Manager.
However, you cannot use vCenter Server to back up VMware ESXi VMs and protect the VM data. Therefore, to ensure the security of VM data, you can try AOMEI Cyber Backup. Besides backup and restore, it also allows one administrator to create sub-accounts with limited privileges to help avoid errors.