What is vSphere vCenter Certificate and How to Replace It
vSphere uses certificates to secure communication between vCenter components and ESXi hosts. This article briefly explains what a vSphere vCenter certificate is and shows, as an example, the steps to replace the Machine SSL certificate with a custom CA-signed certificate using vSphere Certificate Manager.
What is vCenter certificate
vSphere is VMware's well-known virtualization product suite. To secure enterprise deployments, vSphere uses certificates to encrypt communication between two nodes (for example a vCenter Server and an ESXi host), to authenticate vSphere services, and to perform internal actions such as signing tokens.
vSphere's internal certificate authority, VMware Certificate Authority (VMCA), provides all the certificates required by the ESXi type-1 hypervisor and vCenter Server. VMCA is installed on every vCenter Server host, so the deployment is secured immediately without any further modification. Keeping the default configuration gives the lowest operational overhead for certificate management, and vSphere provides a mechanism to renew these certificates when a vCenter certificate expires.
vSphere also lets you replace certain certificates with your own. To keep certificate management overhead low, however, it is recommended that you replace only the SSL certificate that provides encryption between nodes. The rest of this article shows the steps to replace SSL certificates using vSphere Certificate Manager.
Recommended options for managing certificates
- VMCA Default Certificates: Simplest and lowest overhead. VMCA can manage the certificate life cycle for vCenter Server and ESXi hosts.
- VMCA Default Certificates with External SSL Certificates (Hybrid Mode): replace the vCenter Server SSL certificates and let VMCA manage the certificates for solution users and ESXi hosts, or replace the ESXi host SSL certificates as well. This mode is simple and secure: VMCA manages the internal certificates while you get the benefit of corporate-approved SSL certificates that your browsers already trust.
How to use vSphere Certificate Manager to Replace SSL Certificates
If you want to replace the default certificates with CA-signed SSL certificates in vSphere 6.x and 7.x, VMware ships the vSphere Certificate Manager utility to automate the replacement process. vSphere Certificate Manager can be used to reset to the default certificates, replace the VMCA certificate with a custom CA certificate, and replace all vSphere certificates and keys with custom CA certificates and keys.
The next part shows, as an example, how to use vSphere Certificate Manager to replace the Machine SSL certificate with a custom CA-signed certificate.
Steps to replace SSL Certificate with a Custom CA Certificate using vSphere Certificate Manager
1. Execute the following commands to launch the vSphere Certificate Manager:
Windows vCenter Server:
C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager
vCenter Server Appliance:
/usr/lib/vmware-vmca/bin/certificate-manager
2. You are then presented with 8 options:
- 1. Replace Machine SSL certificate with Custom Certificate
- 2. Replace VMCA Root certificate with Custom Signing Certificate and replace all Certificates
- 3. Replace the Machine SSL certificate with a VMCA Certificate
- 4. Regenerate a new VMCA Root Certificate and replace all certificates
- 5. Replace Solution user certificates with Custom Certificates
- 6. Replace the Solution user certificates with VMCA Certificates
- 7. Revert last performed operation by re-publishing old certificates
- 8. Reset all Certificates
3. To replace the SSL certificate with a custom Certificate Authority (CA) signed certificate, select Option 1. Replace Machine SSL certificate with Custom Certificate.
4. Provide the SSO administrator password (administrator@vsphere.local by default) when prompted.
5. Select Option 1. Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate.
6. Enter the directory in which you want to save the certificate signing request and the private key.
7. Provide vmca_issued_csr.csr to your Certificate Authority to generate a Machine SSL certificate, and name the returned file machine_name_ssl.cer.
8. Return to the vSphere 6.x Certificate Manager and select Option 1. Continue to importing Custom certificate(s) and key(s) for Machine SSL certificate.
9. Provide the full paths to machine_name_ssl.cer, vmca_issued_key.key, and the CA certificate Root64.cer.
10. Answer Yes (Y) to the confirmation request to proceed.
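The files handled in steps 6 to 9 are ordinary PEM files, so the usual mistakes (a certificate that does not match the generated key, a chain that does not validate against the Root64.cer you are about to import, a certificate whose subjectAltName lacks the vCenter FQDN, or one that is already close to expiry) can all be caught with OpenSSL before step 9 restarts vCenter services with the new certificate. The script below is an added example, not code from the original article and not a VMware tool: the file names follow the article, while the FQDN vcenter.example.internal and the helper names check_machine_ssl and make_demo_material are assumptions; make_demo_material builds a constructed throwaway CA and leaf purely so the checks can run offline.

```shell
#!/bin/sh
# Pre-import checks for a CA-signed Machine SSL certificate (added example,
# not a VMware tool). Run it against the files from steps 7-9 before handing
# them to certificate-manager, so a bad file is rejected before vCenter
# services restart with it.
#
# Usage: ./check_machine_ssl.sh machine_name_ssl.cer vmca_issued_key.key Root64.cer vcenter.example.internal

# check_machine_ssl CERT KEY CA_CHAIN FQDN -> returns 0 only if every check passes
check_machine_ssl() {
  cert=$1; key=$2; ca=$3; fqdn=$4

  # 1. The certificate must belong to the private key generated with the CSR.
  #    Comparing the public key (SPKI) works for RSA and EC keys alike.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
    || { echo "FAIL: cannot read certificate $cert"; return 1; }
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
    || { echo "FAIL: cannot read private key $key"; return 1; }
  [ "$cert_pub" = "$key_pub" ] \
    || { echo "FAIL: certificate does not match private key"; return 1; }

  # 2. The certificate must chain to the CA file that will be imported as Root64.cer.
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "FAIL: chain does not validate against $ca"; return 1; }

  # 3. Browsers and ESXi hosts match on subjectAltName, not CN, so the vCenter
  #    FQDN must be listed there (dots in the FQDN are matched loosely by grep -E).
  openssl x509 -in "$cert" -noout -text | grep -Eq "DNS:$fqdn(,|[[:space:]]|\$)" \
    || { echo "FAIL: subjectAltName does not contain DNS:$fqdn"; return 1; }

  # 4. Refuse a certificate that expires within 30 days (2592000 seconds).
  openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null \
    || { echo "FAIL: certificate expires within 30 days"; return 1; }

  echo "OK: $cert is ready for certificate-manager option 1"
  return 0
}

# make_demo_material DIR FQDN: builds a CONSTRUCTED throwaway root CA and a
# SAN-bearing leaf signed by it, using the file names the article uses, so the
# checks above can be exercised offline. Never use this material on a real vCenter.
make_demo_material() {
  dir=$1; demo_fqdn=$2
  # Throwaway root CA (stands in for the corporate CA's Root64.cer)
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Constructed Demo Root CA" \
    -keyout "$dir/ca.key" -out "$dir/Root64.cer" >/dev/null 2>&1 || return 1
  # CSR and key, as certificate-manager's "Generate CSR and key" step would produce
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$demo_fqdn" \
    -keyout "$dir/vmca_issued_key.key" -out "$dir/vmca_issued_csr.csr" >/dev/null 2>&1 || return 1
  # The CA signs the CSR and adds the subjectAltName extension
  printf 'subjectAltName=DNS:%s\n' "$demo_fqdn" > "$dir/san.ext"
  openssl x509 -req -days 365 -in "$dir/vmca_issued_csr.csr" \
    -CA "$dir/Root64.cer" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/san.ext" -out "$dir/machine_name_ssl.cer" >/dev/null 2>&1 || return 1
}

# When invoked with four arguments, run the checks on the given files.
if [ "$#" -eq 4 ]; then
  check_machine_ssl "$@"
  exit $?
fi
```

Copy the script to the appliance (or any host with OpenSSL) and run it with the three files and your vCenter FQDN; only an "OK" result should be followed by step 9. The chain check assumes Root64.cer contains the full issuing chain, which is also what certificate-manager expects.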
Protect VMs on VMware ESXi hosts or vCenter Server via backup
vCenter Server is a convenient official platform for centrally managing ESXi environments and the large numbers of VMs running on them. However, it does not provide a virtual machine backup feature, which makes third-party backup software the common choice.
Here I introduce AOMEI Cyber Backup, a VMware backup tool that lets you back up multiple VMs in 3 simple steps. It offers the following benefits.
✦ Agentless Backup: create complete and independent image-level backups of VMware ESXi and Hyper-V VMs.
✦ Support for Free ESXi: supports both the paid and the free versions of VMware ESXi.
✦ Batch VM Backup: batch back up large numbers of VMs managed by vCenter Server, or multiple VMs on a standalone ESXi host.
✦ Multiple Storage Destinations: back up to a local drive, or to network destinations such as a Windows share or a NAS.
✦ Automated Execution: create backup schedules to run backups daily, weekly, or monthly.
Next, I will show you how to back up multiple VMware ESXi VMs with AOMEI Cyber Backup. Click the following button to download the 30-day free trial.
*You can install this VM backup software on either a Windows or a Linux system.
3 steps to create a VMware ESXi VM backup task
1. Bind Devices: Log in to the AOMEI Cyber Backup web client, navigate to Source Device > VMware > + Add VMware Device, and add a vCenter or standalone ESXi host. Then click … > Bind Device.
2. Create Backup Task: Navigate to Backup Task > + Create New Task, and then set Task Name, Backup Type, Device, Target, Schedule, and Cleanup.
- Device: batch select large numbers of VMs managed by vCenter Server for centralized backup.
- Target: select whether to back up to a local path or to a network path.
- Schedule (optional): perform full, differential, or incremental backup, and automate execution according to the frequency you specified.
- Cleanup (optional): automatically delete the old backup copies that exceed the retention period you specified.
3. Run Backup: Click Start Backup and select Add the schedule and start backup now, or Add the schedule only.
Created backup tasks are listed and monitored separately, so you can restore from them, check their progress, and change their schedules.
When restoring, you can also restore to a new location to create a new VM in the same or another datastore/host directly from the backup, which saves you from re-configuring the new VM.
Summary
VMware uses certificates to secure SSL communication between vCenter components and ESXi nodes. In this article, I explained what a vSphere vCenter certificate is and showed the steps to replace the SSL certificate with a custom CA-signed certificate using vSphere Certificate Manager.
However, vCenter Server itself cannot back up VMware ESXi VMs and protect the VM data. To protect your VM data, you can try AOMEI Cyber Backup. Besides backup and restore, it also allows an administrator to create sub-accounts with limited privileges to avoid mistakes.