I got a question from someone internally asking whether it is possible to renew the VMCA-signed certificate on SDDC Manager in a VCF instance. For context, out of the box the SDDC Manager certificate is signed by the VMCA on the management domain vCenter Server, but there is no supported way to renew that certificate. So before the VMCA-issued certificate expires, you must replace it with a certificate signed by your internal CA or by an external third-party CA.
That said, it is possible to use the VMCA to renew the certificate on SDDC Manager. Here are the notes I kept from doing this previously in the lab.
Disclaimer: This is not officially supported by VMware/Broadcom, use at your own risk.
First, generate a CSR for SDDC Manager in the normal way using the SDDC Manager UI. The matching private key is written on SDDC Manager to /var/opt/vmware/vcf/commonsvcs/workdir/vcf_https.key, which is why it is moved into place in the install steps below.
Download the CSR as sfo-vcf01.sfo.rainpole.io.csr
SSH to the management vCenter Server and do the following
mkdir /tmp/certs
upload the CSR to /tmp/certs (for example with scp)
cd /tmp/certs
vi /tmp/certs/cert.cfg
# cert.cfg contents, replacing the FQDN appropriately
[ req ]
req_extensions = v3_req
[ v3_req ]
extendedKeyUsage = serverAuth, clientAuth
authorityKeyIdentifier=keyid,issuer
authorityInfoAccess = caIssuers;URI:https://sfo-m01-vc01.sfo.rainpole.io/afd/vecs/ca
Save /tmp/certs/cert.cfg. Note that openssl x509 -req applies only the extensions listed in the section named by -extensions (v3_req here); by default it does not copy the subjectAltName or any other extension from the CSR. If you want the SAN on the issued certificate (modern TLS clients require it), add a subjectAltName entry for the SDDC Manager FQDN to the v3_req section before signing.
On the management vCenter Server, generate the certificate, signing the CSR with the VMCA root key (adjust -days to the validity you want)
openssl x509 -req -days 365 -in sfo-vcf01.sfo.rainpole.io.csr -out sfo-vcf01.sfo.rainpole.io.crt -CA /var/lib/vmware/vmca/root.cer -CAkey /var/lib/vmware/vmca/privatekey.pem -extensions v3_req -CAcreateserial -extfile cert.cfg
Create a certificate chain (leaf certificate first, then the VMCA root)
cat sfo-vcf01.sfo.rainpole.io.crt >> sfo-vcf01.sfo.rainpole.io.chain.pem
cat /var/lib/vmware/vmca/root.cer >> sfo-vcf01.sfo.rainpole.io.chain.pem
SSH to SDDC Manager to install the certificate (the old key and certificate are kept as backups so you can roll back if nginx rejects the new ones)
su
cp /etc/ssl/private/vcf_https.key /etc/ssl/private/old_vcf_https.key
mv /var/opt/vmware/vcf/commonsvcs/workdir/vcf_https.key /etc/ssl/private/vcf_https.key
cp /etc/ssl/certs/vcf_https.crt /etc/ssl/certs/old_vcf_https.crt
rm /etc/ssl/certs/vcf_https.crt
scp sfo-vcf01.sfo.rainpole.io.chain.pem from the management vCenter Server to /etc/ssl/certs/ on SDDC Manager
mv /etc/ssl/certs/sfo-vcf01.sfo.rainpole.io.chain.pem /etc/ssl/certs/vcf_https.crt
chmod 644 /etc/ssl/certs/vcf_https.crt
chmod 640 /etc/ssl/private/vcf_https.key
nginx -t && systemctl reload nginx
If nginx -t fails, restore old_vcf_https.key and old_vcf_https.crt to their original names before reloading. Otherwise you should now have renewed the VMCA-signed certificate on SDDC Manager; confirm it from a workstation with openssl s_client, checking that the issuer and expiry dates presented on port 443 are the new ones.