Adding SSL to vCenter Server

Trying to add SSL to vCenter Server using Certify.

I generated the CSR with vCenter and selected the .csr under Certificate -> Advanced -> Signing & Security in the CertifytheWeb Client.

When I go back to Certificate -> Domains, my email address shows up under domains. Then when I try to Test, Certify says “Could not verify URL is accessible: http://[email protected]/.well-known/acme-challenge/configcheck”

Any idea how to get around this?

Are you absolutely sure you need to generate a CSR in vCenter? Can’t it just use the normal certificate Certify The Web would generate (with its own CSR)?

Your CSR has an invalid subject name or SAN, if an email address is showing it’s because the CSR is wrong and needs to be generated again with only domains in the subject/SAN fields.

Well, no. But everything I keep finding says to do it. But I would think that I could just copy an already generated cert.

I just followed the CSR wizard. It required an email.

Certs are made up of two or more parts, your public certificate and your private key (which is a file you keep or one your server keeps), optionally also the “chain” of intermediate certificates.

Looking at this: Replace Default vCenter Certificate with a Free Let's Encrypt SSL - VirtuallyWired, it suggests you could use the certificate component files.

The disadvantage of providing a certificate like this is you will have to renew it manually every 90 days, the expiry for a Let’s Encrypt certificate; other CAs offer different defaults, but the most is 180 days from BuyPass, and Google etc. offer certs with an expiry as short as 1 day. Ideally you would have a way to script this certificate change/upload. I note in the comments of that article there are some command line options you can use for scripting.

To request a certificate you need to prove you control the domain, either using HTTP validation (where the Certificate Authority makes an HTTP request to the domain you provide) or DNS validation (where the Certificate Authority checks public DNS for a special _acme-challenge record in your domain’s DNS). So to get any certificate you first need to check that you can complete the validation step, so I would suggest manually entering your domain and trying to get a valid certificate issued first, then think about how to apply that to vCenter. Note also that if the name is just an internal DNS name you will not be able to use a public CA to issue that certificate. The private key you have is then used to generate the Certificate Signing Request (CSR), and normally we do all of that automatically rather than you providing it yourself. You would usually only provide your own CSR if you don’t control the private key.

Once you have a certificate, you can use the app to export that into the files you require using the Deploy to Generic Server task under Tasks > Deployment Tasks. PEM format files are just text, so you can open them in a text editor for copy/pasting. Options are set under Task Parameters, and I think you will need CA chain, key and cert. You then save the managed cert settings and click the ▶ button next to the task to try it out.

I’d recommend applying certs to a test system first, because if you apply an invalid certificate (or in an invalid way) etc it will affect your system access/availability.
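A small pre-flight check for the names that go into a CSR or into Certify’s Domains list, added here as an illustration and not part of the original thread or of Certify The Web’s own code. It reproduces the failure described above: an email address in the subject/SAN list turns into an unusable `http://user@host/.well-known/acme-challenge/...` URL, and an internal-only name (`.local` etc.) can never pass public validation. The `PRIVATE_SUFFIXES` list is an assumption for illustration, not an exhaustive list; the default token `configcheck` mirrors the path in the error message quoted earlier.

```python
"""Pre-flight validation of SAN / subject names before requesting an ACME cert.

Added example, not Certify The Web's code. Assumptions are marked inline.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# RFC 1123 hostname label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Suffixes that are not public TLDs, so a public CA cannot validate them.
# Assumption: illustrative list only, not exhaustive.
PRIVATE_SUFFIXES = ("local", "lan", "internal", "localdomain", "home", "corp")


@dataclass
class NameCheck:
    name: str
    ok: bool = True
    problems: List[str] = field(default_factory=list)
    # URL the CA would fetch for HTTP-01; None when HTTP-01 cannot be used.
    http01_url: Optional[str] = None
    # TXT record name the CA would look up for DNS-01.
    dns01_record: Optional[str] = None


def check_san_name(name: str, token: str = "configcheck") -> NameCheck:
    """Return what a CA would do with this name, or why it cannot be validated."""
    result = NameCheck(name=name)
    n = name.strip().lower()

    if "@" in n:
        result.problems.append(
            "looks like an email address; only DNS names belong in the subject/SAN"
        )
    if "://" in n or "/" in n:
        result.problems.append("contains a URL scheme or path; use the bare hostname")

    wildcard = n.startswith("*.")
    host = n[2:] if wildcard else n
    labels = host.split(".")

    if len(labels) < 2:
        result.problems.append("single-label name; a public CA needs a registered domain")
    for label in labels:
        if not _LABEL.match(label):
            result.problems.append(f"invalid DNS label {label!r}")
    if labels[-1] in PRIVATE_SUFFIXES:
        result.problems.append(
            f".{labels[-1]} is not a public TLD; a public CA cannot validate it"
        )

    result.ok = not result.problems
    if result.ok:
        # Wildcards can only be proven with DNS-01; everything else can use either.
        if not wildcard:
            result.http01_url = f"http://{host}/.well-known/acme-challenge/{token}"
        result.dns01_record = f"_acme-challenge.{host}"
    return result


def check_all(names: List[str]) -> List[NameCheck]:
    """Check every name that would go into one certificate; all must pass."""
    return [check_san_name(n) for n in names]


if __name__ == "__main__":
    # Constructed sample input: what a mis-filled CSR wizard might produce.
    sample = ["vcenter.example.com", "admin@vcenter.example.com", "vcenter.local", "*.example.com"]
    for r in check_all(sample):
        status = "OK " if r.ok else "BAD"
        print(f"{status} {r.name}")
        for p in r.problems:
            print(f"      - {p}")
        if r.http01_url:
            print(f"      HTTP-01: {r.http01_url}")
        if r.dns01_record:
            print(f"      DNS-01 : {r.dns01_record} TXT")
```

Run it over the Domains list before clicking Test: anything flagged BAD will fail the HTTP or DNS validation step no matter how the resulting files are later fed to vCenter, so it is cheaper to fix the name list first.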

You are amazing! I’m not sure how I missed that article but I did. I used his powershell script and it worked flawlessly.

I think my issue was I wasn’t sure how to properly format the certificates so that vCenter would take them without throwing errors.

Thank you so much for the help!

Best!!


Excellent, glad you got it working!