vCenter VCSA ships with a default self-signed certificate, which is used for HTTPS communication on port 443.
There are three methods of certificate:
1. Self-signed certificate
2. Custom certificate
3. VMCA
We are discussing a vCenter whose certificate has been replaced with either a custom or a VMCA certificate. I am using the custom method. Most organizations have their own CA server, either local or outsourced, or use a public CA service.
On an embedded vCenter you need to replace the certificate on one appliance only; in case of an external vCenter you need to replace it on both the PSC and the vCenter.
Before and after replacing the certificate, you can check the SSL certificate details with this command:
openssl s_client -connect localhost:443
In this article we are going to secure LDAP on the VCSA, i.e. the LDAP (Secure) option in the PSC Identity Source Configuration wizard.
vCenter LDAP is integrated in the PSC. If it is an embedded vCenter, you can perform these steps on the vCenter. If the vCenter is external, you need to perform these steps on the PSC, not on the vCenter.
Before doing this LDAP certificate replacement/binding, ensure that the vCenter custom SSL certificate has already been replaced.
Also check that the certificate key usage is correct: it should show exactly Digital Signature, Key Encipherment (a0).
Let's start with the steps. In this case I am doing the LDAP 636 binding on an external PSC certificate.
Please find the detailed steps below:
Ensure you have taken a VM snapshot of the PSC and vCenter in the powered-off state.
1. Take a backup of the original certificate files.
cd /usr/lib/vmware-vmdir/share/config/
mkdir temp
cp vmdircert.pem temp/
cp vmdirkey.pem temp/
cd temp/
ls -ltrh
2. Fetch the Machine SSL certificate and key and store them in the following location:
cd /var/core/
/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output /var/core/Machine_SSL.crt
/usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output /var/core/Machine_SSL.key
ls -ltrh
cp Machine_SSL.crt vmdir.cert
cp Machine_SSL.key vmdir.key
ls -ltrh
Note: Verify that the vmdir.cert created above has the ROOT certificate intact.
cat vmdir.cert
It should be in the following format and in the same order:
-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate: your_domain_name.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Root certificate: TrustedRoot.crt)
-----END CERTIFICATE-----
3. Move the cert and key to the certificate config location.
mv vmdir.cert /usr/lib/vmware-vmdir/share/config/
mv vmdir.key /usr/lib/vmware-vmdir/share/config/
cd /usr/lib/vmware-vmdir/share/config/
ls -l
4. Take a snapshot
Shut down all vCenter servers in order: VB3 Branch VC, VB2 Branch VC and VB1 Branch VC.
Then shut down all PSCs in order: VB3 Branch PSC, VB2 Branch PSC and VB1 Branch PSC.
Take a snapshot of all PSCs and vCenters.
Power on PSC1; once it is completely up, check the services, then power on PSC 2 and PSC 3.
Once all 3 PSCs are up, power on the VB1 vCenter.
Verify VB1 is up, then power on the VB2 vCenter.
Verify VB2 is up, then power on the VB3 vCenter.
Once all 3 vBlocks are up, let's proceed further.
5. Stop the vmdir service.
cd /usr/lib/vmware-vmdir/share/config
ls -l
service-control --stop vmdird
6. Remove the current vmdir certificate and rename the new files.
rm vmdirkey.pem
rm vmdircert.pem
mv vmdir.cert vmdircert.pem
mv vmdir.key vmdirkey.pem
7. Start the vmdir service.
service-control --start vmdird
8. Delete the temporary files created earlier.
cd /var/core/
ls -l
rm Machine_SSL.crt
rm Machine_SSL.key
ls -l
9. Verify that the same set of certificates is in use for ports 636 and 443.
openssl s_client -connect localhost:443
openssl s_client -connect localhost:636
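As an added check, not part of the article's own commands, the shell functions below verify what the steps above depend on: the leaf key usage is exactly Digital Signature, Key Encipherment; vmdir.cert lists the leaf first and the root last; vmdir.key belongs to the leaf; and, after the swap, ports 443 and 636 present the same certificate. They assume only that openssl is on PATH; the function names are mine.

```shell
# Pre-flight checks for the vmdir.cert / vmdir.key pair built in step 2, and the
# port 443 vs 636 comparison from the last step. Constructed example, not VMware
# code; it assumes only that openssl is on PATH.

# Number of PEM certificates in a bundle (expect 2: leaf first, then root).
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Print the Nth certificate (1-based) of a PEM bundle.
nth_cert() {
  awk -v n="$2" '/BEGIN CERTIFICATE/{c++} c==n{print} /END CERTIFICATE/{if (c==n) exit}' "$1"
}

# Subject or issuer DN from stdin, with the "subject=" / "issuer=" prefix removed.
dn() { openssl x509 -noout "-$1" | sed 's/^[^=]*= *//'; }

# Leaf key usage must be exactly Digital Signature + Key Encipherment (mask a0).
key_usage_ok() {
  usage=$(nth_cert "$1" 1 | openssl x509 -noout -text |
          awk '/X509v3 Key Usage/ {getline; sub(/^[ \t]+/, ""); print; exit}')
  [ "$usage" = "Digital Signature, Key Encipherment" ]
}

# Order check: entry 1 is the leaf (issuer != subject), issued by the last entry,
# which is the self-signed root (issuer == subject).
chain_order_ok() {
  n=$(cert_count "$1"); [ "$n" -ge 2 ] || return 1
  leaf_subject=$(nth_cert "$1" 1 | dn subject); leaf_issuer=$(nth_cert "$1" 1 | dn issuer)
  root_subject=$(nth_cert "$1" "$n" | dn subject); root_issuer=$(nth_cert "$1" "$n" | dn issuer)
  [ "$leaf_subject" != "$leaf_issuer" ] && [ "$leaf_issuer" = "$root_subject" ] &&
  [ "$root_subject" = "$root_issuer" ]
}

# The key must belong to the leaf certificate (compare the public keys).
key_matches_cert() {
  [ "$(nth_cert "$1" 1 | openssl x509 -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# SHA-256 fingerprint of the certificate presented on host:port, via the same
# s_client call the article uses to inspect 443 and 636.
served_fingerprint() {
  openssl s_client -connect "$1" </dev/null 2>/dev/null | openssl x509 -noout -fingerprint -sha256
}

# After the swap, 443 (Machine SSL) and 636 (vmdir) must present the same cert.
same_cert_on_443_and_636() {
  [ "$(served_fingerprint localhost:443)" = "$(served_fingerprint localhost:636)" ]
}

# Run all file checks; exit status 0 only when every one passes.
preflight() { key_usage_ok "$1" && chain_order_ok "$1" && key_matches_cert "$1" "$2"; }
```

Run `preflight vmdir.cert vmdir.key` in /var/core before step 3, and `same_cert_on_443_and_636` on the PSC after the services are back up.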
Restart all PSC services.
Next, restart all vCenter services.
If the LDAP certificate replacement has no issue, all services will start in a timely manner. If there is any issue while restarting the vCenter services, the restart will get stuck on the Inventory Service or VPXD; immediately roll back to the snapshot taken earlier.
Correct the applied vCenter and PSC certificate and try these steps again.