Part of our vCenter build out design was to put the vCenters as a Sub CA of the corporate PKI infrastructure. After doing so…We found an interesting bug or missing step in the procedure.
Instead of reinventing a perfectly good blog post with great detail. Here is what I followed for building out the vCenters as a Sub CA.
It goes into great detail and has great pictures to follow for all you Lego people.
After you complete all the steps for setting up your vCenter as a Sub CA it will work great…………………….except one part! Your VAMI will still have the old cert.
Extremely frustrating. There is a workaround for this issue. But there is a bug in the workaround of this issue. It’s missing some details for people like you and me because we are running as a Sub CA.
VMware KB: https://kb.vmware.com/s/article/2136693
- Log in to the vCenter Server Appliance through SSH.
- Type shell and press Enter.
- Copy CA cert chain to:vcsa-a:/ssl/machineSSL # cp cachain.cer /etc/applmgmt/appliance/ca.crt
The issue is that your certs are not located in the location above. So instead of using /ssl/machineSSL use this location /etc/vmware/vmware-vmafd
and use this command instead.
- Open the /opt/vmware/etc/lighttpd/lighttpd.conf file using a text editor:
- Add the entry:ssl.ca-file=”/etc/applmgmt/appliance/ca.crt”
- Restart the VAMI service:/etc/init.d/vami-lighttp restart