vCenter 6.5 as a Sub CA and Configuring the VAMI cert.

Part of our vCenter build-out design was to put the vCenters as a Sub CA of the corporate PKI infrastructure. After doing so, we found an interesting bug, or rather a missing step, in the procedure.

Instead of reinventing a perfectly good blog post with great detail, here is what I followed for building out the vCenters as a Sub CA.

It goes into great detail and has great pictures to follow, for all you Lego people.

After you complete all the steps for setting up your vCenter as a Sub CA it will work great... except for one part! Your VAMI will still have the old cert.

Extremely frustrating. There is a workaround for this issue, but there is a bug in the workaround: it is missing some details for people like you and me who are running as a Sub CA.

VMware KB:

vCenter Server Appliance 6.5 & 6.7:
  1. Log in to the vCenter Server Appliance through SSH.
  2. Type shell and press Enter.
  3. Copy the CA cert chain to /etc/applmgmt/appliance/ca.crt:

         vcsa-a:/ssl/machineSSL  # cp cachain.cer /etc/applmgmt/appliance/ca.crt

The issue is that on a Sub CA your certs are not in the location above. So instead of /ssl/machineSSL, use /etc/vmware/vmware-vmafd, and use this command instead:

         vcsa-a:/etc/vmware/vmware-vmafd  # cp ca.crt /etc/applmgmt/appliance/ca.crt
  4. Open the /opt/vmware/etc/lighttpd/lighttpd.conf file using a text editor.
  5. Add the "/etc/applmgmt/appliance/ca.crt" entry.
  6. Restart the VAMI service: /etc/init.d/vami-lighttp restart
Now the next time you log into your VAMI, all will be right in the world again, and you won't have security hounding you anymore.
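As an added example (my own script, not code from this post or from VMware): a small shell helper that performs the Sub CA variant of the steps above and checks its own work. It assumes the three paths named in the post, assumes the line the KB has you add to lighttpd.conf is lighttpd's ssl.ca-file directive (the post does not name the directive, so treat that as an assumption), and uses port 5480 for the VAMI. The count of certs in the chain file is what catches the wrong-file mistake on a Sub CA, the config edit is idempotent and keeps a backup, and the openssl check at the end confirms that the VAMI now serves a chain that validates against the corporate root.

```shell
#!/bin/sh
# Added example, not from the original post or the VMware KB: a helper for
# the Sub CA variant of the VAMI certificate fix described above.
# Assumptions (labelled): the three paths below are the ones named in the
# post; "ssl.ca-file" is a lighttpd directive, and that it is the line the
# KB has you add to the VAMI lighttpd.conf is an assumption of this script.
VMAFD_CA="${VMAFD_CA:-/etc/vmware/vmware-vmafd/ca.crt}"
VAMI_CA="${VAMI_CA:-/etc/applmgmt/appliance/ca.crt}"
LIGHTTPD_CONF="${LIGHTTPD_CONF:-/opt/vmware/etc/lighttpd/lighttpd.conf}"

# Number of PEM certificates in a file (0 if the file is missing). On a
# Sub CA the file should hold the whole chain, issuing CA plus root; a
# single cert is the symptom that the wrong file was copied.
pem_cert_count() {
    if [ -r "$1" ]; then
        grep -c 'BEGIN CERTIFICATE' "$1" || true
    else
        echo 0
    fi
}

# Succeeds when the config already references the CA path (idempotency).
conf_references_ca() {
    grep -q -F "$2" "$1" 2>/dev/null
}

# Append the CA directive once, keeping a timestamped backup of the config.
# Prints "already present" when nothing had to change, "added" otherwise.
ensure_ca_directive() {
    if conf_references_ca "$1" "$2"; then
        echo "already present"
        return 0
    fi
    cp "$1" "$1.bak.$(date +%Y%m%d%H%M%S)"
    printf '\nssl.ca-file = "%s"\n' "$2" >> "$1"
    echo "added"
}

vami_fix() {
    n=$(pem_cert_count "$VMAFD_CA")
    if [ "$n" -lt 2 ]; then
        echo "expected a CA chain (Sub CA + root) in $VMAFD_CA, found $n cert(s)" >&2
        return 1
    fi
    cp "$VMAFD_CA" "$VAMI_CA"
    ensure_ca_directive "$LIGHTTPD_CONF" "$VAMI_CA"
    /etc/init.d/vami-lighttp restart
    # Check what the VAMI (port 5480) now serves against the chain we installed;
    # "Verify return code: 0 (ok)" means a client trusting the corporate root
    # will accept it.
    if command -v openssl >/dev/null 2>&1; then
        openssl s_client -connect localhost:5480 -CAfile "$VAMI_CA" </dev/null 2>/dev/null \
            | grep 'Verify return code'
    fi
}

# Run only when invoked as "sh vami-subca-fix.sh apply", so sourcing the
# file for its helper functions has no side effects.
if [ "${1:-}" = "apply" ]; then
    vami_fix
fi
```

Run it as root on the appliance with `sh vami-subca-fix.sh apply`; if the chain file holds fewer than two certs it stops before touching anything, which is the case where the /ssl/machineSSL location from the KB would have left you with the wrong file.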

About childebrandt42

I am a jack of all trades and a master of a few things. Manage an enterprise VDI deployment for a living. Automate things, work on my media server and fish for hobbies. Monkey tamer at home!
This entry was posted in Certificates, Virtualization.