Replace the vCenter self-signed certificate with a 3rd-party certificate

07/06/2023

Welcome to TechLevelUp.net! My name is Trevor Harris, and I have been a server admin for over a year. Prior to that, I worked on the IT Help Desk for over a year.

My goal with this site is to document my evolving journey in the IT world, both for myself and for others who might find the information contained here useful on their journey too! As I am currently working on obtaining a free SSL cert for my vCenter server in my home lab, I figured that would make for a good first blog post! 😊


Replacing the self-signed Machine SSL Certificate in vCenter

As you can see below, my vCenter login page displays a “Not secure” message because the site is using the default certificate, which is issued by vCenter’s built-in VMware Certificate Authority (VMCA) and is effectively self-signed as far as any browser is concerned. In order for my computer to trust it, I must either download that VMCA root certificate and add it to my computer’s trusted root store, or I can get a real cert from a publicly trusted CA (certificate authority) like Let’s Encrypt.

vCenter – not secure! 🙁



I happen to own the domain agapitoharris.com, which I purchased from Hostinger for only $0.99 per month, but without the “premium” web hosting add-on, Hostinger does not allow SSH access to a webserver, so I cannot use the method recommended by Let’s Encrypt to get a free cert. Instead, since Hostinger does allow me to manage DNS records for my domain, I can use the manual method.

To do this, I will install certbot on an Ubuntu computer by running the command:

sudo snap install certbot --classic

Important! Older versions of certbot (for example the one you get from sudo apt-get install certbot on older Ubuntu releases) do not have the --preferred-chain option, so they hand you Let’s Encrypt’s default “long” chain, which ends in ISRG Root X1 cross-signed by DST Root CA X3. That old root expired in September 2021; browsers cope with it, but vCenter validates the whole chain and will tell you the cert has expired. Install certbot as per the official documentation (the snap above) so that you can pass --preferred-chain and end up with a chain that terminates in the self-signed ISRG Root X1.

Once installed, I will run the command below in order to obtain a free certificate for vcenter.local.agapitoharris.com:

sudo certbot certonly --manual --preferred-challenges dns -d vcenter.local.agapitoharris.com --email trevor@agapitoharris.com --agree-tos --key-type rsa --preferred-chain "ISRG Root X1"

We have to ask for an RSA key because certbot 2.0 and later default to ECDSA keys, and vCenter will not accept an ECDSA Machine SSL certificate. The --preferred-chain "ISRG Root X1" parameter requests the short chain discussed above.
Upon running this command, certbot will ask me to create a DNS TXT record named _acme-challenge.vcenter.local.agapitoharris.com with the value it prints on screen.

Now, I will navigate to Hostinger’s site to create this record.

I will simply copy the value given to me by running the certbot command a moment ago (protip: to copy from the Linux terminal, use CTRL+Shift+C, not CTRL+C!) and then paste it in for the TXT record value.

Once I click Add Record, I can go back to my Ubuntu server and press Enter to complete the verification process. Give the record a moment to propagate first: certbot’s own prompt suggests verifying that the TXT record is visible before continuing, and if Let’s Encrypt queries the name before Hostinger’s nameservers serve it, the challenge fails and you have to re-run the command.

Certbot will tell me that my cert has been successfully created.

Now that my certificate files have been created, I need to grab them and apply them to vCenter. To make them easier to work with, I’m going to copy the cert + private key files to my SMB share so I can access them from my Windows machine. Bear in mind that privkey.pem is the private key of the new certificate (certbot keeps it readable by root only for a reason), so restrict who can read the share, or remove the copy once the key is on vCenter. For example,

sudo cp /etc/letsencrypt/live/vcenter.local.agapitoharris.com/fullchain.pem /home/trevor/smbshare/fullchain.pem

Upon opening the fullchain.pem file, we can see 2 certificates that have been chained together.
From top to bottom:
Cert 1 = our shiny new vCenter Machine cert
Cert 2 = Let’s Encrypt’s R3 intermediate CA

Note that the ISRG Root X1 certificate is not included in the fullchain.pem file (so much for it being a “full” chain, right? 😂). We will need that root CA cert later, so let’s go grab it from Let’s Encrypt’s website. Make sure you take the .pem of the self-signed ISRG Root X1 cert, not the one cross-signed by DST Root CA X3, or you are straight back to the expired-chain problem.
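Before any of this goes near vCenter it is worth checking the three ingredients against each other. The script below is an added example, not code from the original post: it prints the subject and issuer of every certificate in a bundle, checks that a chain ends in a self-signed, unexpired root (so the DST Root CA X3 cross-sign is caught), checks that the private key is RSA and belongs to the machine cert, and writes priv.pem, machine.pem and chain.pem in the layout certificate-manager will be fed. Because real Let’s Encrypt files cannot be shipped here, it builds a constructed lab PKI with openssl (Lab Root X1, Lab R3, vcenter.lab.example, plus an Old Root for the cross-sign); those names, the directory paths and the lab CA itself are assumptions. For a real run, point the functions at /etc/letsencrypt/live/<name>/privkey.pem, fullchain.pem and the downloaded root, and use "ISRG Root X1" as the expected root CN. It needs only sh, awk and openssl.

```shell
#!/bin/sh
# Added example (not code from the original post): check the files certbot wrote before
# they go anywhere near certificate-manager, and assemble priv.pem, machine.pem and
# chain.pem in the layout the post uses. The lab PKI at the bottom is a constructed
# stand-in for ISRG Root X1 -> R3 -> machine cert; every name in it is an assumption.
set -u

# Split PEM bundle $1 into $2/cert01.pem, $2/cert02.pem, ... in file order.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%02d.pem", dir, n) }
        n > 0 { print > f }
        /-----END CERTIFICATE-----/ { close(f) }' "$1"
}

# Subject or issuer ($2 = subject|issuer) of certificate file $1 in RFC 2253 form.
dn() { openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed "s/^$2= *//"; }

# Print "subject <- issuer" for every certificate in bundle $1, top to bottom.
show_chain() {
    d=$(mktemp -d); split_bundle "$1" "$d"
    for c in "$d"/cert*.pem; do printf '%s <- %s\n' "$(dn "$c" subject)" "$(dn "$c" issuer)"; done
    rm -rf "$d"
}

# Succeed only if the LAST certificate in bundle $1 is self-signed, unexpired and has CN $2.
# Let's Encrypt's default "long" chain ends in ISRG Root X1 cross-signed by DST Root CA X3;
# subject != issuer there, so it fails this check, as it fails in vCenter.
chain_ends_in_root() {
    d=$(mktemp -d); split_bundle "$1" "$d"
    last=$(ls "$d"/cert*.pem | tail -n 1)
    s=$(dn "$last" subject); i=$(dn "$last" issuer)
    openssl x509 -in "$last" -noout -checkend 0 >/dev/null 2>&1; fresh=$?
    rm -rf "$d"
    [ "$s" = "$i" ] && [ "$fresh" -eq 0 ] && case "$s" in "CN=$2"|"CN=$2,"*) return 0;; esac
    return 1
}

# Succeed only if private key $1 is RSA (vCenter refuses certbot's default ECDSA key)
# and its public half matches the first certificate in bundle $2.
key_matches_leaf() {
    openssl rsa -in "$1" -noout >/dev/null 2>&1 || return 1
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)   # -in reads the first cert only
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# Write priv.pem (mode 0600), machine.pem (leaf + intermediates + root) and chain.pem
# (intermediates + root) into $4 from privkey $1, fullchain $2 and root cert $3, then
# verify the leaf against them with openssl as an independent check.
build_vcenter_files() {
    mkdir -p "$4"; d=$(mktemp -d); split_bundle "$2" "$d"
    cp "$1" "$4/priv.pem"; chmod 600 "$4/priv.pem"
    cat "$2" "$3" > "$4/machine.pem"
    : > "$4/chain.pem"
    for c in "$d"/cert*.pem; do [ "$c" = "$d/cert01.pem" ] || cat "$c" >> "$4/chain.pem"; done
    cat "$3" >> "$4/chain.pem"; rm -rf "$d"
    openssl verify -CAfile "$3" -untrusted "$4/chain.pem" "$4/machine.pem" >/dev/null 2>&1
}

# Constructed lab PKI in $1: Lab Root X1 -> Lab R3 -> vcenter.lab.example, plus the same
# root cross-signed by "Old Root" to reproduce the DST Root CA X3 situation.
make_lab_chain() {
    d=$1; mkdir -p "$d"
    printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$d/req.cnf"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:vcenter.lab.example\n' > "$d/leaf.ext"
    for n in root old int leaf; do openssl genrsa -out "$d/$n.key" 2048 2>/dev/null; done
    csr() { openssl req -new -config "$d/req.cnf" -key "$d/$1.key" -subj "$2" -out "$d/$1.csr" 2>/dev/null; }
    csr root "/O=Lab/CN=Lab Root X1"; csr old "/O=Lab/CN=Old Root"
    csr int "/O=Lab/CN=Lab R3";       csr leaf "/CN=vcenter.lab.example"
    # sign: $1 = CSR name, $2 = extension file, $3 = output name, $4 = issuing CA name
    sign() { openssl x509 -req -days 3 -in "$d/$1.csr" -extfile "$d/$2" -out "$d/$3.pem" \
                 -CA "$d/$4.pem" -CAkey "$d/$4.key" -CAcreateserial >/dev/null 2>&1; }
    openssl x509 -req -days 3 -in "$d/root.csr" -signkey "$d/root.key" -extfile "$d/ca.ext" -out "$d/root.pem" >/dev/null 2>&1
    openssl x509 -req -days 3 -in "$d/old.csr"  -signkey "$d/old.key"  -extfile "$d/ca.ext" -out "$d/old.pem"  >/dev/null 2>&1
    sign int ca.ext int root; sign leaf leaf.ext leaf int; sign root ca.ext root-cross old
    cat "$d/leaf.pem" "$d/int.pem" > "$d/fullchain.pem"                      # what certbot writes
    cat "$d/leaf.pem" "$d/int.pem" "$d/root-cross.pem" > "$d/longchain.pem"  # the chain vCenter rejects
    cp "$d/leaf.key" "$d/privkey.pem"
}

# Demo on the lab PKI; for a real run point these at certbot's live/ directory and the
# downloaded ISRG Root X1, and use "ISRG Root X1" as the expected root CN.
lab=$(mktemp -d); make_lab_chain "$lab"
key_matches_leaf "$lab/privkey.pem" "$lab/fullchain.pem" && echo "privkey.pem is RSA and matches the machine cert"
build_vcenter_files "$lab/privkey.pem" "$lab/fullchain.pem" "$lab/root.pem" "$lab/vcenter" && echo "machine cert verifies against chain.pem + root"
for f in vcenter/machine.pem longchain.pem; do
    printf '\n%s:\n' "$f"; show_chain "$lab/$f"
    chain_ends_in_root "$lab/$f" "Lab Root X1" && echo "-> ends in the self-signed root: OK" \
        || echo "-> does NOT end in the self-signed root (cross-signed or expired): vCenter rejects this"
done
```

The demo prints the three-certificate machine.pem chain (leaf, Lab R3, Lab Root X1 signed by itself) and then the “long” variant whose last line reads Lab Root X1 <- Old Root, which is exactly the shape of the chain an old certbot produces and vCenter rejects. The openssl verify in build_vcenter_files is deliberately run with the root as the only trust anchor and chain.pem as untrusted input, so it exercises the same path-building vCenter has to do rather than trusting the intermediate outright.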

Next, we need to put those files on our vCenter server. You could probably use WinSCP or FileZilla to move them over, but instead I just copied and pasted the text of the files using old school vi. Here’s the process I followed:
1. SSH into the vCenter server using PuTTY with your root credentials. If you land in the appliance shell (the Command> prompt) rather than bash, type shell first. You are root from here on, so sudo is not needed.
2. Create a new directory and make it your current working directory: mkdir /home/trevor && cd /home/trevor
3. vi priv.pem
a. Paste the contents of privkey.pem into this file. This is the private key, so leave it readable by root only (chmod 600 priv.pem) and delete the copies on your SMB share once you are done.
4. vi machine.pem
a. Paste the contents of fullchain.pem, then add the self-signed ISRG Root X1 certificate to the end of the chain. Make sure there are no errant spaces or indentation and that every END CERTIFICATE line is followed by a newline; check the result with cat afterwards, because a mangled paste is the usual reason the import fails. In total you should have 3 certificates in this file (the two in fullchain.pem that you got from certbot + the root you downloaded from Let’s Encrypt’s website).
5. vi chain.pem
a. This file will contain ONLY the R3 intermediate + the ISRG Root X1 cert (in that order).
6. /usr/lib/vmware-vmca/bin/certificate-manager

Choose option 1 (Replace Machine SSL certificate with Custom Certificate), then option 2 (Import custom certificate(s) and key(s) to replace existing Machine SSL certificate). It will prompt for the SSO administrator password and then for the custom certificate (machine.pem), the key (priv.pem) and the signing certificate (chain.pem). The certificate’s name should match the FQDN vCenter knows itself by (here vcenter.local.agapitoharris.com); otherwise clients will still see a name-mismatch warning. Follow the prompts:

and voila!

Once this process is complete, your vCenter services will restart (expect the UI to be unavailable for a few minutes), and then when you visit your vCenter site, there is no more Not Secure message; we have a beautiful padlock ^_^ instead.

If we examine the cert we will see that it is going to expire in less than 90 days. Now, I’m sure there’s a way to automate this entire process even using the certbot manual mode, but that’s a project for another day. Maybe I will have that problem solved before October 🙂

edit: it looks like the snap version of certbot creates a scheduled task which will autorun the ‘certbot renew’ command, so I might not have to worry about it after all! Guess we’ll find out…

*9/30/2023 update: Unfortunately, certbot renew cannot work with the manual method unless your hosting provider allows you to modify DNS records via API or some other remote method which could be implemented with the --manual-auth-hook method. Hostinger DNS records can unfortunately only be modified via their GUI.

Leave a comment if you found this helpful!