vmdir (VMware Directory Service) is the vCenter component that listens on ports 389 (LDAP) and 636 (LDAPS).
We start by creating a new configuration file called vmdir.cfg with the content below (replace the values under v3_req and req_distinguished_name with the ones appropriate to your environment; the subjectAltName must list every DNS name and IP address clients use to reach the PSC):
[ req ]
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:false
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = DNS:psc1.domain.com, DNS:psc1, IP: x.x.x.x
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = State
localityName = City
0.organizationName = Company
organizationalUnitName = Department
commonName = psc1.domain.com
Using openssl, create the private key and the CSR from the above configuration (encrypt_key = no produces an unencrypted key, which is what vmdir needs):
"%VMWARE_OPENSSL_BIN%" req -new -out c:\cert\vmdir.csr -newkey rsa:2048 -keyout c:\cert\vmdir.key -config c:\cert\vmdir.cfg
If the solution user certificates are signed by a CA certificate, sign this CSR with the same issuing CA; otherwise, sign it with the VMCA using the instructions below. The new certificate must chain to the root that the other vCenter components already trust.
Signing the CSR with the VMCA certificate.
- Copy root.cer and privatekey.pem from C:\ProgramData\VMware\vCenterServer\data\vmca (appliance: /var/lib/vmware/vmca/) to c:\cert\. privatekey.pem is the VMCA's signing key: keep the copy readable only by you and delete it once the certificate has been signed.
Run the below command to sign the CSR:
"%VMWARE_OPENSSL_BIN%" x509 -req -days 3650 -in c:\cert\vmdir.csr -out c:\cert\vmdir_signed.crt -CA c:\cert\root.cer -CAkey c:\cert\privatekey.pem -extensions v3_req -CAcreateserial -extfile c:\cert\vmdir.cfg
Now we have a certificate that can be used to replace the existing vmdir certificate. Check that vmdir_signed.crt chains to root.cer and that it matches vmdir.key before touching the live files. To proceed with the certificate replacement, stop all vCenter services:
service-control --stop --all
Note: on Windows, run this from the path "C:\Program Files\VMware\vCenter Server\bin".
- Go to the path C:\ProgramData\VMware\vCenterServer\cfg\vmdird (appliance: /usr/lib/vmware-vmdir/share/config/)
- Back up the original certificate and key, vmdircert.pem and vmdirkey.pem, to a temp directory
- Copy vmdir_signed.crt into that directory as vmdircert.pem and vmdir.key as vmdirkey.pem, keeping the same file permissions as the originals
Start all services
service-control --start --all
Note: if the services fail to start (most likely the inventory service), it usually means the wrong root certificate was used when signing. Restore the original files to the directory and restart the services to roll back to the previous configuration.
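The whole procedure above as shell functions for the vCenter appliance, with the checks worth running before services are stopped (wrong signing root, key/certificate mismatch, SAN dropped during signing). This is an added example, not code from the original post or from VMware: WORK is an assumed scratch directory standing in for the post's c:\cert; CA_DIR and VMDIR_CFG_DIR are the appliance paths given in the post; make_demo_root builds a throwaway root and the SAN values in demo are constructed so the flow can be rehearsed offline. On a real PSC you would pass $CA_DIR/root.cer and privatekey.pem to sign_with_vmca instead.

```shell
#!/usr/bin/env bash
# Added example (not the post's code): CSR -> sign -> pre-flight checks -> replace,
# for the vCenter appliance. WORK is an assumed scratch dir (the post's c:\cert);
# CA_DIR and VMDIR_CFG_DIR are the appliance paths from the post. make_demo_root is
# a constructed stand-in for VMCA's root.cer/privatekey.pem so this runs offline.
set -eu

WORK="${WORK:-/tmp/vmdir-cert}"
CA_DIR="${CA_DIR:-/var/lib/vmware/vmca}"
VMDIR_CFG_DIR="${VMDIR_CFG_DIR:-/usr/lib/vmware-vmdir/share/config}"

write_cfg() {  # write_cfg <commonName> "<subjectAltName list>"  -> $WORK/vmdir.cfg
  mkdir -p "$WORK"
  cat > "$WORK/vmdir.cfg" <<EOF
[ req ]
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:false
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = $2
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = State
localityName = City
0.organizationName = Company
organizationalUnitName = Department
commonName = $1
EOF
}

make_csr() {  # 2048-bit RSA key (unencrypted, as encrypt_key = no requires) plus CSR
  openssl req -new -newkey rsa:2048 -keyout "$WORK/vmdir.key" \
    -out "$WORK/vmdir.csr" -config "$WORK/vmdir.cfg" 2>/dev/null
}

sign_with_vmca() {  # sign_with_vmca <root.cer> <privatekey.pem>; copies both so root.srl lands in $WORK
  cp "$1" "$WORK/root.cer"; cp "$2" "$WORK/privatekey.pem"; chmod 600 "$WORK/privatekey.pem"
  openssl x509 -req -days 3650 -in "$WORK/vmdir.csr" -out "$WORK/vmdir_signed.crt" \
    -CA "$WORK/root.cer" -CAkey "$WORK/privatekey.pem" -CAcreateserial \
    -extfile "$WORK/vmdir.cfg" -extensions v3_req 2>/dev/null
}

# Returns 1 if the cert does not chain to the given root (the "services fail to start"
# case in the post), 2 if vmdir.key does not match the cert, 3 if the SAN was lost.
verify_bundle() {  # verify_bundle <root.cer> <DNS name that must appear in the SAN>
  openssl verify -CAfile "$1" "$WORK/vmdir_signed.crt" >/dev/null 2>&1 || return 1
  local kmod cmod text
  kmod=$(openssl rsa  -noout -modulus -in "$WORK/vmdir.key" 2>/dev/null)
  cmod=$(openssl x509 -noout -modulus -in "$WORK/vmdir_signed.crt")
  [ "$kmod" = "$cmod" ] || return 2
  text=$(openssl x509 -noout -text -in "$WORK/vmdir_signed.crt")
  case "$text" in *"DNS:$2"*) return 0 ;; *) return 3 ;; esac
}

install_vmdir_cert() {  # run only after `service-control --stop --all`; prints the backup dir
  local bak="$WORK/backup-$(date +%Y%m%d%H%M%S)"
  mkdir -p "$bak"
  cp "$VMDIR_CFG_DIR/vmdircert.pem" "$VMDIR_CFG_DIR/vmdirkey.pem" "$bak/"
  cp "$WORK/vmdir_signed.crt" "$VMDIR_CFG_DIR/vmdircert.pem"
  cp "$WORK/vmdir.key"        "$VMDIR_CFG_DIR/vmdirkey.pem"
  chmod 600 "$VMDIR_CFG_DIR/vmdirkey.pem"
  echo "$bak"
}

rollback_vmdir_cert() {  # rollback_vmdir_cert <backup dir>, then service-control --start --all
  cp "$1/vmdircert.pem" "$1/vmdirkey.pem" "$VMDIR_CFG_DIR/"
}

make_demo_root() {  # make_demo_root <dir> <CN>: constructed stand-in for root.cer/privatekey.pem
  mkdir -p "$1"
  printf '[ req ]\ndistinguished_name = dn\nprompt = no\nencrypt_key = no\nx509_extensions = v3_ca\n[ dn ]\ncommonName = %s\n[ v3_ca ]\nbasicConstraints = critical,CA:true\nkeyUsage = keyCertSign, cRLSign\nsubjectKeyIdentifier = hash\n' "$2" > "$1/ca.cfg"
  openssl req -x509 -new -newkey rsa:2048 -days 365 -keyout "$1/privatekey.pem" \
    -out "$1/root.cer" -config "$1/ca.cfg" 2>/dev/null
}

demo() {  # offline rehearsal: sign with the throwaway root, then show the wrong-root rejection
  make_demo_root "$WORK/demo-ca" "Demo VMCA"
  make_demo_root "$WORK/other-ca" "Unrelated CA"
  write_cfg psc1.domain.com "DNS:psc1.domain.com, DNS:psc1, IP:10.0.0.5"  # constructed SANs
  make_csr
  sign_with_vmca "$WORK/demo-ca/root.cer" "$WORK/demo-ca/privatekey.pem"
  verify_bundle "$WORK/demo-ca/root.cer" psc1.domain.com && echo "new vmdir cert checks out"
  verify_bundle "$WORK/other-ca/root.cer" psc1.domain.com || echo "wrong root rejected (rc=$?)"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `bash vmdir-cert.sh demo` to rehearse against the throwaway root. On the appliance, call write_cfg, make_csr and sign_with_vmca with the real root, then verify_bundle against $CA_DIR/root.cer; only when that returns 0 stop the services, run install_vmdir_cert, and start them again. If they still fail to start, rollback_vmdir_cert with the directory install_vmdir_cert printed restores the previous files.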
Thank you so much for this! Replacing the other certs in the GUI or via certificate-manager, and the STS certificates, don't cover replacing this one.