Updating Dell VxRail with Custom Certificates (Customer Correctable)

vSphere uses certificates to:

• Encrypt communications between two nodes, such as vCenter Server and an ESXi host.
• Authenticate vSphere services.
• Perform internal actions such as signing tokens.

vSphere's internal certificate authority, VMware Certificate Authority (VMCA), provides all the certificates necessary for vCenter Server and ESXi. VMCA is installed on every Platform Services Controller, immediately securing the solution without any other modification. Keeping this default configuration provides the lowest operational overhead for certificate management. vSphere provides a mechanism to renew these certificates in the event they expire.

vSphere also provides a mechanism to replace certain certificates with your own certificates. However, it is advised to replace only the SSL certificate that provides encryption between nodes, to keep your certificate management overhead low.

Custom Certificate Integration

The vSphere environment is flexible to give the customers the opportunity to work with custom SSL certificates, as their company policies sometimes mandate that. The following steps walk you through changing certificates for various components in a VxRail environment.

1. Replacing VxRail Manager's self-signed certificate
   • This procedure is accessible on the SolVe online portal. Go to 'How To' Procedures > 'How To' Change other VxRail Cluster settings > Choose your current VxRail Manager version > Replace the VxRail Manager SSL Certificate, then generate the procedure. If you do not have access to that portal, contact Dell support. For guidance on creating the Certificate Signing Request and modifying the received cert files, see KB article VxRail: How to apply for a new certificate for VxRail Manager.
2. Replacing vCenter Server certificates using a Custom Certificate Authority (CA) Signed Certificate
   • Follow the guide available at VMware: Generate Certificate Signing Requests with vSphere Certificate Manager (Custom Certificates).
   • For a better overview on the process of certificate replacement using Certificate Manager, see VMware KB Replacing a vSphere 6.x /7.x Machine SSL certificate with a Custom Certificate Authority Signed Certificate (2112277).
   • To illustrate how to generate a custom signed certificate using PSC, see KB article Dell VxRail: How to Generate CSR (cert signing request) and private keys on PSC.
3. Manually reestablishing trust between VxRail Manager and vCenter Server after custom certificate integration
   • Upon replacement of vCenter Server certificates, the new ones should be manually updated on VxRail Manager VM to allow reestablishment of trust between both entities. To achieve that, follow KB article VxRail: How to manually import vCenter SSL certificate on VxRail Manager.
4. Replacing ESXi host SSL certificates
   • Requirements for ESXi Certificate Signing Requests are available at VMware at https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.vsphere.security.doc/GUID-0AE0B563-59D6-45A5-BF46-6FE68607687B.html.
   • To switch to using custom certificates on the ESXi hosts in a vSAN environment, follow VMware KB Adding Custom Certificate on ESXi hosts through CLI (56441). It is always preferred to take a backup of the old ESXi certificates outside of the host (using clients like WinSCP for example) to be able to revert in case any issues occurred within the replacement process.
5. Replacing vRealize Log Insight certificates
   • Follow the guide available at https://docs.vmware.com/en/vRealize-Log-Insight/4.5/com.vmware.log-insight.administration.doc/GUID-93E0A9FA-9C72-47AE-9E54-9982F4604FE1.html.

If you face any issues during certificate replacement, reach out to Dell support for assistance.

• Dell EMC VxRail: Requirements for VxRail Manger SSL certificate in mTLS enabled cluster
• Dell EMC VxRail: Cannot log in to vCenter with error 500 SSO. PSC&VC certificates expired and failed to renew.