Introduction
Importing a vCenter root certificate into SDDC Manager is a critical step when working with VMware Cloud Foundation (VCF) 5.2 or later to convert or import existing vSphere environments into VCF. Proper certificate management ensures secure communication between vCenter and the SDDC Manager components while using the VCF Import tool. This guide walks you through the manual process of importing and refreshing trusted root certificates in VMware environments.
Prerequisites
- SSH access to your vCenter Server and SDDC Manager.
- Admin privileges on the VMware environment.
- Understanding of certificate management and SSL security.
When Is This Process Required?
This process is necessary when:
- Importing vCenter root certificates into SDDC Manager.
- Integrating vSphere environments into VMware Cloud Foundation 5.2 or later.
- Ensuring secure communication between vCenter and SDDC Manager components.
Properly importing root certificates ensures seamless and secure integration of VMware environments.
Step-by-Step Guide
1. Access the vCenter Server via SSH
Log into your vCenter server using SSH as a root or administrative user.
2. Obtain the Root Certificate
For Default VMware Certificates:
Run the following command to extract the root certificate:
/usr/lib/vmware-vmca/bin/certool --getrootca --cert=/tmp/root.cer
For Custom Certificates:
List all entries in the trusted root store:
/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store trusted_roots
Locate the certificate you want in the list (each entry is shown with its alias), then paste its PEM contents (from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----) into a file in a temporary directory on SDDC Manager:
vi /tmp/root.cer
3. Retrieve the Trusted Certificates Key
The remaining steps are run on SDDC Manager. Read the password of the SDDC Manager trust store from its key file and keep it in a shell variable for the following commands:
pass=$(cat /etc/vmware/vcf/commonsvcs/trusted_certificates.key)
4. Import the Certificate into the Trusted Certificate Store
Use the keytool utility to import the certificate into the SDDC Manager’s trusted store:
keytool -importcert -alias <aliasname> -file <certificate file> -keystore /etc/vmware/vcf/commonsvcs/trusted_certificates.store -storepass <trust store key>
Example:
keytool -importcert -alias new_mgmt_root -file /tmp/root.cer -keystore /etc/vmware/vcf/commonsvcs/trusted_certificates.store -storepass $pass
5. Import the Certificate into the cacerts Store
Import the same certificate into the Java cacerts store of the JRE used by SDDC Manager (the default store password is changeit):
keytool -importcert -alias <aliasname> -file <certificate file> -keystore /etc/alternatives/jre/lib/security/cacerts -storepass changeit
Example:
keytool -importcert -alias new_mgmt_root -file /tmp/root.cer -keystore /etc/alternatives/jre/lib/security/cacerts -storepass changeit
6. Verify the Certificate
Confirm the certificate was imported by listing the trust store and looking for the alias you used:
keytool -list -v -keystore /etc/vmware/vcf/commonsvcs/trusted_certificates.store -storepass $pass | less
7. Refresh the Trusted Certificates via SDDC Manager API
After importing the certificate, make SDDC Manager reload its trusted certificates with the following API call (run on SDDC Manager):
curl -X POST localhost/appliancemanager/trustedCertificates/refresh
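The following script is an added example and is not part of the original post or of VMware's tooling. It strings steps 3 to 7 together: it sanity-checks the pasted PEM file, prints its SHA-256 fingerprint so you can compare it with what vCenter shows, imports the certificate into both stores, verifies that the alias is present in each before calling the refresh API, and stops at the first failure instead of silently continuing. It assumes it is run as root on SDDC Manager, that the certificate file has already been copied there as in step 2, and that the alias name (new_mgmt_root in the usage line) is one you choose.

```shell
#!/bin/sh
# Added example (not from the original post): import a vCenter root CA into
# both SDDC Manager trust stores and verify each import before refreshing.
# Assumptions: runs as root on SDDC Manager; the PEM file was already copied
# there; the alias is hypothetical and chosen by the operator.

TRUST_STORE=/etc/vmware/vcf/commonsvcs/trusted_certificates.store
TRUST_KEY=/etc/vmware/vcf/commonsvcs/trusted_certificates.key
CACERTS=/etc/alternatives/jre/lib/security/cacerts

# pem_cert_count FILE: prints the number of PEM certificate blocks in FILE and
# fails if there are none. A hand-pasted root CA file should contain exactly
# one; zero usually means an empty or truncated paste.
pem_cert_count() {
  n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true)
  n=${n:-0}
  printf '%s\n' "$n"
  [ "$n" -gt 0 ]
}

# alias_in_listing ALIAS LISTING: succeeds if the non-verbose output of
# "keytool -list" held in LISTING has a trustedCertEntry line for ALIAS.
# keytool prints one such line per entry:  <alias>, <date>, trustedCertEntry,
alias_in_listing() {
  printf '%s\n' "$2" | grep -q -- "^$1, .*trustedCertEntry"
}

# cert_fingerprint FILE: prints the SHA-256 fingerprint of the certificate so
# it can be compared with the fingerprint shown on vCenter before trusting it.
cert_fingerprint() {
  openssl x509 -noout -fingerprint -sha256 -in "$1"
}

# import_root_ca ALIAS FILE: the guide's import, verify and refresh steps.
import_root_ca() {
  ca_alias="$1"
  cert="$2"

  pem_cert_count "$cert" >/dev/null || { echo "no PEM certificate in $cert" >&2; return 1; }
  echo "importing $cert as '$ca_alias': $(cert_fingerprint "$cert")"

  pass=$(cat "$TRUST_KEY")

  # -noprompt answers keytool's "Trust this certificate?" question.
  keytool -importcert -noprompt -alias "$ca_alias" -file "$cert" \
    -keystore "$TRUST_STORE" -storepass "$pass"
  keytool -importcert -noprompt -alias "$ca_alias" -file "$cert" \
    -keystore "$CACERTS" -storepass changeit

  # Verify both stores now, so a failed import is caught here rather than as
  # a TLS error between SDDC Manager and vCenter later.
  alias_in_listing "$ca_alias" "$(keytool -list -keystore "$TRUST_STORE" -storepass "$pass")" \
    || { echo "alias '$ca_alias' missing from $TRUST_STORE" >&2; return 1; }
  alias_in_listing "$ca_alias" "$(keytool -list -keystore "$CACERTS" -storepass changeit)" \
    || { echo "alias '$ca_alias' missing from $CACERTS" >&2; return 1; }

  # Ask SDDC Manager to reload its trusted certificates.
  curl -s -X POST localhost/appliancemanager/trustedCertificates/refresh
  echo
}

# Usage: sh import_root_ca.sh new_mgmt_root /tmp/root.cer
if [ "$#" -eq 2 ]; then
  import_root_ca "$1" "$2"
fi
```

The two helper functions are deliberately pure shell so they can be checked without keytool: pem_cert_count catches the common mistake of an empty or half-pasted root.cer before any store is touched, and alias_in_listing is the scripted form of the manual "look for your alias" check in step 6. Compare the printed fingerprint with the one vCenter shows for the same root before running the import.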
Linking to Resources
For more details on VMware certificate management, see the official VMware documentation. To learn more about VCF 5.2, see the VMware Cloud Foundation documentation and the VCF Import documentation.
Conclusion
By following this guide, you can successfully import a vCenter root certificate into SDDC Manager for VMware VCF 5.2 or later. This process is critical to maintaining secure and reliable communication between VMware components, ensuring seamless integration and operational efficiency.
Pro Tip: Regularly verify and update certificates to maintain compliance and prevent connectivity issues.
Need further assistance? Comment below or reach out to the VMware community forums!
Share this guide with your team to simplify VMware certificate management for VCF 5.2 and beyond!
Hope you find this useful. Thanks for reading, and keep sharing.