Configure TLS certificates for vCenter server
The vCenter Server and must establish a mutual trust relationship by validating their respective digitally signed certificates before KMIP connections can occur.
The steps you performed in the preceding sections established vCenter's trust of the . The steps in this section establish the trust of vCenter.
To do this, generate a Certificate Signing Request (CSR) in the vCenter Server system with the vSphere Client, sign the CSR using the Certificate Authority (CA) created on the KMES, and import the signed certificate back into the vCenter Server system with the vSphere Client.
After this, vCenter Server and the can establish a TCP/IP session secured by TLS, making it possible for KMIP connections, and therefore encryption operations, to occur.
Log in to the vCenter Server system with the vSphere Client.
Browse the inventory list and select the vCenter Server instance.
Select [ Configure ] and select Key Providers under Security.
Select the New Certificate Signing Request (CSR) method and select [ Next ].
Select [ Done ].
Go to PKI > Certificate Authorities.
Right-click the System TLS Root CA certificate you configured in the Configure TLS certificates for the KMIP port on the KMES Series 3 section and select Add Certificate > From Request.
In the file browser, find and select the vCenter CSR.
On the V3 Extensions tab, select the TLS Client Certificate profile.
Select [ OK ] to finish.
The signed vCenter certificate now displays under the System TLS Root CA certificate.
Go to PKI > Certificate Authorities.
Right-click on the vCenter certificate and select Export > Certificate(s).
In the Export Certificate window, change the encoding to PEM and select [ Browse ].
In the file browser, go to the location where you want to save the certificate. Specify a name for the file and select [ Open ].
Log in to the vCenter Server system with the vSphere Client.
Browse the inventory list and select the vCenter Server instance.
Select [ Configure ] and select Key Providers under Security.
Select [ Upload A File ], then find and select the signed vCenter certificate in the file browser.
The content of the certificate should populate in the window.
Select [ Upload ].
The Connection Status column should now have a green checkmark and say Connected. The vCenter Certificate and KMS Certificate columns should also show green checkmarks, with certificate validity dates sometime in the future.
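The following script is an added example, not part of the original procedure or of either product: it checks an exported PEM certificate with OpenSSL before it is uploaded, confirming that it chains to the root CA, carries the client-authentication extended key usage, and was issued for the key in the CSR. It assumes that the TLS Client Certificate profile sets the clientAuth EKU; all file names and the lab PKI built by `make_demo_pki` are constructed stand-ins for the System TLS Root CA, the vCenter CSR and the signed certificate.

```shell
#!/bin/sh
# Added example: pre-upload checks on a signed client certificate.
# File names and the lab PKI below are constructed, not taken from the page.

# check_signed_cert CERT CA_CERT CSR
# Returns 0 = ok, 1 = chain or validity, 2 = no clientAuth EKU, 3 = key differs from CSR.
check_signed_cert() {
    cert=$1; ca=$2; csr=$3
    # Chain and validity period, trusting only the issuing root.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $ca"; return 1
    fi
    # Assumption: the client certificate profile yields the clientAuth EKU.
    if ! openssl x509 -in "$cert" -noout -text |
            grep -q "TLS Web Client Authentication"; then
        echo "FAIL: $cert lacks the clientAuth extended key usage"; return 2
    fi
    # The certificate must carry the public key from the CSR that was submitted.
    cert_key=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    csr_key=$(openssl req -in "$csr" -noout -pubkey | openssl sha256)
    if [ "$cert_key" != "$csr_key" ]; then
        echo "FAIL: $cert was not issued for the key in $csr"; return 3
    fi
    echo "OK: $cert"
}

# make_demo_pki DIR: constructed root CA, CSR, and two signed results (one wrong EKU).
make_demo_pki() {
    d=$1
    printf '[req]\ndistinguished_name=dn\nx509_extensions=v3\n[dn]\nCN=placeholder\n[v3]\nbasicConstraints=critical,CA:TRUE\n' > "$d/lab.cnf"
    openssl req -x509 -config "$d/lab.cnf" -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Constructed Lab Root CA" -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -new -config "$d/lab.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=vcenter.lab.example" -keyout "$d/vc.key" -out "$d/vc.csr" 2>/dev/null
    for usage in clientAuth serverAuth; do
        printf 'extendedKeyUsage=%s\n' "$usage" > "$d/$usage.ext"
        openssl x509 -req -in "$d/vc.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
            -set_serial 1 -days 30 -extfile "$d/$usage.ext" -out "$d/$usage.pem" 2>/dev/null
    done
}

demo() {
    d=$(mktemp -d) && make_demo_pki "$d"
    check_signed_cert "$d/clientAuth.pem" "$d/ca.pem" "$d/vc.csr"
    check_signed_cert "$d/serverAuth.pem" "$d/ca.pem" "$d/vc.csr" || echo "(rejected, status $?)"
    rm -rf "$d"
}
demo
```

For a real deployment, call `check_signed_cert` with the exported signed certificate, the exported root CA certificate and the CSR file saved from vCenter.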