# Configure TLS certificates for vCenter Server
The vCenter Server and the {{k3}} must establish a mutual trust relationship by validating each other's digitally signed certificates before KMIP connections can occur. The steps you performed in the preceding sections established vCenter's trust of the {{k}}; the steps in this section establish the {{k}} trust of vCenter. To do this, generate a certificate signing request (CSR) on the vCenter Server system with the vSphere Client, sign the CSR using the certificate authority (CA) created on the KMES, and import the signed certificate back into the vCenter Server system with the vSphere Client. After this, vCenter Server and the {{k3}} can establish a TCP/IP session secured by TLS, making it possible for KMIP connections, and therefore encryption operations, to occur.

## Generate a CSR with the vSphere Client

1. Log in to the vCenter Server system with the vSphere Client.
2. Browse the inventory list and select the vCenter Server instance.
3. Select [Configure], then select Key Providers under Security.
4. Select the {{k3}} key provider. The KMS for the key provider displays.
5. Select the {{k}} KMS, open the [Establish Trust] drop-down menu, and select Make KMS trust vCenter.
6. Select the New Certificate Signing Request (CSR) method and select [Next].
7. In the dialog box, select [Download] to download the CSR as a file. You must copy the CSR file to the storage medium configured for the {{k}}.
8. Select [Done].

## Sign the vCenter CSR using a certificate authority (CA) on the KMES

1. Log in to the {{k3}} application interface with the default Admin users.
2. Go to PKI > Certificate Authorities.
3. Right-click the System TLS root CA certificate you configured in the "Configure TLS certificates for the KMIP port on the KMES Series 3" section and select Add Certificate > From Request.
4. In the file browser, find and select the vCenter CSR.
5. On the Subject DN tab, change the Common Name value to a shorter string, such as vcenter. The Common Name of the certificate should match the name of the user created in the next section so that vCenter can authenticate to the {{k}} through TLS certificate authentication.
6. On the V3 Extensions tab, select the TLS Client Certificate profile.
7. Select [OK] to finish. The signed vCenter certificate now displays under the System TLS root CA certificate.

## Export the signed vCenter certificate

1. Go to PKI > Certificate Authorities.
2. Right-click the vCenter certificate and select Export > Certificate(s).
3. In the Export Certificate window, change the encoding to PEM and select [Browse].
4. In the file browser, go to the location where you want to save the certificate, specify a name for the file, and select [Open].
5. Select [OK]. A message displays stating that the PEM file was successfully written to the location that you specified.
6. Copy the signed vCenter certificate file from the {{k}} storage medium to the computer that accesses vCenter Server through the vSphere Client.

## Import the signed vCenter certificate into vCenter Server with the vSphere Client

1. Log in to the vCenter Server system with the vSphere Client.
2. Browse the inventory list and select the vCenter Server instance.
3. Select [Configure], then select Key Providers under Security.
4. Select the {{k3}} key provider. The KMS for the key provider displays.
5. Select the {{k}} KMS, open the [Establish Trust] drop-down menu, and select Upload signed CSR certificate.
6. Select [Upload a File], then find and select the signed vCenter certificate in the file browser. The content of the certificate should populate in the window.
7. Select [Upload]. The Connection Status column should now show a green checkmark and say Connected. The vCenter Certificate and KMS Certificate columns should also show green checkmarks, with certificate validity dates some time in the future.
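The signing and trust-validation steps above, as an added example using the Python `cryptography` library (not the page's, the KMES's or VMware's code): a constructed stand-in root CA signs a stand-in vCenter CSR, replacing the CN with the short KMES user name and applying a clientAuth profile, and `check_client_cert` runs the checks the final status columns depend on (chains to the trusted root, CN equals the user name, clientAuth EKU, currently valid). All CNs and validity periods are constructed and the function names are hypothetical.

```python
# Added example, not from the page or Futurex: all names, CNs and validity periods are constructed.
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

NOW = dt.datetime.now(dt.timezone.utc).replace(tzinfo=None)  # naive UTC, as cryptography returns

def _name(cn): return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _cert(subject_cn, issuer, pubkey, signing_key, exts, days=365):
    b = (x509.CertificateBuilder().subject_name(_name(subject_cn)).issuer_name(issuer)
         .public_key(pubkey).serial_number(x509.random_serial_number())
         .not_valid_before(NOW).not_valid_after(NOW + dt.timedelta(days=days)))
    for ext, critical in exts:
        b = b.add_extension(ext, critical)
    return b.sign(signing_key, hashes.SHA256())

def make_root_ca(cn="Constructed KMES Root CA"):
    key = rsa.generate_private_key(65537, 2048)  # stand-in for the System TLS root CA on the KMES
    return key, _cert(cn, _name(cn), key.public_key(), key,
                      [(x509.BasicConstraints(ca=True, path_length=None), True)], days=3650)

def make_vcenter_csr(cn="vcenter.lab.example.invalid"):
    key = rsa.generate_private_key(65537, 2048)  # stand-in for the CSR the vSphere Client downloads
    return x509.CertificateSigningRequestBuilder().subject_name(_name(cn)).sign(key, hashes.SHA256())

def sign_csr(csr, ca_key, ca_cert, new_cn, client_profile=True):
    """As in the KMES UI: keep the CSR's key, shorten the CN, apply the TLS client profile (clientAuth)."""
    eku = ExtendedKeyUsageOID.CLIENT_AUTH if client_profile else ExtendedKeyUsageOID.SERVER_AUTH
    return _cert(new_cn, ca_cert.subject, csr.public_key(), ca_key,
                 [(x509.BasicConstraints(ca=False, path_length=None), True),
                  (x509.ExtendedKeyUsage([eku]), False)])

def check_client_cert(cert, ca_cert, expected_user):
    problems = []  # an empty list means the PEM is ready to upload to vCenter
    try:  # issued by the root CA that vCenter already trusts from the earlier sections?
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
    except Exception:
        problems.append("not signed by the expected root CA")
    if (cn := cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value) != expected_user:
        problems.append(f"CN {cn!r} does not match user {expected_user!r}")  # needed for cert auth
    eku = next((e.value for e in cert.extensions if isinstance(e.value, x509.ExtendedKeyUsage)), [])
    if ExtendedKeyUsageOID.CLIENT_AUTH not in eku:
        problems.append("extendedKeyUsage lacks clientAuth (wrong V3 extensions profile)")
    if not cert.not_valid_before <= NOW <= cert.not_valid_after:
        problems.append("certificate is not currently valid")
    return problems
```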