Generate Certificates with Enterprise CA in VCF Ops 9.1

This article is on How to Generate Certificates using your Enterprise CA and updating the certificate on VCF Operations version 9.1

First, we login into the VCF Ops Web UI, go to the Manage option, click on Certificates on the left side of the page, Click on VCF Managent option, select the VCF Operations on the right side of the page, click on the 3 dots and click on “Generate CSRs” option.

This will pop up another window in which you can provide all the details of the Certificate you require like the following:

Organization Name, Organization Unit, Country, State, Locality, Email Address, Certificate Key Size (which is 2048 by default) etc.

The Mandatory ones to fill in are:

Appliance FQDN/IP address, Common Name, DNS/FQDN SAN Names and the ones with a red asterisk next to the field.

Once you fill in all the fields, click on Generate to generate the CSR

This will generate the CSR internally in VCF Ops

Once the CSR is generated, you click on the selected product (in this case VCF Operations), click the 3 dots again and click on the option to “Replace with Configured CA Certificate” as shown in the below screenshot

Follow the next steps to use the Microsoft CA which you have setup in the previous post – configure-enterprise-ca-in-vcf-operations-9.1

Click on Proceed option to replace the certificates on the VCF Operations, you can check the status of this on the Management Tasks page.

Once the task is completed, you will need to refresh the page to get the new certificate and you can go to the VCF Management, Certificates to check the Certificate Type to see that Microsoft CA is now mentioned instead of VMCA as shown in the below screenshot.

This Concludes this article on how to generate certificate from your enterprise CA and how to replace the certificate automatically on the VCF Operations.

NOTE: The names and FQDN’s have been Pixelated/Blurred for Privacy reasons, However the content is still true in the environment.

Disable vSphere Managed Object Browser (MOB)

To harden your ESXi 6.0 hosts, we disable the MOB service so that any attacker can’t get to the web browser and access the MOB of the ESXi host (ex: https://esxi01.lab.com/mob), this setting will disable one of the attack vectors of theESXi hosts in the environment.

to do this, you SSH into the ESXi host where you want to disable the mob service and perform the following commands

esxi01# vim-cmd proxysvc/remove_service "/mob" "httpsWithRedirect"

to verify if the mob service has been removed from the ESXi host, use the following command

esxi01# vim-cmd proxysvc/service_list

the above command will list all the services on the ESXi host, look for the service “/mob”, if you don’t see this service, then it has been removed. if it is still there, then you will have to perform the first command and reboot the ESXi host to disable the mob service from the host.