Lately we have been testing vSphere 6.0 quite extensively, including trying to work out the right approach to one of its new features, the VMCA. Until now we have successfully used our own local (Microsoft) CA. Taking the next step VMware suggests, running the VMCA as a subordinate CA of our own, complicated certificate management for us a little (as it probably did for all of you). Since the Certificate Manager is not very convenient to use when generating certificates for VMs or services, I personally recommend my own CA script: simply initialise a new intermediate CA in this script and then copy the certificate and key (root_signing_cert) from the VMCA into my CA. Speed and ease of use are much better (especially when we need to generate and install certificates on ESXi hosts).
This article, however, is about another problem we ran into. It concerns both the vCSA and vCenter installed on Windows. After generating a new certificate for vCenter signed by our CA (option 2 in Certificate Manager, Custom Signing Certificate) and restarting the services, it turned out that there were serious problems with the ESX Agent Manager (EAM). It was enough to go in the vSphere Web Client to Administration -> vCenter Server Extension -> vSphere ESX Agent Manager -> Solution to see the message “HTTP Status 500 – NoVCenterConnection”:
In the EAM log (/storage/log/vmware/eam/eam.log) entries appear indicating that EAM cannot log in to vCenter.
It turned out that this is caused by the certificate not being replaced properly in EAM when the vCenter services are restarted. Fortunately there is a corresponding KB; the solution is simple, but it requires one more restart of vCenter:
After the reboot, everything returns to normal.