Internal certificate authority (CA) SSL Cert (root+intermediate chain) Minting Process

Document created by menkowski (Expert) on Oct 22, 2015. Last modified by fran.schwarzmann on Aug 15, 2016.
Version 2

Internal certificate authority (CA) - Ex. Microsoft, Venafi


Issue - Out of the box a self-signed cert is issued. This also gives end users the scary click-through message:

"Your connection is not private. Attackers might be trying to steal your information from (for example, passwords, messages, or credit cards). NET::ERR_CERT_AUTHORITY_INVALID"



  1. Log in to your internal CA and mint a cert for the FQDN of the VTM instance.
  2. Download the cert in PKCS 12 format. Make sure the root chain and private key options are checked. Type in a password.
  3. Convert the PKCS 12 cert into .pem format. RDP into a Windows 2008/2012 server. Copy the tool located on the Windows vCenter ISO and extract it.
  4. Copy the .pfx file into the openssl folder.
    ex.  \Desktop\ssl-certificate-updater-tool-1308332\tools\openssl\
  5. Open a command prompt as admin (Start / cmd / right-click the command prompt icon) and change into the openssl directory.
  6. Extract the private key and chain. Type in openssl and hit enter. Then type in the following with the correct name of your pfx file (the options take plain hyphens; a pasted en-dash such as –nodes is not recognized):
    pkcs12 -in ***.pfx -out privatekey.pem -nodes -nocerts
    pkcs12 -in ***.pfx -out chain.pem -nodes -nokeys
  7. Edit the privatekey.pem file. Remove the 6 lines of text above -----BEGIN RSA PRIVATE KEY-----
  8. Rename the privatekey.pem file to private.key.
  9. Edit the chain.pem file. Remove the same kind of header text wherever it appears above and below the -----END CERTIFICATE----- lines, so that only the BEGIN/END CERTIFICATE blocks remain. Your chain.pem should have 78 lines of text when you are done.
  10. The structure of the chain.pem should be:
    Lines 1-25 = root cert
    Lines 26-51 = intermediate cert
    Lines 52-78 = hostname cert
  11. Create a new rootca.crt file from lines 1-25. Open the rootca.crt file to validate it.
  12. Create a new intermediate.crt file from lines 26-51.
  13. Create a new host.crt file from lines 52-78.
  14. SSH into the VMTurbo server and back up the vhost-ssl file:
    cp /etc/apache2/vhosts.d/vhost-ssl /etc/apache2/vhosts.d/vhost-ssl.bak
  15. Edit vhost-ssl so the SSL directives point at the new files:
    SSLCertificateFile: change /etc/apache2/ssl.crt/server.crt to /etc/apache2/ssl.crt/host.crt
    SSLCertificateKeyFile: change /etc/apache2/ssl.key/server.key to /etc/apache2/ssl.key/private.key
    SSLCACertificateFile /etc/apache2/ssl.crt/rootca.crt
    SSLCertificateChainFile /etc/apache2/ssl.crt/intermediate.crt
  16. Save the vhost-ssl file in vi, or upload it via WinSCP to /etc/apache2/vhosts.d/.
  17. WinSCP the 3 files (host.crt, rootca.crt, intermediate.crt) from your PC to /etc/apache2/ssl.crt/.
  18. WinSCP private.key from your PC to /etc/apache2/ssl.key/.
  19. Restart the web server service:
    service httpd restart
  20. Validate the URL and click on the lock icon.
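Steps 6 through 13 above, plus the check most people skip, as an added shell example (this is not from the original document and not VMTurbo's own tooling). It runs the two pkcs12 commands, strips the Bag Attributes text that openssl pkcs12 prints around each PEM block, and then goes one step beyond the document: instead of relying on line positions 1-25 / 26-51 / 52-78 it sorts the certificates by subject and issuer (self-signed = root, public key matching the private key = host, the rest = intermediate), because the export order from a CA is not always root, intermediate, host. It finishes with openssl verify and a key-to-certificate match, which is the validation worth doing before touching vhost-ssl. It is written for the Linux side (the VMTurbo server or any machine with openssl), not for the Windows command prompt in step 5, and assumes an OpenSSL command line (1.1 or 3.x) on the PATH and a POSIX shell. The throwaway PKI it builds for the demo (subjects "Example Test Root", "Example Test Intermediate", "vtm.example.test", password "secret") and every file name are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original document. Automates steps 6-13 of the
# procedure and adds the check a practitioner wants before editing vhost-ssl:
# does the chain verify, and does private.key belong to host.crt? Assumes an
# OpenSSL CLI (1.1 or 3.x) on PATH and POSIX sh; every name below (test CA
# subjects, vtm.example.test, file names) is constructed for this example.
set -eu

# Step 9 by machine: keep only BEGIN/END CERTIFICATE blocks, dropping the
# "Bag Attributes" / subject / issuer text that openssl pkcs12 prints around
# them, and write one file per certificate (cert1.pem, cert2.pem, ...).
split_pem_certs() {   # $1 = chain.pem, $2 = output dir
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem"; keep = 1 }
        keep { print > out }
        /-----END CERTIFICATE-----/   { keep = 0; close(out) }' "$1"
}

# Steps 10-13, but by content rather than by line position: the export order
# differs between CAs, so lines 1-25 are not always the root.
#   subject == issuer                  -> rootca.crt
#   public key matches private.key     -> host.crt
#   everything else                    -> intermediate.crt (appended, may be several)
classify_certs() {    # $1 = work dir holding cert*.pem and private.key
    dir=$1
    keypub=$(openssl pkey -in "$dir/private.key" -pubout)
    : > "$dir/intermediate.crt"
    for c in "$dir"/cert*.pem; do
        subj=$(openssl x509 -in "$c" -noout -subject)
        iss=$(openssl x509 -in "$c" -noout -issuer)
        pub=$(openssl x509 -in "$c" -noout -pubkey)
        if [ "${subj#subject=}" = "${iss#issuer=}" ]; then
            cp "$c" "$dir/rootca.crt"
        elif [ "$pub" = "$keypub" ]; then
            cp "$c" "$dir/host.crt"
        else
            cat "$c" >> "$dir/intermediate.crt"
        fi
    done
}

# Steps 6-8: the two pkcs12 commands from the document (with plain hyphens),
# then strip the header lines from the key file and split the chain.
extract_pfx() {       # $1 = .pfx file, $2 = its password, $3 = work dir
    openssl pkcs12 -in "$1" -passin "pass:$2" -nodes -nocerts -out "$3/privatekey.pem"
    openssl pkcs12 -in "$1" -passin "pass:$2" -nodes -nokeys  -out "$3/chain.pem"
    awk '/-----BEGIN/ { keep = 1 } keep { print } /-----END/ { keep = 0 }' \
        "$3/privatekey.pem" > "$3/private.key"
    split_pem_certs "$3/chain.pem" "$3"
    classify_certs "$3"
}

# The check worth running before step 14: host.crt must chain to rootca.crt
# through intermediate.crt, and private.key must be the key for host.crt.
validate_chain() {    # $1 = work dir; returns 1 if either check fails
    d=$1
    if [ -s "$d/intermediate.crt" ]; then
        openssl verify -CAfile "$d/rootca.crt" -untrusted "$d/intermediate.crt" \
            "$d/host.crt" >/dev/null || return 1
    else
        openssl verify -CAfile "$d/rootca.crt" "$d/host.crt" >/dev/null || return 1
    fi
    [ "$(openssl x509 -in "$d/host.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$d/private.key" -pubout)" ] || return 1
}

# Constructed stand-in for the CA export of steps 1-2: a throwaway
# root -> intermediate -> host chain bundled into a password-protected .pfx.
make_test_pfx() {     # $1 = work dir, $2 = password; prints the .pfx path
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:vtm.example.test\n' > "$d/host.ext"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Test Root" \
        -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 \
        -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Test Intermediate" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=vtm.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
        -CAcreateserial -days 1 -extfile "$d/host.ext" -out "$d/leaf.crt" 2>/dev/null
    cat "$d/int.crt" "$d/root.crt" > "$d/bundle.pem"
    openssl pkcs12 -export -in "$d/leaf.crt" -inkey "$d/leaf.key" \
        -certfile "$d/bundle.pem" -passout "pass:$2" -out "$d/test.pfx"
    echo "$d/test.pfx"
}

# Stand-alone demo: `sh this_script.sh demo`. Against a real export, call
# extract_pfx yourfile.pfx 'password' workdir && validate_chain workdir instead.
if [ "${1:-}" = "demo" ]; then
    w=$(mktemp -d)
    extract_pfx "$(make_test_pfx "$w" secret)" secret "$w"
    validate_chain "$w" && echo "chain and key OK, files are in $w"
fi
```

Once validate_chain passes, the four files in the work directory (rootca.crt, intermediate.crt, host.crt, private.key) are exactly what steps 15 through 18 expect; if it fails, fix the export or the password before editing vhost-ssl, since Apache will otherwise refuse to start or serve an incomplete chain.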


Rollback plan

  1. Delete the vhost-ssl file located in /etc/apache2/vhosts.d/.
  2. Rename vhost-ssl.bak to vhost-ssl.
    The .bak file has different file names for the SSLCertificateFile and SSLCertificateKeyFile.
  3. Restart the web server service:
    service httpd restart