39 Responses

  1. The Trouble with CA SSL Certificates and vCenter 5 « Long White Virtual Clouds

    […] article is a follow up to the one I posted previously regarding The Trouble with CA SSL Certificates and ESXi 5. This article will focus on successfully changing the default VMware SSL certificates on vCenter 5 […]

  2. Nick Evans

    Great post, Michael. During my VCAP4-DCA study I went through changing SSL certs and it's a lengthy process and, like you said, the documentation is all over the place!

    Will have to give it a blast in my lab.

    Reply
  3. Alain Dolbec

    Hi Michael,

    Thanks for sharing. I had to go through this myself, but I was able to go through my own CA using openssl. I now need to go through an approved CA and I have been trying to get the specific x509 certificate attributes (keyUsage) that need to be included in the CSR, but cannot find anything official about this. I set the attributes as they were in the self-signed ones but the CA will not keep all of those attributes.

    Did you see this specified somewhere? Does it matter?

    Thanks

    Alain

    Reply
    1. @vcdxnz001

      Hi Alain, I got the keyUsage requirements from the Update Manager KB and also the default certs. The other attributes were a combination of reviewing multiple documents and sources of information in addition to some trial and error. The keyUsage needs to be serverAuth and clientAuth.

      Reply
  4. Updating CA SSL Certificates in vSphere 5 « Long White Virtual Clouds

    […] The Trouble with CA SSL Certificates and ESXi 5 […]

  5. Why change VMware default self-signed SSL certs? « Long White Virtual Clouds

    […] SSL certs in a few of the VMware components, such as vCenter Server 5, vSphere Web Client, and ESXi 5 Hosts. All without any discussion about why you would want to do it at all. So why do you bother going to […]

  6. Best Order for Changing SSL Certs in vSphere Environments « Long White Virtual Clouds

    […] If you can update the SSL Certs on the ESXi Hosts before adding them into vCenter it will save you some time as you won’t have to fix the SSL thumbprints in the vCenter Database (refer to The Trouble with CA SSL Certificates and ESXi 5). […]

  7. Script: Fix SSL Issue VMware 5 | Robert's Blog

    […] get updated in the Database and many articles tell you how to fix it like the following article http://longwhiteclouds.com/2012/02/04/the-trouble-with-ca-ssl-certificates-and-esxi-5/ or […]

  8. vcpguy

    Hi, do we need to take all these steps if there is already an in-house PKI?

    Reply
    1. @vcdxnz001

      Yes, the steps are required when you are using an in-house PKI.

      Reply
  9. Geoff

    For anyone doing a 5.0.1 (U1) update, once the cert is replaced and you've come out of maintenance mode the HA agent will install but the status will be "election" until you disconnect and reconnect the host. As soon as it reconnects the status will change to connected (master or slave) and you're done. No need to run the HostReconnect script.

    Reply
    1. @vcdxnz001

      Hi Geoff,

      That procedure is for if you don't want to run the host reconnect script. Essentially the host reconnect script does the same thing. However, if you're on vCenter 5.0 U1 there is no need to even do that, as the bug that caused this problem is fixed.

      Reply
  10. Geoff

    OK, got it, thanks Michael. I never looked at the script – thought it was doing more than just a disconnect/reconnect. But it's interesting that my hosts stayed in "election" status until I disconnected and reconnected. Sounds like I shouldn't have needed to do this with U1?

    Reply
    1. @vcdxnz001

      Correct, the hosts should have been ok after exiting maintenance mode, as the expected SSL thumbprint should have been updated in the vCenter database.

      Reply
  11. Ryan

    Great post! We are using an internal CA. My question is, do we need to update the vCenter SSL cert first and then all of the hosts or does it matter?

    Reply
    1. @vcdxnz001

      Hi Ryan, the information you're looking for is contained in my article on the order to update the certificates. You can find all of my articles in the Updating CA SSL Certs in vSphere 5 article on the right hand side bar or at this location – http://longwhiteclouds.com/2012/02/24/updating-ca

      Reply
  12. Harry

    Can you advise if I am required to replace the SSL certificates on hosts after an upgrade (via Update Manager) from ESX 4.0 to ESX 5.0 Update 1?

    Thanks very much

    Reply
  13. Harry

    Thanks for coming back so quickly. I'm not fully understanding the 2048 bit comments and it may be down to the way I phrased the question (or my lack of SSL knowledge). The existing SSL certs on my ESX 4.0 hosts are 2048 bits so per your comment I shouldn't have to change them doing an upgrade to ESXi 5.0.

    It's the comment "Provided you’ve not installed the Microsoft Patch that requires 2048 bit SSL certs, then you also wouldn’t have to upgrade." that I'm confused with. I assume that is in reference to vCenter (i.e. Microsoft comment)? In my case I'm creating a new vCenter VM rather than an upgrade so I assumed I would require a new certificate for vCenter anyway.

    To summarise does that mean I could upgrade ESX 4.0 U1 hosts to ESXi 5.0 with no new certs required and only request new SSL cert for vCenter?

    One last question if you don't mind – if I decide on a clean install of ESXi 5.0 rather than an upgrade from ESX 4.0 U1, could I save my SSL certs beforehand and re-apply them, as the hosts are keeping the same FQDN (whereas the new VC is not)? Thanks again.

    Reply
  14. Harry

    Ah, got you. That's what I was hoping to hear and thanks for the heads up about Update 2 – interesting.

    Much appreciated

    Reply
  15. vCenter 5.1 Upgrade Planned? Verify SSL Certificate Checking | Wahl Network

    […] if you want more certificate goodness, check out fellow VCDX Michael Webster’s post on “The Trouble with CA SSL Certificates and ESXi 5” over at his blog. It came up when I was first searching on this error via Google and […]

  16. vCenter 5.1 Upgrade Planned? Verify SSL Certificate Checking « 1cloudroad.com 1cloudroad.com - An online community discussing the advantages of leveraging Cloud Computing

    […] if you want more certificate goodness, check out fellow VCDX Michael Webster’s post on “The Trouble with CA SSL Certificates and ESXi 5” over at his blog. It came up when I was first searching on this error via Google and […]

  17. Jeremy Hagan

    Is this procedure identical for ESXi 4.x?

    Reply
  18. Harry

    Hi Michael,

    You state in your article that hopefully steps 18-23 won't be required once Update 1 has been applied. We have applied Update 2 and I'm about to test the SSL certs process described above for the first time. Can you confirm that the requirement for steps 18-23 has now been removed?

    Thanks again

    Reply
  19. Harry

    A 2 minute response turnaround. Now that's impressive :-). Thanks Michael. Yes, I will let you know how I get on.

    Reply
  20. Harry

    Michael, can I safely assume that step 16 only came into play while steps 18 to 23 were relevant?

    Can you advise if SSL cert deployment in vCenter 5.0 and Update Manager is pretty much on the same lines as with vCenter 4.0?

    Thanks again

    Reply
  21. Andrew

    I would take caution before using this article with vCenter 5.x. What this article does not state is that you need to generate SEVERAL different sets of certs, one for each vCenter-related service (SSO, Web, etc.). Each service equates to running through this process over again, and each one is different.

    I highly suggest you read these two KB's first before trying this:

    http://kb.vmware.com/kb/2035011

    http://kb.vmware.com/kb/2037432

    Reply
  22. bolus14

    I just followed this in my environment, we're running vSphere 5 U1 build 804277 for vSphere and build 914586 for ESXi.

    After exiting maintenance mode I still had to disconnect the host and reconnect it to clean up the election state. I just did the disconnect and reconnect through the vCenter client. So, I would say that steps 19 – 23 aren't needed, I still had to follow step 18.

    Reply
  23. FrustratedWithCerts

    I am running version 5.5 U1a; however, I have found that the SSL thumbprint is still not being populated in the VPX_HOST table – even if I disconnect and reconnect. I was trying to go through the process of running the hostreconnect.pl script in vMA; however, since I almost never use the appliance, I don't know how to do simple tasks like upload the script to the appliance (and where in the file structure would it be?) to run the command. I have tried to navigate the filesystem logged in as vi-admin just to get a feel for the directories, but when I run an ls I only get the bin folder, and then run another ls and get nothing populated in that folder. If you could please give step by step instructions for step "16. Ensure that you have copied the HostReconnect.pl script to your vMA v5, you will need it soon." Thanks!

    Reply
  24. Cliff

    What's interesting in our 5.0 U2 configuration is that after the host is reconnected to vCenter everything works great with HA. However, in the SQL database, when you compare the expected certificate thumbprints to the host certificate thumbprints, the expected ones are blank. The host certificate thumbprints are there and HA is reporting that everything is elected and green. VMware thought that part of the U1 fix was that the expected certificates are no longer populated in the vCenter database. Can someone else confirm that this is the case with 5.0 U2? The SQL query I used was as follows: "SELECT id,EXPECTED_SSL_THUMBPRINT,HOST_SSL_THUMBPRINT FROM dbo.VPX_HOST". I also made sure that our vCenters had the option selected to verify the certificates.

    Reply
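As an added example (not code from the blog post or from any commenter), the script below ties together two threads above: the keyUsage attributes discussed in the reply to Alain, and the thumbprint columns in Cliff's VPX_HOST query. It assumes openssl is on PATH; the host name is a placeholder and the self-signing step stands in for whichever CA actually issues the certificate.

```shell
#!/bin/sh
# Added example, not code from the blog post or its commenters. Assumes openssl is on PATH.
# Everything is written to a scratch directory; the host name is a constructed placeholder.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=esxi01.example.test

# CSR config carrying the extensions named in the reply to Alain (serverAuth and clientAuth).
cat > "$WORK/csr.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions = ext
prompt = no
[ dn ]
CN = $HOST
[ ext ]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:$HOST
EOF

# Key and CSR to submit to the CA; the issued certificate becomes rui.crt on the host.
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/rui.key" \
    -out "$WORK/rui.csr" -config "$WORK/csr.cnf" 2>/dev/null

# Stand-in for the CA: self-sign the CSR while keeping the requested extensions.
openssl x509 -req -in "$WORK/rui.csr" -signkey "$WORK/rui.key" -days 1 \
    -extfile "$WORK/csr.cnf" -extensions ext -out "$WORK/rui.crt" 2>/dev/null

# Returns 0 only if the CSR ($2=req) or certificate ($2=x509) lists both EKUs;
# a CA that strips them is caught here before the cert reaches a host.
has_both_ekus() {
    openssl "$2" -in "$1" -noout -text | grep -A1 'Extended Key Usage' \
        | grep -q 'TLS Web Server Authentication' &&
    openssl "$2" -in "$1" -noout -text | grep -A1 'Extended Key Usage' \
        | grep -q 'TLS Web Client Authentication'
}

# SHA1 thumbprint in the colon-separated form seen in VPX_HOST, so rui.crt can be
# compared with the HOST_SSL_THUMBPRINT / EXPECTED_SSL_THUMBPRINT columns.
thumbprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//'
}

has_both_ekus "$WORK/rui.csr" req  || { echo "CSR lacks an EKU" >&2; exit 1; }
has_both_ekus "$WORK/rui.crt" x509 || { echo "CA dropped an EKU" >&2; exit 1; }
echo "thumbprint for $HOST: $(thumbprint "$WORK/rui.crt")"
```

Run the thumbprint function against the rui.crt actually installed on a host and compare it with the value Cliff's query returns for that host's row.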
  25. Jesus Machado

    I'm using ESXi 5.0u3 and I think I followed your instructions to a T, and after the management agent resets, I try to log in to the ESXi through the C++ client and it gives me a connection error.

    Reply
  26. ESX 5.0 CA Zerifikate erneuern

    […] Long White Virtual Clouds – The Trouble with CA SSL Certificates and ESXi 5 […]
