16 Responses

  1. William Lam

    Michael,

    To help simplify updating the SSL certs for the first two paths (WebUI & vCenter) in VCSA:

    /opt/vmware/etc/lighttpd/

    /etc/vmware-vpx/ssl

    You can use the "vpxd_servicecfg" utility to update the certificate; take a look at this article for more details:
    http://www.virtuallyghetto.com/2012/02/automating

    vpxd_servicecfg service stop

    vpxd_servicecfg certificate change rui.crt rui.key

    1. @vcdxnz001

      Thanks for the tip William. I'll update the article. That will make things a lot easier.

  2. Wan

    I followed the steps up to step 31 and got the error: cannot contact vSphere Web Client service. I started the service and re-ran the command. Got the same error and the service is stopped again. Please advise.

  3. @vcdxnz001

    Hi Wan, Have you attempted rebooting your vCenter Server Appliance? If you can't connect to the vSphere Web Client service then it's possible something is wrong with the command line as you entered it. Is the vSphere Web Client service running?

    1. Wan

      Have rebooted a few times. Not good.

      Found another article on changing the SSL cert. Followed through and updated the cert successfully.

      1. @vcdxnz001

        Hi Wan, could you share a link to the article? What was the solution to your particular problem? Most of the problems in my experience have been due to certificates not created with the correct attributes. If you wouldn't mind sharing what you did, I'd be happy to ensure that this article is updated to ensure accuracy. When I published this I had it tested in my lab and also by a couple of customers. But every environment is different, and dealing with PKI and CAs is very complex by its nature.

      2. @vcdxnz001

        I have now included a warning in the post to use Text transfer mode. Without using Text transfer mode in WinSCP you will corrupt your certificates with additional ASCII characters. The auto mode is not sufficient. I have also included a reference to Doug Baer's article on the same subject.

  4. Updating CA SSL Certificates in vSphere 5 « Long White Virtual Clouds

    […] vCenter Server Virtual Appliance – Changing SSL Certs Made Easy […]

  5. Hugo Phan

    Thanks for the link Michael.

  6. Doug Baer

    Thanks for the great article, and the backlink 🙂

    I totally agree that dealing with PKI is complicated by nature and pretty much misunderstood across the board.

  7. Installing SRM with custom certificates | VirtuallyHyper

    […] certificates. If you are looking for some more detail please see this blog post or this one. See this blog post if you are using the Linux vCenter […]

  8. andy franks

    Found that you might need to install the root certificate into the Java keystore first, before the server certificate. I did:

    keytool -import -trustcacerts -alias root -file root.cer -keystore /usr/lib/vmware-vsphere-client/server/config/keystore -storetype JCEKS -storepass testpassword

    HTH someone

    1. @vcdxnz001

      Hi Andy, yes, the root cert and any intermediate CA certs should be pre-trusted in the keystores. They also need to be trusted by the other systems in the PKI.

  9. Doug

    Looks like the process is different for 5.1. 5.1 doesn't have the directory /usr/lib/vmware-vpx/jre/bin/

    1. @vcdxnz001

      Hi Doug,

      There are a lot of changes for 5.1. I haven't yet taken a look at it. There is a guide as part of the doc set this time around, though. Rest assured, if necessary I'll write about it when I've had time to cover it.

      1. Doug

        It looks like I was able to get SSL for the web client working in 5.1 by using the following chain of commands:

        service vmware-vpxd stop

        service vmware-sso stop

        vpxd_servicecfg certificate change newrui.crt newrui.key

        /usr/bin/openssl pkcs12 -export -in /etc/vmware-vpx/ssl/rui.crt -inkey /etc/vmware-vpx/ssl/rui.key -name "rui" -passout pass:testpassword -out /etc/vmware-vpx/ssl/rui.pfx

        And then a reboot.

        The first time I had my new cert just named rui.crt and rui.key and it didn't take. After renaming them to "newrui" it worked. I'm not sure if that was a fluke but if anyone else has trouble with this script, try renaming your new cert files. Also if you get an error code you can get more info by typing:

        cat /usr/sbin/vpxd_servicecfg | grep

        I'm very close to getting it working. But even though my ESXi host is configured with the same wildcard certificate (and the Windows client can access it via SSL with no popup warning), when I try to add that host via the web client I get this error:

        License file download from to vCenter Server failed due to exception: vim.fault.SSLVerifyFault.

        I'm guessing this means there is another place I need to add in my certificate.
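The failures reported across this thread come down to three things that can be checked before the files ever reach vpxd_servicecfg or keytool: certificates corrupted by a binary-mode WinSCP transfer (extra carriage-return bytes, as noted in the Text-mode warning above), a rui.key that does not belong to rui.crt, and a server cert that does not chain to the root.cer being imported into the keystore. The POSIX shell pre-flight check below is an added example and is not code from the post, its commenters or VMware. It assumes openssl on the PATH and the thread's file names (root.cer, rui.crt, rui.key); the lab CA and server certificate it generates are constructed on the fly so the check runs offline, and the hostnames and subjects are placeholders.

```shell
#!/bin/sh
# Added pre-flight check for a VCSA certificate swap (example, not from the post or VMware).
# Assumes: openssl on PATH; files named as in the thread (root.cer, rui.crt, rui.key).
# Catches, before vpxd_servicecfg or keytool sees the files: CR bytes from a binary-mode
# transfer, a key that does not belong to the cert, and a cert that does not chain to the CA.

# 0 if the PEM file carries no carriage-return bytes, 1 otherwise.
pem_is_clean() {
    if grep -q "$(printf '\r')" "$1"; then
        return 1
    fi
    return 0
}

# 0 if the public key inside the certificate equals the public key derived from the private key.
cert_matches_key() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# 0 if the server certificate verifies against the CA bundle.
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# preflight ROOT.CER RUI.CRT RUI.KEY
# Return codes: 0 ok, 1 CR bytes present, 2 key/cert mismatch, 3 chain failure.
preflight() {
    ca=$1; crt=$2; key=$3
    if ! pem_is_clean "$crt" || ! pem_is_clean "$key"; then
        echo "CR bytes found in $crt or $key: re-copy the files in Text mode" >&2; return 1
    fi
    if ! cert_matches_key "$crt" "$key"; then
        echo "$key does not match $crt" >&2; return 2
    fi
    if ! cert_chains_to_ca "$ca" "$crt"; then
        echo "$crt does not chain to $ca" >&2; return 3
    fi
    return 0
}

# Constructed lab material (placeholder subjects): a throwaway root CA, a server cert it signed,
# a CRLF copy of that cert as a binary-mode transfer from Windows would leave it, and an
# unrelated key plus CA to exercise the mismatch and chain checks. Real deployments use the CA's files.
make_fixture() {
    d=$1
    cat > "$d/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Lab Root CA" -keyout "$d/root.key" -out "$d/root.cer" >/dev/null 2>&1
    openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=vcsa.lab.example" -keyout "$d/rui.key" -out "$d/rui.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$d/rui.csr" -CA "$d/root.cer" -CAkey "$d/root.key" \
        -CAcreateserial -out "$d/rui.crt" >/dev/null 2>&1
    awk '{ printf "%s\r\n", $0 }' "$d/rui.crt" > "$d/rui_crlf.crt"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/other.key" >/dev/null 2>&1
    openssl req -x509 -config "$d/ca.cnf" -key "$d/other.key" -days 1 \
        -subj "/CN=Other CA" -out "$d/other.cer" >/dev/null 2>&1
}

# Stand-alone demonstration: good pair passes, CRLF copy, wrong key and wrong CA are each rejected.
run_demo() {
    tmp=$(mktemp -d)
    make_fixture "$tmp"
    preflight "$tmp/root.cer" "$tmp/rui.crt" "$tmp/rui.key"       && echo "clean pair: OK"
    preflight "$tmp/root.cer" "$tmp/rui_crlf.crt" "$tmp/rui.key"  || echo "CRLF copy rejected (rc=$?)"
    preflight "$tmp/root.cer" "$tmp/rui.crt" "$tmp/other.key"     || echo "wrong key rejected (rc=$?)"
    preflight "$tmp/other.cer" "$tmp/rui.crt" "$tmp/rui.key"      || echo "wrong CA rejected (rc=$?)"
    rm -rf "$tmp"
}
run_demo
```

On the appliance, run preflight against the CA's root.cer and the new rui.crt/rui.key before stopping services; a non-zero return tells you which of the thread's failure modes you are about to hit, and the CR check is the one to look at first if the files came over from Windows.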
