Many of you will have read my articles on replacing the default SSL certificates in vSphere 5 components with custom CA SSL certificates. My motivation for writing them was that I felt there was little good information around that would actually help people with this process. The process has also traditionally been very difficult and frustrating, not to mention error prone. The good news is that my work has not gone unnoticed at VMware, and work is now underway to improve the public KBs and documentation available to assist customers. Here are some of the VMware KBs that have been or will be updated. I’m also including links to all of my recent posts regarding SSL certificates, which I will keep updated as I add to them, so you have one index page to visit.
Long White Virtual Clouds Articles on CA SSL Certificates
If you want a way to fully manage the certificate lifecycle and replace certs automatically then you’ll want to check out vCert Manager – Changing VMware SSL Certs Made Easy. This will completely automate the SSL certificate process in vSphere environments.
The list below contains links to all of the relevant articles I have posted regarding changing SSL certificates in vSphere 5 and related products. Each link will open in a new window. I have tested the processes outlined in these articles and verified them with customers. This work is being used to update the VMware KB articles.
Updating CA SSL Certificates in vSphere 5.1
Updating CA SSL Certificates in vSphere 5.1 vCenter Virtual Appliance
Changing vCenter Heartbeat to CA SSL Certificates
Updating SSL Certificate in vShield Manager Made Easy
Common Mistakes Implementing CA Signed SSL Certs in vSphere
Best Order for Changing SSL Certs in vSphere Environments
Why change VMware default self-signed SSL Certs?
Virtual Infrastructure Navigator breaks when vCenter SSL Cert Changed
vCenter Server Virtual Appliance – Changing SSL Certs Made Easy
vSphere Web Client SSL Cert not updated after vCenter SSL Cert Changed
The Trouble with CA SSL Certificates and vCenter 5
The Trouble with CA SSL Certificates and ESXi 5
If you have trouble following any of the above articles, or you have a request with regard to changing SSL certificates in another VMware product, please get in touch via the feedback form on the Author Page. As always, your feedback and comments are greatly appreciated. There are still traps that you might run into, as PKI and SSL cert generation is particularly complex. So do contact me if you are having a problem with any of the instructions.
VMware KB Articles that have been or will be updated
In addition to the KBs below, a new general KB article on changing SSL certificates in vSphere 5 will be published. This KB will bring together the relevant steps and will hopefully cover the full VMware Cloud Infrastructure Management (CIM) suite. As I become aware of new or updated articles I will include them here, so check back regularly to monitor progress.
Thanks to the great work of the VMware team for getting these articles created and updated.
VMware KB 2015387 – Configuring OpenSSL for installation and configuration of CA signed certificates in vSphere environments – Created based on my work
VMware KB 2015421 – Configuring CA Signed certificates for vCenter 5.0 – Created based on my work
VMware KB 2015499 – Configuring CA Signed certificates for ESXi 5.0 – Created based on my work
VMware KB 2009857 – Certificate warning is reported even after replacing vCenter Server 5.0 default SSL certificates with custom SSL certificates – Updated based on my work
VMware KB 1023011 – Replacing SSL certificates for VMware vCenter Update Manager by using the Update Manager Utility
VMware KB 2007824 – After upgrading to vCenter Server 5.0, the vCenter Service Stats and Hardware Status tab cannot be accessed
VMware KB 1013472 – vCenter Server Service Status plug-in cannot be enabled
Other CA SSL Certificate Resources for vSphere 5
Generating SSL Certificates for vCenter Operations Manager 5.0 – Erik Bussink
vCenter Operations 5.x vCenter Plugin uses IP instead of DNS hostname – Josh Perkins
Creating a Certificate with Multiple Hostnames – Greg Rowe
vSphere 5 Certificates – Replacing the Default vCenter 5 Server Certificate – Julian Wood
vSphere 5 Certificates – Replacing the Default Update Manager Server Certificate – Julian Wood
Import an OpenSSL CSR into a Windows CA – Christopher Bean
Replace SSL Certificates: Replace vCenter SSL Certificates – Rynardt Spies
Replacing vCenter 4.1 SSL Certificate with Active Directory Issued One – Gavin Adams
Replacing vCenter SSL Certificate with Certificate Issued by Microsoft Certificate Authority – Josh Perkins
—
This post first appeared on the Long White Virtual Clouds blog at longwhiteclouds.com, by Michael Webster. Copyright © 2012 – IT Solutions 2000 Ltd and Michael Webster. All rights reserved. Not to be reproduced for commercial purposes without written permission.
Hmm – nice timing on the posting. Last weekend I attempted to do just this on my vCenter server (to satisfy XenDesktop 5.5) using our wildcard GoDaddy SSL certificate (i.e. *.domain.local) and failed. I tried again this morning, and even with this updated KB article (KB Article: 2009857), my vCenter Service Status and Hardware Status tabs fail to work (as per KB Article: 2007824). I tried this a couple of times now using a .pfx with the entire certificate chain and one without the entire certificate chain. I had also noticed a posting somewhere along the way that if the rui.crt had any text above "-----BEGIN CERTIFICATE-----" that you would get errors – removing this text didn't help.
Any further thoughts or solutions?
Hi Dean,
I would recommend that you review my post on updating vCenter Certificates. There are a lot of steps to run through to successfully make it work. You have to get the exact right attributes in your certificate and you have to ensure the integrity of the certificate file from any unnecessary characters. You also have to produce the PFX file with special attributes. Follow the process in The Trouble with CA SSL Certificates and vCenter 5. I've been helping a couple of people with this and the biggest problem has been missing attributes from the generated certificates.
[…] The best advice here is to follow the steps in my blog articles (Refer to the posts listed Updating CA SSL Certificates in vSphere 5) carefully and watch out for updated VMware documentation and KB articles. Always have a backup of […]
[…] you are probably aware by now (If you’ve read my previous posts on the SSL Cert Topic – Updating CA SSL Certs in vSphere 5) there have been a number of examples where the documentation isn’t quite complete or easy […]
Hello,
I don't know if you are aware of KB: 2013352 (Replacing the default SSL certificates for VMware vCenter Server Appliance)
While the steps provided seem fairly simple, they do not work.
When restarting the vpxd service as instructed, the following error is thrown:
"Waiting for vpxd to initialize: .failed"
Also, no information is provided regarding the password to be used in the PFX certificate file. Can we use any password?
Hi Jose, The password for the pfx must be testpassword. There is a link at the bottom of the KB that points you to generating the customer SSL certificate, you can also follow those instructions. Here is the link. http://kb.vmware.com/kb/1029944.
You should review my instructions for changing the SSL cert on the vCenter Server Appliance. http://longwhiteclouds.com/2012/02/13/vcenter-ser…. I hope this helps.
[…] you still want to do your certificates manually then please feel free to check out my article on Updating SSL Certificates in vSphere 5. I look forward to receiving some good feedback and […]
[…] details on how to replace the default SSL certificates, you should take a look at the fantastic articles written by Michael Webster who details the process, provides some troubleshooting steps and best […]