
Updating CA SSL Certificates in vSphere 5

Many of you will have read my articles regarding changing SSL certificates in vSphere 5 components for custom CA SSL certificates. My motivation for writing them was that I felt there was little good information around that would actually help people with this process. It has also traditionally been very difficult and frustrating, not to mention error-prone. The good news is that my work has not gone unnoticed by VMware, and there is now work underway to improve the public KBs and documentation available to assist customers. Here are some of the VMware KBs that have been or will be updated. I’m also including links to all of my recent posts regarding SSL certificates, which I will keep updated as I add to them, so you have one index page to visit.

Long White Virtual Clouds Articles on CA SSL Certificates

If you want a way to fully manage the certificate lifecycle and replace certs automatically, then you’ll want to check out vCert Manager – Changing VMware SSL Certs Made Easy. This will completely automate the SSL certificate process in vSphere environments.

The list below contains links to all of the relevant articles I have posted regarding changing SSL certificates in vSphere 5 and related products. Each link will open in a new window. I have tested the processes outlined in these articles and verified them with customers. This work is being used to update the VMware KB articles.

Updating CA SSL Certificates in vSphere 5.1

Updating CA SSL Certificates in vSphere 5.1 vCenter Virtual Appliance

Changing vCenter Heartbeat to CA SSL Certificates

Updating SSL Certificate in vShield Manager Made Easy

Common Mistakes Implementing CA Signed SSL Certs in vSphere

Best Order for Changing SSL Certs in vSphere Environments

Why change VMware default self-signed SSL Certs?

Virtual Infrastructure Navigator breaks when vCenter SSL Cert Changed

vCenter Server Virtual Appliance – Changing SSL Certs Made Easy

vSphere Web Client SSL Cert not updated after vCenter SSL Cert Changed

The Trouble with CA SSL Certificates and vCenter 5

The Trouble with CA SSL Certificates and ESXi 5

If you have trouble following any of the above articles, or you have a request with regard to changing SSL certificates in another VMware product, please get in touch via the feedback form on the Author Page. As always, your feedback and comments are greatly appreciated. There are still traps that you might run into, as PKI and SSL cert generation is particularly complex. So do contact me if you are having a problem with any of the instructions.

VMware KB Articles that have been or will be updated

In addition to the KBs below, a new general KB article with regard to changing SSL certificates in vSphere 5 will be published. This KB will bring together the relevant steps and will hopefully cover the full VMware Cloud Infrastructure Management (CIM) suite. As I become aware of new or updated articles I will include them here. So check back regularly to monitor progress.

Thanks to the great work of the VMware team for getting these articles created and updated.

VMware KB 2015387 – Configuring OpenSSL for installation and configuration of CA signed certificates in vSphere environments – Created based on my work
VMware KB 2015421 – Configuring CA Signed certificates for vCenter 5.0 – Created based on my work
VMware KB 2015499 – Configuring CA Signed certificates for ESXi 5.0 – Created based on my work
VMware KB 2009857 – Certificate warning is reported even after replacing vCenter Server 5.0 default SSL certificates with custom SSL certificates – Updated based on my work
VMware KB 1023011 – Replacing SSL certificates for VMware vCenter Update Manager by using the Update Manager Utility

VMware KB 2007824 – After upgrading to vCenter Server 5.0, the vCenter Service Stats and Hardware Status tab cannot be accessed

VMware KB 1013472 – vCenter Server Service Status plug-in cannot be enabled

Other CA SSL Certificate Resources for vSphere 5

Generating SSL Certificates for vCenter Operations Manager 5.0 – Erik Bussink

vCenter Operations 5.x vCenter Plugin uses IP instead of DNS hostname – Josh Perkins

Creating a Certificate with Multiple Hostnames – Greg Rowe

vSphere 5 Certificates – Replacing the Default vCenter 5 Server Certificate – Julian Wood

vSphere 5 Certificates – Replacing the Default Update Manager Server Certificate – Julian Wood

Import an OpenSSL CSR into a Windows CA – Christopher Bean

Replace SSL Certificates: Replace vCenter SSL Certificates - Rynardt Spies

Replacing vCenter 4.1 SSL Certificate with Active Directory Issued One – Gavin Adams

Replacing vCenter SSL Certificate with Certificate Issued by Microsoft Certificate Authority – Josh Perkins

This post first appeared on the Long White Virtual Clouds blog at longwhiteclouds.com, by Michael Webster. Copyright © 2012 – IT Solutions 2000 Ltd and Michael Webster. All rights reserved. Not to be reproduced for commercial purposes without written permission.

  1. Dean Colpitts
    February 28, 2012 at 12:36 pm | #1

    Hmm – nice timing on the posting. Last weekend I attempted to do just this on my vCenter server (to satisfy XenDesktop 5.5) using our wildcard GoDaddy SSL certificate (i.e. *.domain.local) and failed. I tried again this morning, and even with this updated KB article (KB Article: 2009857), my vCenter Service Status and Hardware Status tabs fail to work (as per KB Article: 2007824). I tried this a couple of times now using a .pfx with the entire certificate chain and one without the entire certificate chain. I had also noticed a posting somewhere along the way that if the rui.crt had any text above "-----BEGIN CERTIFICATE-----" that you would get errors – removing this text didn't help.

    Any further thoughts or solutions?

    • February 28, 2012 at 7:57 pm | #2

      Hi Dean,

      I would recommend that you review my post on updating vCenter Certificates. There are a lot of steps to run through to successfully make it work. You have to get the exact right attributes in your certificate and you have to ensure the integrity of the certificate file from any unnecessary characters. You also have to produce the PFX file with special attributes. Follow the process in The Trouble with CA SSL Certificates and vCenter 5. I've been helping a couple of people with this and the biggest problem has been missing attributes from the generated certificates.

  2. Jose Garcia
    April 20, 2012 at 7:58 am | #3

    Hello,

    I don't know if you are aware of KB: 2013352 (Replacing the default SSL certificates for VMware vCenter Server Appliance)

    While the steps provided seem fairly simple, they do not work.

    When restarting the vpxd service as instructed, the following error is thrown:

    "Waiting for vpxd to initialize: .failed"

    Also, no information is provided regarding the password to be used in the PFX certificate file. Can we use any password?
