Updating CA SSL Certificates in vSphere 5.1
Over the past few weeks I have been working behind the scenes with a team of people at VMware spread around the globe on the process to successfully change out the self-signed certificates in vSphere 5.1. With the introduction of Single Sign-On in vSphere 5.1 the process is somewhat more complicated than vSphere 5 (ok quite a lot more complicated). But now I’m able to bring you some of the solutions you’ve all been waiting for.
This work covers vCenter, and all the related core components such as SSO, Inventory Service, Update Manager etc. The great news is that this work has resulted in KB’s that I and a number of others have tested and verified to work with vSphere 5.1 GA for the Windows installable version of vCenter. There are also updates to some previously released KB’s for vSphere 5.0. These processes will also work with the recently released patches to vCenter. The KB articles for the vCenter Virtual Appliance edition will also be published shortly and I will update this article when they are available.
Below are the links to all of the articles and a note with regard to Update Manager. I want to say a massive thank you to all of the people at VMware that made this happen. It was a big team effort. I’m glad I could make a contribution to the effort. I will be making sure the process is automated for you as part of the vCert Manager project that I’m working on. My goal would be to automate both the Windows Installable and Virtual Appliance editions for vSphere 5.1.
Note you should start with KB 2034833 – Implementing CA signed SSL certificates with vSphere 5.1.
| Configuring CA signed certificates for VMware vCenter Server 5.0.x - http://kb.vmware.com/kb/2015421 |
| Configuring CA signed SSL certificates for vSphere Update Manager in vCenter 5.1 - http://kb.vmware.com/kb/2037581 |
| Creating certificate requests and certificates for the vCenter 5.1 components - http://kb.vmware.com/kb/2037432 |
| Configuring CA signed SSL certificates for vCenter SSO in vCenter 5.1 - http://kb.vmware.com/kb/2035011 |
| Configuring CA signed SSL certificates for the Web Client and Log Browser in vCenter 5.1 - http://kb.vmware.com/kb/2035010 |
| Configuring CA signed SSL certificates for the Inventory service in vCenter 5.1 - http://kb.vmware.com/kb/2035009 |
| Configuring OpenSSL for installation and configuration of CA signed certificates in the vSphere environment - http://kb.vmware.com/kb/2015387 |
| Configuring CA signed certificates for ESXi 5.x hosts - http://kb.vmware.com/kb/2015499 |
| Configuring CA signed certificates for vCenter 5.1 - http://kb.vmware.com/kb/2035005 |
| Implementing CA signed SSL certificates with vSphere 5.0 - http://kb.vmware.com/kb/2015383 |
| Implementing CA signed SSL certificates with vSphere 5.1 - http://kb.vmware.com/kb/2034833 |
VMware has also put out a blog article on these KB’s titled Implementing CA Signed SSL Certificates with vSphere 5.1.
Note: I have found a problem with Update Manager when vCenter system is an all in one configuration with everything on the same VM and using a local MS SQL Server database. Update Manager will not be able to log into or register with vCenter when the SSL certificates have been changed. This prevents you from updating the SSL certs for Update Manager and Update Manager may no longer work. This does not appear to occur when the MS SQL Server database is remote. I have not tested this with a local Oracle or other supported local database. I am continuing to work with VMware on this issue and will update this article when it is resolved. In the meantime I would recommend placing the databases for vCenter and it’s other core components on a separate VM, even in small environments.
Final Word
Although changing out the self-signed SSL Certificates is not simple, and is very time consuming to do manually, the above articles make it possible and give you a tested and verified process. I will be automating the processes to take this pain away as part of the vCert Manager project. In the meantime I would recommend you start with KB 2034833 – Implementing CA signed SSL certificates with vSphere 5.1 and work your way through the rest. I hope you get a lot of value out of these articles and the effort that the team has put in. As always your feedback is appreciated.
Derek Seaman has put together a great series of articles on VMware vCenter 5.1 Installation that includes coverage of SSL certificates. I would highly recommend you check it out. Derek has made a great contribution to the process for SSL Certificate Replacement in vSphere 5.1.
—
This post first appeared on the Long White Virtual Clouds blog at longwhiteclouds.com, by Michael Webster +. Copyright © 2012 – IT Solutions 2000 Ltd and Michael Webster +. All rights reserved. Not to be reproduced for commercial purposes without written permission.
Leave a Reply
Mako Networks
Mako Networks
Your Author: Michael Webster, VCDX-066, vExpert 2012
IT Solutions 2000 Ltd
More sponsors welcomed. Contact me directly via the Author Page.
Thanks Michael! Let’s get the word out!
Nice work – Shame on VMware for making certificate management such an arduous process though.
I wrote a 14 post blog series on installing vCenter 5.1 with trusted SSL certificates. I’m in the process of making minor tweaks for 5.1.0A. As I update each post I’m making note of any changes with 5.1.0A, or issues that have been resolved. Inventory service SSL replacement seems reliable now.
http://derek858.blogspot.com/2012/09/vmware-vcenter-51-installation-part-1.html
Thanks Derek. That’s a fantastic contribution. Will make sure I link through to it from this and my vSphere 5 SSL article also. I would suggest you align your articles with the information from the KB’s as we have gone through and verified all the steps as working with all the components.
Yup, been pretty busy but will be tweaking the articles a little bit more. Thanks for the shout out!
Has anyone successfully upgraded to vSphere 5.1.0.b using SSO in HA mode with SSL certs and a VIP on a load balancer?
I’ve engaged VMware technical support and not one person on their floor of technicians has done an upgrade to 5.1 using SSO in HA configuration with a load balancer and SSL certificates. VMware’s documentation isn’t great for the SSL part when using a load balancer with SSO in HA mode….. Its ok if you do the single vCenter, SSO, Inv all in one install for small environments…but not if you want redundancy.
I’d be interested if anyone in VMware support has successfully got this working?
Hi Hugh, Not sure about the guys in Support, but I’d suggest VMware PSO has likely done this and potentially some of the VMware Partners. I haven’t tried the update to 5.1.0b in that scenario myself yet. Have you considered a brief T&M engagement with VMware PSO?
Hi Micheal,
We have considered it, but because we pay a lot for Enterprise edition licenses, VMware should provide proper documentation or make it simpler to upgrade to 5.1 and also prepare their technical staff to be able to support the more complex installs, such as the SSO servers in HA config with SSL certs. Many in the VMware community think VMware has really dropped the ball on this one.