
Updating CA SSL Certificates in vSphere 5.1

Over the past few weeks I have been working behind the scenes with a team of people at VMware spread around the globe on the process to successfully change out the self-signed certificates in vSphere 5.1. With the introduction of Single Sign-On in vSphere 5.1 the process is somewhat more complicated than vSphere 5 (ok quite a lot more complicated). But now I’m able to bring you some of the solutions you’ve all been waiting for.

This work covers vCenter and all the related core components such as SSO, Inventory Service, Update Manager etc. The great news is that this work has resulted in KB articles that I and a number of others have tested and verified to work with vSphere 5.1 GA for the Windows installable version of vCenter. There are also updates to some previously released KB articles for vSphere 5.0. These processes will also work with the recently released patches to vCenter. The KB articles for the vCenter Virtual Appliance edition will also be published shortly and I will update this article when they are available.

Below are the links to all of the articles and a note with regard to Update Manager. I want to say a massive thank you to all of the people at VMware that made this happen. It was a big team effort. I’m glad I could make a contribution to the effort. I will be making sure the process is automated for you as part of the vCert Manager project that I’m working on. My goal would be to automate both the Windows Installable and Virtual Appliance editions for vSphere 5.1.

Note: you should start with KB 2034833 – Implementing CA signed SSL certificates with vSphere 5.1.

Configuring CA signed certificates for VMware vCenter Server 5.0.x – http://kb.vmware.com/kb/2015421
Configuring CA signed SSL certificates for vSphere Update Manager in vCenter 5.1 – http://kb.vmware.com/kb/2037581
Creating certificate requests and certificates for the vCenter 5.1 components – http://kb.vmware.com/kb/2037432
Configuring CA signed SSL certificates for vCenter SSO in vCenter 5.1 – http://kb.vmware.com/kb/2035011
Configuring CA signed SSL certificates for the Web Client and Log Browser in vCenter 5.1 – http://kb.vmware.com/kb/2035010
Configuring CA signed SSL certificates for the Inventory service in vCenter 5.1 – http://kb.vmware.com/kb/2035009
Configuring OpenSSL for installation and configuration of CA signed certificates in the vSphere environment – http://kb.vmware.com/kb/2015387
Configuring CA signed certificates for ESXi 5.x hosts – http://kb.vmware.com/kb/2015499
Configuring CA signed certificates for vCenter 5.1 – http://kb.vmware.com/kb/2035005
Implementing CA signed SSL certificates with vSphere 5.0 – http://kb.vmware.com/kb/2015383
Implementing CA signed SSL certificates with vSphere 5.1 – http://kb.vmware.com/kb/2034833

VMware has also put out a blog article on these KB articles titled Implementing CA Signed SSL Certificates with vSphere 5.1.

Note: I have found a problem with Update Manager when the vCenter system is an all-in-one configuration with everything on the same VM and using a local MS SQL Server database. Update Manager will not be able to log into or register with vCenter once the SSL certificates have been changed. This prevents you from updating the SSL certs for Update Manager, and Update Manager may no longer work. This does not appear to occur when the MS SQL Server database is remote. I have not tested this with a local Oracle or other supported local database. I am continuing to work with VMware on this issue and will update this article when it is resolved. In the meantime I would recommend placing the databases for vCenter and its other core components on a separate VM, even in small environments.

Final Word

Although changing out the self-signed SSL Certificates is not simple, and is very time consuming to do manually, the above articles make it possible and give you a tested and verified process. I will be automating the processes to take this pain away as part of the vCert Manager project. In the meantime I would recommend you start with KB 2034833 – Implementing CA signed SSL certificates with vSphere 5.1 and work your way through the rest. I hope you get a lot of value out of these articles and the effort that the team has put in. As always your feedback is appreciated.

Derek Seaman has put together a great series of articles on VMware vCenter 5.1 Installation that includes coverage of SSL certificates. I would highly recommend you check it out. Derek has made a great contribution to the process for SSL Certificate Replacement in vSphere 5.1.

This post first appeared on the Long White Virtual Clouds blog at longwhiteclouds.com by Michael Webster. Copyright © 2012 – IT Solutions 2000 Ltd and Michael Webster. All rights reserved. Not to be reproduced for commercial purposes without written permission.

  1. Simon Mijolovic
    October 27, 2012 at 1:23 pm | #1

    Thanks Michael! Let's get the word out!

  2. Rob
    October 27, 2012 at 5:02 pm | #2

    Nice work – Shame on VMware for making certificate management such an arduous process though.

  3. October 28, 2012 at 4:52 am | #3

    I wrote a 14 post blog series on installing vCenter 5.1 with trusted SSL certificates. I'm in the process of making minor tweaks for 5.1.0A. As I update each post I'm making note of any changes with 5.1.0A, or issues that have been resolved. Inventory service SSL replacement seems reliable now.

    http://derek858.blogspot.com/2012/09/vmware-vcent

    • October 29, 2012 at 12:00 am | #4

      Thanks Derek. That's a fantastic contribution. Will make sure I link through to it from this and my vSphere 5 SSL article also. I would suggest you align your articles with the information from the KB's as we have gone through and verified all the steps as working with all the components.

      • October 31, 2012 at 1:24 am | #5

        Yup, been pretty busy but will be tweaking the articles a little bit more. Thanks for the shout out!

  4. Hugh
    January 10, 2013 at 4:46 am | #6

    Has anyone successfully upgraded to vSphere 5.1.0.b using SSO in HA mode with SSL certs and a VIP on a load balancer?

    I've engaged VMware technical support and not one person on their floor of technicians has done an upgrade to 5.1 using SSO in HA configuration with a load balancer and SSL certificates. VMware's documentation isn't great for the SSL part when using a load balancer with SSO in HA mode... It's ok if you do the single vCenter, SSO, Inv all-in-one install for small environments, but not if you want redundancy.

    I'd be interested if anyone in VMware support has successfully got this working?

    • @vcdxnz001
      January 10, 2013 at 7:48 pm | #7

      Hi Hugh, Not sure about the guys in Support, but I'd suggest VMware PSO has likely done this and potentially some of the VMware Partners. I haven't tried the update to 5.1.0b in that scenario myself yet. Have you considered a brief T&M engagement with VMware PSO?

  5. Hugh
    January 10, 2013 at 10:34 pm | #8

    Hi Michael,

    We have considered it, but because we pay a lot for Enterprise edition licenses, VMware should provide proper documentation or make it simpler to upgrade to 5.1 and also prepare their technical staff to be able to support the more complex installs, such as the SSO servers in HA config with SSL certs. Many in the VMware community think VMware has really dropped the ball on this one.

  6. Jonathan
    July 25, 2013 at 4:39 pm | #9

    There were 4 points that I thought deserved clarification and used the feedback link as well as a SR to encourage on KB 2037432.

    1. They indicate that the DN must be unique via OU matching the component function. They do not, however, list what to do if you have multiple servers running the same function (i.e. multiple vCenters). In this case, would the different CN be enough, or does the OU need to be not only the function but the vCenter environment?

    2. They do not have a warning that the real hostname FQDN must be last in the SAN list. http://virtuallyhyper.com/2012/08/srm-5-x-custom-

    3. In KB 2015499, they reference 2037432 but do not provide a suggestion on what a proper OU would be. This is also related to the first question.

    4. Is the name rui.csr/key/cer required or just conventional? When dealing with a large number of certs, it makes more sense to prefix the host shortname just to be certain you don't get your rui* mixed up accidentally.

    • @vcdxnz001
      July 26, 2013 at 10:04 pm | #10

      Hi Jonathan, To answer your questions: 1. CN change is fine. So you can have the same OU on multiple servers because the CN is different and therefore the DN is then unique. 2. Doesn't apply unless you're trying to apply certs to SRM. That advice is only for SRM. 3. There are example CSRs that include the OU attribute. You can choose to just copy those or choose your own. 4. The name needs to be rui. If you want to automate the process check out the article I wrote about vCert Manager, which is being developed by one of VMware's partners. Also check out VMware's cert tool.
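The CSR conventions discussed in this exchange, as an added shell example that is not the post's or VMware's code: one OpenSSL request config per component, the OU naming the component function, a distinct CN making each DN unique even when two servers share an OU, the server FQDN placed last in the SAN list, and the key and request written as rui.key and rui.csr. The organisation and location values, the example hostnames, the 2048-bit RSA key size, the extension list and the per-component directory layout are assumptions of this example, not values taken from the KB articles.

```shell
#!/bin/sh
# Added example (not from the post or the VMware KBs): generate a
# per-component OpenSSL request config and the rui.key / rui.csr pair
# from it, then offer small checks on the resulting DN and SAN list.
# Assumptions (not from the page): organisation/location values, the
# 2048-bit key size, the extension list and the output directory layout.

set -e

# make_req_config <outfile> <fqdn> <ou>
# Writes an openssl req config whose OU names the component function and
# whose CN is the server FQDN; the SAN list ends with that FQDN.
make_req_config() {
  outfile=$1; fqdn=$2; ou=$3
  short=${fqdn%%.*}
cat > "$outfile" <<EOF
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:${short}, DNS:${fqdn}

[ req_distinguished_name ]
countryName = US
stateOrProvinceName = Example-State
localityName = Example-City
0.organizationName = Example Org
organizationalUnitName = ${ou}
commonName = ${fqdn}
EOF
}

# make_csr <dir> <fqdn> <ou>
# Writes <dir>/openssl.cfg, <dir>/rui.key and <dir>/rui.csr (requires openssl).
make_csr() {
  dir=$1; fqdn=$2; ou=$3
  mkdir -p "$dir"
  make_req_config "$dir/openssl.cfg" "$fqdn" "$ou"
  openssl req -new -nodes -newkey rsa:2048 -keyout "$dir/rui.key" \
    -out "$dir/rui.csr" -config "$dir/openssl.cfg" 2>/dev/null
}

# dn_of <cfg>: prints the OU/CN part of the DN a config will request, so two
# configs can be compared for uniqueness before any CSR is generated.
dn_of() {
  ou=$(sed -n 's/^organizationalUnitName = //p' "$1")
  cn=$(sed -n 's/^commonName = //p' "$1")
  printf 'OU=%s,CN=%s\n' "$ou" "$cn"
}

# last_san <cfg>: prints the last DNS entry of the subjectAltName line.
last_san() {
  sed -n 's/^subjectAltName *= *//p' "$1" | sed 's/.*DNS://'
}

# csr_subject <csr>: prints the subject of a generated CSR for inspection.
csr_subject() {
  openssl req -in "$1" -noout -subject
}

# Example use (hostnames are constructed placeholders):
#   make_csr ./certs/vc01 vc01.example.com vCenterServer
#   make_csr ./certs/vc02 vc02.example.com vCenterServer
#   dn_of ./certs/vc01/openssl.cfg; dn_of ./certs/vc02/openssl.cfg
```

Running `make_csr` once per component (and once per server for components such as vCenter that run on several hosts) yields a tree of openssl.cfg, rui.key and rui.csr files; `dn_of` on any two configs shows whether the CN alone already keeps the DNs distinct, and `last_san` confirms the FQDN is the final SAN entry before the request is submitted to the CA.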
