Updating CA SSL Certificates in vSphere 5.1
Over the past few weeks I have been working behind the scenes with a team of people at VMware spread around the globe on the process to successfully change out the self-signed certificates in vSphere 5.1. With the introduction of Single Sign-On in vSphere 5.1 the process is somewhat more complicated than vSphere 5 (ok quite a lot more complicated). But now I’m able to bring you some of the solutions you’ve all been waiting for.
This work covers vCenter, and all the related core components such as SSO, Inventory Service, Update Manager etc. The great news is that this work has resulted in KB’s that I and a number of others have tested and verified to work with vSphere 5.1 GA for the Windows installable version of vCenter. There are also updates to some previously released KB’s for vSphere 5.0. These processes will also work with the recently released patches to vCenter. The KB articles for the vCenter Virtual Appliance edition will also be published shortly and I will update this article when they are available.
Below are the links to all of the articles and a note with regard to Update Manager. I want to say a massive thank you to all of the people at VMware that made this happen. It was a big team effort. I’m glad I could make a contribution to the effort. I will be making sure the process is automated for you as part of the vCert Manager project that I’m working on. My goal would be to automate both the Windows Installable and Virtual Appliance editions for vSphere 5.1.
Note you should start with KB 2034833 – Implementing CA signed SSL certificates with vSphere 5.1.
|Configuring CA signed certificates for VMware vCenter Server 5.0.x – http://kb.vmware.com/kb/2015421|
|Configuring CA signed SSL certificates for vSphere Update Manager in vCenter 5.1 – http://kb.vmware.com/kb/2037581|
|Creating certificate requests and certificates for the vCenter 5.1 components – http://kb.vmware.com/kb/2037432|
|Configuring CA signed SSL certificates for vCenter SSO in vCenter 5.1 – http://kb.vmware.com/kb/2035011|
|Configuring CA signed SSL certificates for the Web Client and Log Browser in vCenter 5.1 – http://kb.vmware.com/kb/2035010|
|Configuring CA signed SSL certificates for the Inventory service in vCenter 5.1 – http://kb.vmware.com/kb/2035009|
|Configuring OpenSSL for installation and configuration of CA signed certificates in the vSphere environment – http://kb.vmware.com/kb/2015387|
|Configuring CA signed certificates for ESXi 5.x hosts – http://kb.vmware.com/kb/2015499|
|Configuring CA signed certificates for vCenter 5.1 – http://kb.vmware.com/kb/2035005|
|Implementing CA signed SSL certificates with vSphere 5.0 – http://kb.vmware.com/kb/2015383|
|Implementing CA signed SSL certificates with vSphere 5.1 – http://kb.vmware.com/kb/2034833|
VMware has also put out a blog article on these KB’s titled Implementing CA Signed SSL Certificates with vSphere 5.1.
Note: I have found a problem with Update Manager when vCenter system is an all in one configuration with everything on the same VM and using a local MS SQL Server database. Update Manager will not be able to log into or register with vCenter when the SSL certificates have been changed. This prevents you from updating the SSL certs for Update Manager and Update Manager may no longer work. This does not appear to occur when the MS SQL Server database is remote. I have not tested this with a local Oracle or other supported local database. I am continuing to work with VMware on this issue and will update this article when it is resolved. In the meantime I would recommend placing the databases for vCenter and it’s other core components on a separate VM, even in small environments.
Although changing out the self-signed SSL Certificates is not simple, and is very time consuming to do manually, the above articles make it possible and give you a tested and verified process. I will be automating the processes to take this pain away as part of the vCert Manager project. In the meantime I would recommend you start with KB 2034833 – Implementing CA signed SSL certificates with vSphere 5.1 and work your way through the rest. I hope you get a lot of value out of these articles and the effort that the team has put in. As always your feedback is appreciated.
Derek Seaman has put together a great series of articles on VMware vCenter 5.1 Installation that includes coverage of SSL certificates. I would highly recommend you check it out. Derek has made a great contribution to the process for SSL Certificate Replacement in vSphere 5.1.
This post first appeared on the Long White Virtual Clouds blog at longwhiteclouds.com, by Michael Webster +. Copyright © 2012 – IT Solutions 2000 Ltd and Michael Webster +. All rights reserved. Not to be reproduced for commercial purposes without written permission.