Over the past few weeks I have been working behind the scenes with a team of people at VMware spread around the globe on the process to successfully change out the self-signed certificates in vSphere 5.1. With the introduction of Single Sign-On in vSphere 5.1 the process is somewhat more complicated than vSphere 5 (ok quite a lot more complicated). But now I’m able to bring you some of the solutions you’ve all been waiting for.
This work covers vCenter, and all the related core components such as SSO, Inventory Service, Update Manager etc. The great news is that this work has resulted in KB’s that I and a number of others have tested and verified to work with vSphere 5.1 GA for the Windows installable version of vCenter. There are also updates to some previously released KB’s for vSphere 5.0. These processes will also work with the recently released patches to vCenter. The KB articles for the vCenter Virtual Appliance edition will also be published shortly and I will update this article when they are available.
Below are the links to all of the articles and a note with regard to Update Manager. I want to say a massive thank you to all of the people at VMware that made this happen. It was a big team effort. I’m glad I could make a contribution to the effort. I will be making sure the process is automated for you as part of the vCert Manager project that I’m working on. My goal would be to automate both the Windows Installable and Virtual Appliance editions for vSphere 5.1.
Note you should start with KB 2034833 – Implementing CA signed SSL certificates with vSphere 5.1.
Configuring CA signed certificates for VMware vCenter Server 5.0.x – http://kb.vmware.com/kb/2015421 |
Configuring CA signed SSL certificates for vSphere Update Manager in vCenter 5.1 – http://kb.vmware.com/kb/2037581 |
Creating certificate requests and certificates for the vCenter 5.1 components – http://kb.vmware.com/kb/2037432 |
Configuring CA signed SSL certificates for vCenter SSO in vCenter 5.1 – http://kb.vmware.com/kb/2035011 |
Configuring CA signed SSL certificates for the Web Client and Log Browser in vCenter 5.1 – http://kb.vmware.com/kb/2035010 |
Configuring CA signed SSL certificates for the Inventory service in vCenter 5.1 – http://kb.vmware.com/kb/2035009 |
Configuring OpenSSL for installation and configuration of CA signed certificates in the vSphere environment – http://kb.vmware.com/kb/2015387 |
Configuring CA signed certificates for ESXi 5.x hosts – http://kb.vmware.com/kb/2015499 |
Configuring CA signed certificates for vCenter 5.1 – http://kb.vmware.com/kb/2035005 |
Implementing CA signed SSL certificates with vSphere 5.0 – http://kb.vmware.com/kb/2015383 |
Implementing CA signed SSL certificates with vSphere 5.1 – http://kb.vmware.com/kb/2034833 |
VMware has also put out a blog article on these KB’s titled Implementing CA Signed SSL Certificates with vSphere 5.1.
Note: I have found a problem with Update Manager when vCenter system is an all in one configuration with everything on the same VM and using a local MS SQL Server database. Update Manager will not be able to log into or register with vCenter when the SSL certificates have been changed. This prevents you from updating the SSL certs for Update Manager and Update Manager may no longer work. This does not appear to occur when the MS SQL Server database is remote. I have not tested this with a local Oracle or other supported local database. I am continuing to work with VMware on this issue and will update this article when it is resolved. In the meantime I would recommend placing the databases for vCenter and it’s other core components on a separate VM, even in small environments.
Final Word
Although changing out the self-signed SSL Certificates is not simple, and is very time consuming to do manually, the above articles make it possible and give you a tested and verified process. I will be automating the processes to take this pain away as part of the vCert Manager project. In the meantime I would recommend you start with KB 2034833 – Implementing CA signed SSL certificates with vSphere 5.1 and work your way through the rest. I hope you get a lot of value out of these articles and the effort that the team has put in. As always your feedback is appreciated.
Derek Seaman has put together a great series of articles on VMware vCenter 5.1 Installation that includes coverage of SSL certificates. I would highly recommend you check it out. Derek has made a great contribution to the process for SSL Certificate Replacement in vSphere 5.1.
—
This post first appeared on the Long White Virtual Clouds blog at longwhiteclouds.com, by Michael Webster +. Copyright © 2012 – IT Solutions 2000 Ltd and Michael Webster +. All rights reserved. Not to be reproduced for commercial purposes without written permission.
Thanks Michael! Let's get the word out!
Nice work – Shame on VMware for making certificate management such an arduous process though.
I wrote a 14 post blog series on installing vCenter 5.1 with trusted SSL certificates. I'm in the process of making minor tweaks for 5.1.0A. As I update each post I'm making note of any changes with 5.1.0A, or issues that have been resolved. Inventory service SSL replacement seems reliable now.
http://derek858.blogspot.com/2012/09/vmware-vcent…
Thanks Derek. That's a fantastic contribution. Will make sure I link through to it from this and my vSphere 5 SSL article also. I would suggest you align your articles with the information from the KB's as we have gone through and verified all the steps as working with all the components.
Yup, been pretty busy but will be tweaking the articles a little bit more. Thanks for the shout out!
[…] I wrote about Updating CA SSL Certificates in vSphere 5.1 which applied to the Windows installable version of the vCenter 5.1 and it’s supporting […]
[…] Updating CA SSL Certificates in vSphere 5.1 […]
[…] Webster has a great write-up on replacing CA SSL certificates in vSphere 5.1. Thanks for all the effort pulling this together, […]
[…] director of IT Solutions 2000 Ltd., a VMware consultancy based in Auckland, New Zealand, noted in a blog post that there’s still a ‘gotcha’ with SSL certificates in a certain […]
[…] into KB articles. We have tested the procedures. I would recommend that you use these articles – Updating CA SSL Certificates in vSphere 5.1 and Updating CA SSL Certificates in vSphere 5.1 vCenter Virtual Appliance. I expect VMware will […]
Has anyone successfully upgraded to vSphere 5.1.0.b using SSO in HA mode with SSL certs and a VIP on a load balancer?
I've engaged VMware technical support and not one person on their floor of technicians has done an upgrade to 5.1 using SSO in HA configuration with a load balancer and SSL certificates. VMware's documentation isn't great for the SSL part when using a load balancer with SSO in HA mode….. Its ok if you do the single vCenter, SSO, Inv all in one install for small environments…but not if you want redundancy.
I'd be interested if anyone in VMware support has successfully got this working?
Hi Hugh, Not sure about the guys in Support, but I'd suggest VMware PSO has likely done this and potentially some of the VMware Partners. I haven't tried the update to 5.1.0b in that scenario myself yet. Have you considered a brief T&M engagement with VMware PSO?
Hi Micheal,
We have considered it, but because we pay a lot for Enterprise edition licenses, VMware should provide proper documentation or make it simpler to upgrade to 5.1 and also prepare their technical staff to be able to support the more complex installs, such as the SSO servers in HA config with SSL certs. Many in the VMware community think VMware has really dropped the ball on this one.
[…] improve the manual process documented in the earlier KB’s slightly, which had 136 steps (See Updating CA SSL Certificates in vSphere 5.1) it’s not really what I’d call real automation of the process. It doesn’t […]
There were 4 points that I thought deserved clarification and used the feedback link as well as a SR to encourage on KB 2037432.
1. They indicate that the DN must be unique via OU matching the component function. They do not however list what to do if you have multiple servers running the same function (i.e. multiple vCenters). In this case, would the different CN be enough or do the OU need to not only be the function but vCenter environment.
2. They do not have a warning that the real hostname FQDN must be last in the SAN list. http://virtuallyhyper.com/2012/08/srm-5-x-custom-…
3. In KB 2015499, they reference 2037432 but to not provide a suggestion on what a proper OU would be. This is also related to the first question.
4. Is the name rui.csr/key/cer required or just conventional? When dealing with a large number of certs, it makes more sense to prefix the host shortname just to be certain you don't get your rui* mixed up accidentally.
Hi Jonathan, To answer your questions, 1. CN change is fine. So you can have the same OU on multiple servers because the CN is different and therefore the DN is then unique. 2. Doesn't apply unless you're trying to apply certs to SRM. That advice is only for SRM. 3. There are example CSR's that include the OU attribute. You can choose to just copy those or choose your own. 4. The name needs to be rui. If you want to automate the process check out the article I wrote about vCert Manager, which is being developed by one of VMware's partners. Also check out VMware's cert tool.