Replace vCenter 4.1 default SSL certificate with a trusted certificate.

Published on
10,977 Points
1 Endorsement
Last Modified:
Justin C
AWS solutions and security architect with a strong background in VMware and security compliance.
vSphere 4.1 includes a self-signed SSL certificate upon installation.  In some situations, especially in larger environments with an existing PKI infrastructure, you may need to replace this with a valid SSL certificate for your environment.  VMware published a document (linked below) on doing this, however it can be a little confusing and I had to do some extra googling to figure out/understand the entire process, so I’ve broken it down into (hopefully) easy to follow steps.  These steps assume you have an existing vCenter instance in place and the file paths are valid for Server 2008 R2 (if you’re using Server 2003 adjust accordingly).  I hope someone finds this useful!

1.      Obtain openssl from the openssl.org and copy it to the vCenter host.
2.      Install openssl using all defaults.  
3.      Create a directory on the C: drive named “ssl”.
4.      Browse to C:\Users\All Users\VMware\VMware VirtualCenter\SSL
5.      Copy the rui.key file to C:\ssl
6.      Open a command prompt by clicking Start, right-clicking on the Command Line icon and selecting Run as administrator.
7.      Click Yes when prompted.
8.      Change directories to C:\ssl (cd c:\ssl)
9.      Use openssl to create a certificate signing request for the vCenter host, as indicated here (note the keylength is 2048-bits, your environment may require something different):

c:\openssl-win64\bin\openssl.exe req -newkey rsa:2048 -keyout rui.key -nodes -days 3650

10.      Enter the Country, State, locality, organization, Organizational Unit, and FQDN of the vCenter server for the Common Name. Leave the Email Address blank, or fill it in depending on your local certificate process.
11.      Copy the generated certificate request and paste it into a new file named rui.csr.
12.      The rui.csr file is your certificate request and should be submitted to your local CA.  At this point, follow your local procedures for submitting a certificate request as they will vary depending upon company policies and the type of CA your environment employs.  
13.      Once the request is approved and your certificate is generated, copy the “Base 64 encoded certificate” certificate data and paste it into a new file in the “c:\ssl” directory named rui.crt.  Make sure to delete any trailing spaces at the bottom of the file, notepad likes to add those sometimes.
14.      Run the following command to generate the PKCS formatted file needed by vCenter:

c:\openssl-win64\bin\openssl pkcs12 -export -in rui.crt -inkey rui.key -name rui -passout pass:testpassword –out rui.pfx

NOTE: You must use “pass:testpassword” as the option for the “passout” option as this is hardcoded into the Tomcat instance used by vCenter.  Changing this password requires modifying Tomcat configuration files and is not recommended.  

15.      Browse to C:\Program Data\VMware\VMware\VirtualCenter\SSL, move the three files in the directory to C:\Program Data\VMware\VMware\VirtualCenter\Backup.
16.      Copy all three files in the “c:ssl” directory (.pfx, .crt and .key) to C:\Program Data\VMware\VMware\VirtualCenter\SSL.
17.      Browse to the vCenter server URL, at http://localhost/mob/?moid=vpxd-securitymanager&vmodl=1
18.      Log in with an administrative account.
19.      On the web page, under Methods, click reloadSslCertificate
20.      On the pop-up window, click Invoke Method
21.      From within Server Manager, expand Configuration and select Services.
22.      Restart the vCenter Management Webservices service.
23.      Open Internet Explorer and browse to https://vcentername/.  Click the lock icon to the right of the address bar, verify that the security info displayed matches the certificate that was installed.
24.      You’re done!

VMware Doc - http://www.vmware.com/files/pdf/techpaper/vsp_41_vcserver_certificates.pdf
Author:Justin C

Featured Post

Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

Join & Write a Comment

Teach the user how to delpoy the vCenter Server Appliance and how to configure its network settings Deploy OVF: Open VM console and configure networking:
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…

Keep in touch with Experts Exchange

Tech news and trends delivered to your inbox every month