Replace vCenter 4.1 default SSL certificate with a trusted certificate.

Justin CAWS Solutions & Security Architect
AWS solutions and security architect with a strong background in VMware and security compliance.
vSphere 4.1 includes a self-signed SSL certificate upon installation.  In some situations, especially in larger environments with an existing PKI infrastructure, you may need to replace this with a valid SSL certificate for your environment.  VMware published a document (linked below) on doing this, however it can be a little confusing and I had to do some extra googling to figure out/understand the entire process, so I’ve broken it down into (hopefully) easy to follow steps.  These steps assume you have an existing vCenter instance in place and the file paths are valid for Server 2008 R2 (if you’re using Server 2003 adjust accordingly).  I hope someone finds this useful!

1.      Obtain openssl from the and copy it to the vCenter host.
2.      Install openssl using all defaults.  
3.      Create a directory on the C: drive named “ssl”.
4.      Browse to C:\Users\All Users\VMware\VMware VirtualCenter\SSL
5.      Copy the rui.key file to C:\ssl
6.      Open a command prompt by clicking Start, right-clicking on the Command Line icon and selecting Run as administrator.
7.      Click Yes when prompted.
8.      Change directories to C:\ssl (cd c:\ssl)
9.      Use openssl to create a certificate signing request for the vCenter host, as indicated here (note the key length is 2048 bits; your environment may require something different).  Because no output file is given, the request is printed to the console, which is what step 11 copies into a file:

c:\openssl-win64\bin\openssl.exe req -newkey rsa:2048 -keyout rui.key -nodes -days 3650

10.      Enter the Country, State, locality, organization, Organizational Unit, and FQDN of the vCenter server for the Common Name. Leave the Email Address blank, or fill it in depending on your local certificate process.
11.      Copy the generated certificate request and paste it into a new file named rui.csr.
12.      The rui.csr file is your certificate request and should be submitted to your local CA.  At this point, follow your local procedures for submitting a certificate request as they will vary depending upon company policies and the type of CA your environment employs.  
13.      Once the request is approved and your certificate is generated, copy the “Base 64 encoded certificate” data and paste it into a new file in the “c:\ssl” directory named rui.crt.  Make sure to delete any trailing spaces or blank lines at the bottom of the file; Notepad likes to add those sometimes.
14.      Run the following command to generate the PKCS formatted file needed by vCenter:

c:\openssl-win64\bin\openssl pkcs12 -export -in rui.crt -inkey rui.key -name rui -passout pass:testpassword -out rui.pfx

NOTE: You must use “pass:testpassword” as the value of the “-passout” option, as this password is hardcoded into the Tomcat instance used by vCenter.  Changing this password requires modifying Tomcat configuration files and is not recommended.

15.      Browse to C:\Program Data\VMware\VMware\Virtual Center\SSL and move the three files in the directory to C:\Program Data\VMware\VMware\Virtual Center\Backup.
16.      Copy all three files in the “c:\ssl” directory (.pfx, .crt and .key) to C:\Program Data\VMware\VMware\Virtual Center\SSL.
17.      Browse to the vCenter server URL, at http://localhost/mob/?moid=vpxd-securitymanager&vmodl=1
18.      Log in with an administrative account.
19.      On the web page, under Methods, click reloadSslCertificate
20.      On the pop-up window, click Invoke Method
21.      From within Server Manager, expand Configuration and select Services.
22.      Restart the vCenter Management Webservices service.
23.      Open Internet Explorer and browse to https://vcentername/.  Click the lock icon to the right of the address bar, verify that the security info displayed matches the certificate that was installed.
24.      You’re done!
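A scripted version of the check in step 23, added here as an example (it is not from the original article or from VMware): it takes the SHA-256 thumbprint of the rui.crt you installed, fetches the certificate the vCenter host actually presents on port 443, and compares the two; it also strips the trailing whitespace that step 13 warns about before decoding. It assumes Python 3 on the admin workstation; the host name and file path passed to installed_cert_matches are placeholders.

```python
import hashlib
import ssl

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def normalize_pem(text):
    """Return the PEM text with the trailing spaces/blank lines Notepad adds removed.

    Raises ValueError if the file does not look like a single Base-64 certificate.
    """
    cleaned = "\n".join(line.rstrip() for line in text.strip().splitlines()) + "\n"
    if not cleaned.startswith(PEM_HEADER) or not cleaned.rstrip().endswith(PEM_FOOTER):
        raise ValueError("rui.crt must begin with the BEGIN and end with the END CERTIFICATE marker")
    if cleaned.count(PEM_HEADER) != 1:
        raise ValueError("rui.crt should contain exactly one certificate")
    return cleaned


def sha256_fingerprint(pem):
    """SHA-256 thumbprint of the DER certificate, formatted AA:BB:... as a browser shows it."""
    der = ssl.PEM_cert_to_DER_cert(normalize_pem(pem))  # also rejects malformed Base-64
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_server_fingerprint(host, port=443):
    """Thumbprint of the certificate the live vCenter host presents on its HTTPS port."""
    pem = ssl.get_server_certificate((host, port))
    return sha256_fingerprint(pem)


def installed_cert_matches(crt_path, host):
    """True when the certificate served by vCenter is the rui.crt that was installed."""
    with open(crt_path, encoding="ascii") as handle:
        local = sha256_fingerprint(handle.read())
    return local == fetch_server_fingerprint(host)


if __name__ == "__main__":
    # Placeholder path and host name; substitute your own (constructed, not from the article).
    print(installed_cert_matches(r"C:\ssl\rui.crt", "vcentername"))
```

Compare the printed thumbprint with the one shown in the browser's certificate dialog if you also want to confirm the Common Name matches the FQDN you entered in step 10.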

VMware Doc -
