
According to the DCA blueprint, you need to use a CA certificate to replace the default certificates on both ESX and vCenter.

I followed this help document (see the reference at the end) to set up certificates for vCenter and ESX. I ran into quite a few tricky issues that took hours to resolve, so I would like to share them with everyone to save you time.

First of all, download and install the correct versions of OpenSSL and VC++.

You can find those applications here.

I did my test on a Windows 2008 R2 SP1 server. I ran into issues with the 64-bit build of OpenSSL; with the 32-bit build I had no issues. So please make sure you install the right version.

 

All you need to do is open a command window and run the command VMware suggests.

[Screenshot: ca_01]

This is the first problem I encountered. I was looking for openssl.cnf all over the place.

Actually, this is the Windows version, so there is no .cnf file. It is openssl.cfg in the bin folder.

So what you need to do is use this command:

[Screenshot: ca_02]

All right. Finally, we have the request file rui.csr. It's time to use your AD CA to generate the .cer file. All you need to do is log in to your CA with valid credentials (you may want to log in as an Enterprise Admin instead of a Domain Admin, depending on how you set up the domain).

Launch IE and type http://localhost/certsrv

Click Request a certificate

Click Advanced certificate request

Click Submit a certificate request by using a base-64-encoded...

Then open the rui.csr you generated before in Notepad and paste its entire contents.

[Screenshot: ca_03]

Make sure the template is Web Server, then submit.

Once you submit, click Base 64 encoded and then click Download certificate.

[Screenshot: ca_04]

Save the file and rename it rui.crt

Copy it to the c:\openssl\bin folder

Run this command to generate the certificate.

[Screenshot: ca_05]

Once it's done, you should have 4 files:

rui.crt

rui.csr

rui.key

rui.pfx

Upload files to the ESX(i) server

This is a tricky thing to do. The best way I found to do this job is:

Use WinSCP to upload the files to the vMA (/home/vi-admin)

Connect the vMA to the host

Use the vifp command to replace the host's ssl_cert and ssl_key

[Screenshot: ca_06]

[Screenshot: ca_07]

Check your certificate file before you start

This is a very important step. For some reason, when you use vifp to upload the file, it actually modifies the file a little. This happened on ESXi 4.1 U1.

So you need to go to /etc/vmware/ssl and open the rui.crt file.

If you see something like this:

[Screenshot: ca_08]

That is wrong. There shouldn't be any "^M" in the crt, so you need to remove those characters manually.

Otherwise, you may see this error if you tail vpxa.log (/var/log/vmware/vpx):

[Screenshot: ca_09]

You can run the following commands to get rid of ^M (the carriage-return characters):

tr -d '\r' < /etc/vmware/ssl/rui.crt > /etc/vmware/ssl/rui-fixed.crt

mv /etc/vmware/ssl/rui-fixed.crt /etc/vmware/ssl/rui.crt
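As an added example (not from the original post), this small POSIX sh script automates the check and fix above: it detects the "^M" carriage returns, strips them with the same tr -d '\r' approach while keeping a backup, and confirms the PEM BEGIN/END markers are intact before you restart the agent. It assumes only tr, wc and grep are available; the default paths and the CERTIFICATE / "RSA PRIVATE KEY" labels are assumptions based on what the post describes, and the sample file it creates is constructed, not a real certificate.

```shell
#!/bin/sh
# Added example (not from the original post): check the uploaded PEM files
# for the "^M" (carriage return) bytes described above, strip them with the
# same tr -d '\r' approach, and confirm the BEGIN/END markers survived.
# Assumptions: POSIX sh with tr, wc and grep; paths are the ones the post uses.

# has_cr FILE -> status 0 if FILE contains at least one carriage return
has_cr() {
    before=$(( $(wc -c < "$1") ))
    after=$(( $(tr -d '\r' < "$1" | wc -c) ))
    [ "$before" -ne "$after" ]
}

# strip_cr FILE -> rewrite FILE without CRs, keeping FILE.orig as a backup
strip_cr() {
    cp "$1" "$1.orig" || return 1
    tr -d '\r' < "$1.orig" > "$1"
}

# pem_looks_valid FILE LABEL -> status 0 if FILE has exact
# "-----BEGIN LABEL-----" and "-----END LABEL-----" lines. The "$" anchor
# fails on a line that still ends in CR, so a CRLF file is rejected here too.
pem_looks_valid() {
    grep -q "^-----BEGIN $2-----\$" "$1" && grep -q "^-----END $2-----\$" "$1"
}

# fix_pem FILE LABEL -> strip CRs only when present, then validate
fix_pem() {
    if has_cr "$1"; then
        strip_cr "$1" || return 1
    fi
    pem_looks_valid "$1" "$2"
}

# make_sample_crlf_cert FILE -> constructed (not real) certificate with CRLF
# line endings, mimicking what the post shows in rui.crt after the upload
make_sample_crlf_cert() {
    printf -- '-----BEGIN CERTIFICATE-----\r\nQ29uc3RydWN0ZWQuLi4=\r\n-----END CERTIFICATE-----\r\n' > "$1"
}

# On a host (assumed labels): fix_pem /etc/vmware/ssl/rui.crt CERTIFICATE
#                             fix_pem /etc/vmware/ssl/rui.key "RSA PRIVATE KEY"
# Stand-alone demo on the constructed sample:
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp) && make_sample_crlf_cert "$f"
    fix_pem "$f" CERTIFICATE && echo "$f: CRs removed, PEM markers intact"
fi
```

Run it with --demo to see it operate on the constructed sample, or source it on the host and call fix_pem on rui.crt and rui.key before restarting vpxa.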

Restart the vpxa agent.

For ESX(i), go to the DCUI and restart the management agents.

For ESX, run: service vmware-vpxa restart

vCenter configuration:

You need to add the root certificate on vCenter and the vClient.

You need to remove the host and re-add it to vCenter.

You shouldn't encounter any certificate prompt.

 

For vCenter:

After you generate rui.crt, just copy all the files to

[Screenshot: ca_10]

C:\ProgramData\VMware\VMware VirtualCenter\SSL


Reference:

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1023688


3 Comments

  1. What I don't really understand is what happens in an environment with more than 100 hosts. Should I change the vCenter's cert first or the hosts'? If I change it on the vCenter first, will the connection to all hosts be interrupted? If not, may I still put hosts in maintenance mode and replace their certs one after another? If I reset the vpxd password, will the DB connectivity be interrupted? How can I avoid any outage of hosts? Is it better in vSphere 5?

    • You'll need to disconnect and reconnect each host to the vCenter Server. What I found that seemed to work was to disconnect the host from the VCS, ssh into the host, edit the files in /etc/vmware/ssl with a new key and cert we generated elsewhere, then use the console to restart the management agents. After that, reconnect the vCenter Server. Repeat for each host.

  2. I would take caution before using this article with vCenter 5.x. What this article does not state is that unless you generate SEVERAL different sets of certs, one for each vCenter-related service (SSO, Web, etc.). Each service equates to running through this process over again, and each one is different.

    I highly suggest you read these two KBs first before trying this:

    http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2035011

    http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=2037432
