Replacing vCenter Server Appliance SSL certificates

vCenter and SSL is always a pain. Simple thing as replacing default self-signed SSL certificates with CA signed has in official VMWare KB2057223 40(!!!) steps.

There are many blog posts and automation scripts about this procedure and often they contains much more steps. They, like official VMware KB, are generating and signing certificate for each individual vcenter component. From vmware KB:

This means that four different certificates are required for each vCenter Server Appliance:
•vCenter Server / vCenter Single Sign-On (SSO)
•vCenter Inventory Service
•VMware Log Browser
•vSphere AutoDeploy

Hell why? They ARE NOT required! You don’t need seperate ssl certificate for each compoment and vCenter is happy and working with one – common ssl certicate.

To generare ssl certificate for vcenter follow this simple steps on vcenter appliance:

1. We will be working in root home directory, so

cd /root

2. Generate certificate request (csr) with customized openssl.conf, create it:

[ req ]
default_md = sha512
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
input_password = testpassword
output_password = testpassword

[ v3_req ]
basicConstraints = CA:false
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vcenter01, IP:10.0.0.1, DNS:vcenter01.company.local (change this)

[ req_distinguished_name ]
countryName = SK (change this)
stateOrProvinceName = Slovakia (change this)
localityName = Bratislava (change this)
0.organizationName = Example, spol. s r.o. (change this)
organizationalUnitName = VMware vCenter Service Certificate
commonName = vcenter01.company.local (change this)

3. Now generate certificate request (csr) file:

openssl req -new -nodes -out rui_service.csr -keyout rui_service.key -config openssl.conf

Now you need to sign this request.

4. If you are using Microsoft Active Directory based CA, sign certificate and download it in base64 encoded format with full chain. Save it as rui_service.p7b. If you are using different CA, use it to sign you csr. Next command is for conversion p7b file, obtained from MS AD CA.

openssl pkcs7 -print_certs -in rui_service.p7b -out rui_service.crt

This seems to be stupid, but using file editor delete junk between first —–BEGIN CERTIFICATE—– and after —–END CERTIFICATE—– in rui_service.crt. Now you rui_service.crt contains certificate with full trush path.

5. Check – In this step your file rui_service.crt should contain multiple certificates (full trust path). This means vcenter server certificate is first, intermediate certificate(s) if any, and CA certificate at the end. If your CA provides you just certificate in crt file, intermediate certificate and CA certificates in seperate files, just copy&pate them in corret order to the end of rui_service.crt. It should look like this example.

6. Generate pfx file (yes, password must be testpassword)

openssl pkcs12 -export -out rui.pfx -in rui_service.crt -inkey rui_service.key -name rui -passout pass:testpassword

Now you have all required certificates!

7. Replace certifices with new one. You need to know vcenter Single Sign On (SSO) Admin password.
This script will replace certificates and restart services. It is good idea to take snapshot before running it:

SSO_PASSWORD="password here"

service vmware-stsd stop
service vmware-vpxd stop
/usr/sbin/vpxd_servicecfg certificate change rui_service.crt rui_service.key
service vmware-stsd start
service vmware-vpxd start
cd /usr/lib/vmware-vpx/inventoryservice/ssl
cp /root/rui_service.crt rui.crt
cp /root/rui_service.key rui.key
cp /root/rui.pfx rui.pfx
chmod 400 rui.key rui.pfx
chmod 644 rui.crt

cd /etc/vmware-sso/register-hooks.d
./02-inventoryservice --mode uninstall --ls-server https://$(hostname):7444/lookupservice/sdk
./02-inventoryservice --mode install --ls-server https://$(hostname):7444/lookupservice/sdk --user "administrator@vsphere.local" --password "$SSO_PASSWORD"
rm /var/vmware/vpxd/inventoryservice_registered

service vmware-inventoryservice stop
service vmware-vpxd stop
service vmware-inventoryservice start
service vmware-vpxd start
service vsphere-client restart

cd /usr/lib/vmware-logbrowser/conf
cp /root/rui_service.crt rui.crt
cp /root/rui_service.key rui.key
cp /root/rui.pfx rui.pfx

cd /etc/vmware-sso/register-hooks.d
./09-vmware-logbrowser --mode uninstall --ls-server https://$(hostname):7444/lookupservice/sdk
./09-vmware-logbrowser --mode install --ls-server https://$(hostname):7444/lookupservice/sdk --user "administrator@vsphere.local" --password "$SSO_PASSWORD"

8. Done in 8 steps and 15 minutes!

One thought on “Replacing vCenter Server Appliance SSL certificates

  1. Hi,
    On this step I got return code is not privileged, does this matter ?
    service vmware-inventoryservice stop
    service vmware-vpxd stop
    service vmware-inventoryservice start
    service vmware-vpxd start ——————– (return code is not privileged)
    service vsphere-client restart

    Also, when I get to this step the vmware-logbrowser does not exist any ideas ?
    cd /usr/lib/vmware-logbrowser/conf

    I am using vCenter 5.5

    thanks,

    John

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>