SSL Certificate replacement of vCenter server 5.5

In this blog will walk you through SSL Certificate replacement of vCenter server 5.5 & Components.

Components in vCenter:

  1. SSO
  2. Inventory Service
  3. vCenter Service
  4. Web Client Service
  5. Log Browser
  6. Orchestrator
  7. Update Manager

Required SSL files for replacing the existing certificate:

  1. CSR – Certificate request, required for generating certificate from Certificate Authority.
  2. KEY – Private Key generated with CSR
  3. CRT – File generated from Certificate Authority
  4. PEM – Includes entire chain of Certificate

Steps to Update SSL Certificate:

  1. Download SSL Automation Tool from https://my.vmware.com/web/vmware/details?downloadGroup=SSLTOOL550&productId=353
  2. Edit ssl-environments.bat file in SSL automation tool
  3. Generate CSR for required components in vCenter Server
  4. Generate certificate from Internal CA or any 3rd party CA
  5. Create PEM files from generated certificate
  6. Update certificate and trust between components

Editing ssl-environment.bat file:

Update values in “The following parameters will be used to generate a CSR.”
Fill in the below fields
################
set gen_cert_server_fqdn=
set gen_cert_server_ip=
set gen_cert_server_short_name=
set gen_cert_country=
set gen_cert_state=
set gen_cert_locality_name=
set gen_cert_organization_name=
################
leave ‘gen_cert_organizational_unit_name’ blank
Save the file

Steps for Generating Certificate Request (CSR):

Open Command prompt as administrator

Navigate to SSL Automation Tool folder

Run ssl-updater.bat

Generate Request

Select option 2 for generating CSR’s

Generate CSR - 2

Select Option 1 for generating certificate request for SSO service

SSO

Note : Tool will pick values from ssl-environment.bat file as updated earlier

Select option 2 for generating certificate request for Inventory Service

IS Service

Select option 3 for vCenter Server service

VC

Select option 5 for vSphere Web Client service

SSL Certificate Replacement

After generating the CSR’s for required services, copy request CSR’s to c:\cert-request folder

Generating Certificate from Internal CA:

Open browser and access https://yourcaurl/certsrv

SSL Certificate Replacement
Click on “Request a certificate”

SSL Certificate

Click on Submit an “advanced certificate request”

SSL Certificate

Click on Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

Cert-4

Open the CSR file in Notepad / any Text editor and paste contents to Saved Request box.

Select certificate template as vSphere 6.0 (User this KB for creating Microsoft CA Template: KB2062108 ) & Click on Submit.

vSphere Certificate

Select Base-64 encoded & click on Download certificate

Save this certificate as rui.crt inside the respective folder

Repeat the same steps for all services and save .crt file for all services.

Generating Root Certificate:

Navigate to the Internal CA https://yourcaurl/certsrv

cert-7

Click on “Download a CA Certificate, Certificate chain or CRL”

vSphere Certificate

Select Base 64 and Click on Download CA certificate Chain

Save the certificate in local system as rootchain.p7b

Open the rootchain.p7b by double clicking on the file or Right-click and select open

Navigate to Certificates & select the certificate listed on right side of the window

Right-Click on the certificate listed and click on All Tasks & select Export

vCenter Certificate

Click on Next

vCenter Certificate

Select Base-64 encoded x.509(.CER) & click on Next

vCenter Certificate

Browse the location for saving the root certificate

vCenter Certificate

Save the certificate as root64.cer

vCenter Certificate

Click on Next and then Finish.

vCenter Certificate

Note: If you have Subordinate CA please follow the same steps as mentioned above and export to the same location.

Copy all generated certificates to vCenter Server.

We need PEM file for updating the certificate for vCenter services. Each services should have PEM file. Please run the below command to create PEM files.

copy /B rui.crt + C:\VMware\root64.cer chain.pem

If you have subordinate/intermediate certificate please use below command

copy /B rui.crt + C:\VMware\InterRoot.cer + C:\VMware\root64.cer chain.pem

Update SSL-environment.bat file with generated certificate path:

set sso_cert_chain=C:\VMware\sso\chain.pem
set sso_private_key=C:\VMware\sso\rui.key
set sso_node_type=single
set is_cert_chain=C:\VMware\inventory\chain.pem
set is_private_key_new=C:\VMware\inventory\rui.key
set vc_cert_chain=C:\VMware\vCenter\chain.pem
set vc_private_key=C:\VMware\vCenter\rui.key
set ngc_cert_chain=C:\VMware\WebClient\chain.pem
set ngc_private_key=C:\VMware\WebClient\rui.key
set logbrowser_cert_chain=C:\VMware\LogBrowser\chain.pem
set logbrowser_private_key=C:\VMware\LogBrowser\rui.key
set vco_cert_chain=C:\VMware\Orchestrator\chain.pem
set vco_private_key=C:\VMware\Orchestrator\rui.key
set vum_cert_chain=C:\VMware\UpdateManager\chain.pem
set vum_private_key=C:\VMware\UpdateManager\rui.key

Specify the SSO User name and VC username:

set sso_admin_user=administrator@vsphere.local
set vc_username=administrator@vsphere.local

If you need to change the default Backup & Log folder, please update the new path

set ROLLBACK_BACKUP_FOLDER=
set LOGS_FOLDER=

Updating the Certificate and Trust for service:

Open CMD in “Run as Administrator” mode

Change Directory to Certificate Updater tool directory

Run ssl-updater.bat

Type 1 for ‘Plan Your steps to Update SSL Certificate”

Select the services you wish to update

Copy the steps displayed to a notepad

Follow the each steps and update the certificate as well as trust between the services.

Once completed Verify the newly updated certificate using Webclient.

Hope you find this useful.

One Response

  1. Tristan
    Tristan at |

    Thank you, this guide was perfect.
    I just struggled when replacing the vCenter Server SSL certificate, as the tool request this : “Enter the vCenter Server original database password”.

    For anyone struggling here too, you have to enter the password of the user for the SQL database connection (ODBC System DSN Password)

    Reply

Leave a Reply