This blog post walks you through replacing the SSL certificates of vCenter Server 5.5 and its components.
Components in vCenter:
- Inventory Service
- vCenter Service
- Web Client Service
- Log Browser
- Update Manager
Required SSL files for replacing the existing certificate:
- CSR – Certificate request, required for generating certificate from Certificate Authority.
- KEY – Private Key generated with CSR
- CRT – File generated from Certificate Authority
- PEM – Includes entire chain of Certificate
Steps to Update SSL Certificate:
- Download SSL Automation Tool from https://my.vmware.com/web/vmware/details?downloadGroup=SSLTOOL550&productId=353
- Edit the ssl-environment.bat file in the SSL Automation Tool
- Generate CSR for required components in vCenter Server
- Generate certificate from Internal CA or any 3rd party CA
- Create PEM files from generated certificate
- Update certificate and trust between components
Editing ssl-environment.bat file:
Update values in “The following parameters will be used to generate a CSR.”
Fill in the below fields
Leave ‘gen_cert_organizational_unit_name’ blank
Save the file
Steps for Generating Certificate Request (CSR):
Open Command prompt as administrator
Navigate to SSL Automation Tool folder
Select option 2 for generating CSRs
Select Option 1 for generating certificate request for SSO service
Note: The tool picks up the values from the ssl-environment.bat file as updated earlier
Select option 2 for generating certificate request for Inventory Service
Select option 3 for vCenter Server service
Select option 5 for vSphere Web Client service
After generating the CSRs for the required services, copy the CSRs to the c:\cert-request folder
Generating Certificate from Internal CA:
Open browser and access https://yourcaurl/certsrv
Click on Submit an “advanced certificate request”
Click on Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
Open the CSR file in Notepad or any text editor and paste its contents into the Saved Request box.
Select certificate template as vSphere 6.0 (use this KB for creating the Microsoft CA template: KB2062108) & click on Submit.
Select Base-64 encoded & click on Download certificate
Save this certificate as rui.crt inside the respective folder
Repeat the same steps for all services and save .crt file for all services.
Generating Root Certificate:
Navigate to the Internal CA https://yourcaurl/certsrv
Click on “Download a CA Certificate, Certificate chain or CRL”
Select Base 64 and Click on Download CA certificate Chain
Save the certificate in local system as rootchain.p7b
Open the rootchain.p7b by double clicking on the file or Right-click and select open
Navigate to Certificates & select the certificate listed on right side of the window
Right-Click on the certificate listed and click on All Tasks & select Export
Click on Next
Select Base-64 encoded x.509(.CER) & click on Next
Browse the location for saving the root certificate
Save the certificate as root64.cer
Click on Next and then Finish.
Note: If you have a subordinate CA, follow the same steps as mentioned above and export its certificate to the same location.
Copy all generated certificates to vCenter Server.
We need a PEM file to update the certificate of each vCenter service, so every service should have its own PEM file. Run the command below to create the PEM files.
copy /B rui.crt + C:\VMware\root64.cer chain.pem
If you have a subordinate/intermediate certificate, use the command below instead
copy /B rui.crt + C:\VMware\InterRoot.cer + C:\VMware\root64.cer chain.pem
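Before the tool is pointed at the new files, each chain.pem can be checked for the two usual copy /B mistakes: fused PEM markers and certificates in the wrong order. The PowerShell function below is an added example, not part of the original post or of the SSL Automation Tool; the function name Test-ChainPem is hypothetical, and it assumes chain.pem sits in the current folder and contains only Base-64 certificates.

```powershell
# Added example (not from the SSL Automation Tool): sanity-check a chain.pem
# produced by "copy /B" before it is handed to the tool.
# Assumption: the file holds only Base-64 (PEM) certificates, leaf first, root last.
function Test-ChainPem {
    param([Parameter(Mandatory = $true)][string]$Path)

    # .NET does not follow PowerShell's current directory, so resolve the path first.
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    $text = [System.IO.File]::ReadAllText($full)

    # copy /B joins the inputs byte for byte. If rui.crt lacks a trailing newline,
    # the END and BEGIN markers land on one line and strict PEM parsers reject the file.
    if ($text -match '-----END CERTIFICATE-----[ \t]*-----BEGIN CERTIFICATE-----') {
        throw "Fused PEM markers in '$full'. End each input file with a newline and rebuild."
    }

    # Decode every PEM block into an X509Certificate2 object, in file order.
    $pattern = '-----BEGIN CERTIFICATE-----(?<b64>[A-Za-z0-9+/=\s]+?)-----END CERTIFICATE-----'
    $certs = @(foreach ($m in [regex]::Matches($text, $pattern)) {
        $der = [Convert]::FromBase64String(($m.Groups['b64'].Value -replace '\s', ''))
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
    })
    # A DER (binary) export saved by mistake yields no PEM block at all.
    if ($certs.Count -lt 2) {
        throw "Expected the service certificate plus at least one CA certificate, found $($certs.Count)."
    }

    # Name chaining only (no signature check): each issuer must be the next subject.
    for ($i = 0; $i -lt $certs.Count - 1; $i++) {
        if ($certs[$i].Issuer -ne $certs[$i + 1].Subject) {
            throw ("Certificate #{0} is issued by '{1}' but is followed by '{2}'." -f $i, $certs[$i].Issuer, $certs[$i + 1].Subject)
        }
    }
    $root = $certs[$certs.Count - 1]
    if ($root.Subject -ne $root.Issuer) {
        throw "The last certificate is not self-signed: the root is missing or out of order."
    }
    $now = Get-Date
    foreach ($c in $certs) {
        if ($c.NotBefore -gt $now -or $c.NotAfter -lt $now) { throw "Not currently valid: $($c.Subject)" }
    }
    $certs | Select-Object Subject, Issuer, NotBefore, NotAfter
}

# Run from the folder that holds the chain.pem of one service.
Test-ChainPem -Path .\chain.pem
```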
Update SSL-environment.bat file with generated certificate path:
Specify the SSO User name and VC username:
If you need to change the default Backup & Log folder, please update the new path
Updating the Certificate and Trust for service:
Open CMD in “Run as Administrator” mode
Change Directory to Certificate Updater tool directory
Type 1 for “Plan your steps to update SSL certificate”
Select the services you wish to update
Copy the steps displayed to a notepad
Follow each step and update the certificate as well as the trust between the services.
Once completed, verify the newly updated certificate using the Web Client.
Hope you find this useful.