This blog post walks you through replacing the SSL certificates of vCenter Server 5.5 and its components.
Components in vCenter Server 5.5 that carry their own certificate:
- SSO
- Inventory Service
- vCenter Service
- Web Client Service
- Log Browser
- Orchestrator
- Update Manager
Required SSL files for replacing the existing certificate (one set per service):
- CSR – Certificate Signing Request, submitted to the Certificate Authority to obtain a certificate.
- KEY – Private key generated together with the CSR. It stays on the vCenter Server and is never sent to the CA.
- CRT – Certificate issued by the Certificate Authority for the CSR.
- PEM – Certificate chain: the issued certificate followed by the intermediate (if any) and root CA certificates.
Steps to Update SSL Certificate:
- Download SSL Automation Tool from https://my.vmware.com/web/vmware/details?downloadGroup=SSLTOOL550&productId=353
- Edit the ssl-environment.bat file in the SSL Automation Tool folder
- Generate a CSR (and private key) for each required component of vCenter Server
- Generate certificate from Internal CA or any 3rd party CA
- Create PEM files from generated certificate
- Update certificate and trust between components
Editing the ssl-environment.bat file:
Update the values under “The following parameters will be used to generate a CSR.”
Fill in the fields below
################
set gen_cert_server_fqdn=
set gen_cert_server_ip=
set gen_cert_server_short_name=
set gen_cert_country=
set gen_cert_state=
set gen_cert_locality_name=
set gen_cert_organization_name=
################
Set gen_cert_server_fqdn to the name clients actually use to reach vCenter; the tool places the FQDN, short name and IP address in the Subject Alternative Name of the CSR, so a wrong value here means browser and client warnings later.
Leave gen_cert_organizational_unit_name blank: the tool fills the OU with the service name so that every component gets a unique Subject DN.
Save the file
Steps for Generating Certificate Request (CSR):
Open Command prompt as administrator
Navigate to SSL Automation Tool folder
Run ssl-updater.bat
Select option 2 to generate CSRs
Select option 1 to generate the certificate request for the SSO service
Note: the tool takes the Subject values from ssl-environment.bat as updated earlier and writes a CSR together with its private key (rui.key) for each service
Select option 2 to generate the certificate request for the Inventory Service
Select option 3 for the vCenter Server service
Select option 5 for the vSphere Web Client service
After generating the CSRs for the required services, copy each CSR to a working folder such as c:\cert-request, one sub-folder per service. Keep the matching rui.key with it; only the CSR is submitted to the CA.
Generating the Certificate from an Internal CA:
Open a browser and access https://yourcaurl/certsrv
Click on “Request a certificate”
Click on “advanced certificate request”
Click on “Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.”
Open the CSR file in Notepad (or any text editor) and paste its contents into the “Saved Request” box.
Select the certificate template created for vSphere (for example “vSphere 6.0”; use KB2062108 for creating the Microsoft CA template) and click on Submit.
Select “Base 64 encoded” and click on “Download certificate”
Save this certificate as rui.crt in the respective service's folder, next to its rui.key
Repeat the same steps for all services and save a .crt file for each of them.
Generating the Root Certificate:
Navigate to the internal CA at https://yourcaurl/certsrv
Click on “Download a CA certificate, certificate chain, or CRL”
Select “Base 64” and click on “Download CA certificate chain”
Save the file on the local system as rootchain.p7b
Open rootchain.p7b by double-clicking the file (or right-click and select Open)
Navigate to Certificates and select the certificate listed in the right-hand pane
Right-click the certificate, click on All Tasks and select Export
Click on Next
Select “Base-64 encoded X.509 (.CER)” and click on Next
Browse to the location for saving the root certificate
Save the certificate as root64.cer
Click on Next and then Finish.
Note: If you have a subordinate CA, the .p7b contains more than one certificate. Export each CA certificate in the chain the same way (the issuing CA and every CA above it up to the root, e.g. as InterRoot.cer and root64.cer) to the same location.
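If you have several services to process, the web enrollment clicks above can be replaced by certreq and certutil, as in this added PowerShell example. It is not part of the original post or of the SSL Automation Tool; the CA config string ca01.corp.example\Corp-Issuing-CA, the template name vSphere6.0 (certreq wants the template's internal name, not its display name) and the C:\cert-request folder layout are assumptions for illustration. It submits each service's rui.csr, saves the issued rui.crt in Base-64, and then fetches the issuing CA's certificate as root64.cer. With a subordinate CA this only gives you the issuing CA's certificate; the root and any further CA certificates still have to be exported from the chain as described above.

```powershell
# Added example (not from the original post or the SSL Automation Tool):
# submit one CSR per service to the internal Microsoft CA and fetch the
# issuing CA certificate in Base-64, without using /certsrv.
$CaConfig = 'ca01.corp.example\Corp-Issuing-CA'   # assumed "CAHost\CA common name"
$Template = 'vSphere6.0'                          # assumed internal name of the template from KB2062108
$CertRoot = 'C:\cert-request'                     # assumed: one sub-folder per service, holding rui.csr
$Services = 'sso','inventory','vCenter','WebClient','LogBrowser','Orchestrator','UpdateManager'

foreach ($svc in $Services) {
    $csr = Join-Path $CertRoot "$svc\rui.csr"
    $crt = Join-Path $CertRoot "$svc\rui.crt"
    if (-not (Test-Path $csr)) { Write-Warning "no CSR for $svc, skipping"; continue }

    # certreq -submit writes the issued certificate Base-64 encoded unless -binary is given,
    # which is the format the SSL Automation Tool expects for rui.crt
    & certreq.exe -submit -config $CaConfig -attrib "CertificateTemplate:$Template" $csr $crt
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $crt)) {
        throw "certreq failed for $svc (exit $LASTEXITCODE); check that the template is published on the CA"
    }
}

# Issuing CA certificate. certutil -ca.cert normally writes binary DER; certutil -encode
# wraps it in Base-64 with the BEGIN/END CERTIFICATE armour that the chain.pem needs.
$der = Join-Path $CertRoot 'root.cer'
$pem = Join-Path $CertRoot 'root64.cer'
& certutil.exe -config $CaConfig -ca.cert $der
if ($LASTEXITCODE -ne 0) { throw "could not fetch the CA certificate from $CaConfig" }
if ((Get-Content $der -Raw) -match 'BEGIN CERTIFICATE') {
    Copy-Item $der $pem -Force          # already Base-64: nothing to convert
} else {
    & certutil.exe -f -encode $der $pem
}
```

Run it as an administrator on a domain-joined machine that can reach the CA; a request that the CA leaves pending for approval produces no rui.crt, which the Test-Path check catches.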
Copy all generated certificates to the vCenter Server.
The tool needs a PEM chain file for each service: the service certificate first, followed by the CA certificates up to the root. Run the command below in each service's folder to create it. Note that copy /B joins the files byte for byte, so every certificate file must end with a newline; otherwise the END marker of one certificate and the BEGIN marker of the next land on the same line and the chain does not parse. All files must be Base-64 encoded (.cer/.crt exported as Base-64), not DER.
copy /B rui.crt + C:\VMware\root64.cer chain.pem
If you have a subordinate/intermediate CA, its certificate goes between the service certificate and the root:
copy /B rui.crt + C:\VMware\InterRoot.cer + C:\VMware\root64.cer chain.pem
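As an added example that is not part of the original post or of the tool, the following PowerShell script performs the same chain assembly for all services in one go and then verifies each chain.pem with OpenSSL before it is handed to the SSL Automation Tool: the chain has to validate up to root64.cer, rui.key has to match rui.crt, and the certificate has to carry the vCenter FQDN. The folder layout under C:\VMware and the OpenSSL path are assumptions; point $OpenSsl at any OpenSSL 1.x openssl.exe on the vCenter Server.

```powershell
# Added example (not from the original post or the SSL Automation Tool):
# build chain.pem for every service (service cert, then intermediate CA(s), then root),
# with one newline between blocks and ASCII encoding, then verify it with OpenSSL.
$Base     = 'C:\VMware'                                  # assumed: one sub-folder per service
$CaCerts  = @("$Base\InterRoot.cer", "$Base\root64.cer")  # issuing CA first, root last; drop InterRoot.cer for a single-tier CA
$OpenSsl  = 'C:\OpenSSL\bin\openssl.exe'                  # assumed path to an OpenSSL 1.x binary
$Services = 'sso','inventory','vCenter','WebClient','LogBrowser','Orchestrator','UpdateManager'

function Get-PemBlock([string]$Path) {
    # A DER file has no PEM armour and would silently corrupt the chain, so reject it.
    $text = [IO.File]::ReadAllText($Path)
    if ($text -notmatch '-----BEGIN CERTIFICATE-----') {
        throw "$Path is not Base-64/PEM; re-export it as Base-64 encoded X.509"
    }
    return $text.Trim() + "`n"   # exactly one newline after END CERTIFICATE
}

# every CA cert except the last (the root) is passed to openssl verify as -untrusted
$untrusted = @()
if ($CaCerts.Count -gt 1) {
    $CaCerts[0..($CaCerts.Count - 2)] | ForEach-Object { $untrusted += '-untrusted', $_ }
}

foreach ($svc in $Services) {
    $dir = Join-Path $Base $svc
    if (-not (Test-Path "$dir\rui.crt")) { continue }

    $chain = (Get-PemBlock "$dir\rui.crt") + (($CaCerts | ForEach-Object { Get-PemBlock $_ }) -join '')
    # Write ASCII without BOM: Out-File in Windows PowerShell defaults to UTF-16, which OpenSSL cannot read
    [IO.File]::WriteAllText("$dir\chain.pem", $chain, [Text.Encoding]::ASCII)

    # 1) the service certificate must chain up to the root we are about to trust
    $verifyArgs = @('verify', '-CAfile', $CaCerts[-1]) + $untrusted + "$dir\rui.crt"
    $result = & $OpenSsl $verifyArgs 2>&1 | Out-String
    if ($result -notmatch ': OK') { throw "$svc: chain does not verify:`n$result" }

    # 2) the private key generated with the CSR must belong to this certificate
    $certMod = & $OpenSsl x509 -noout -modulus -in "$dir\rui.crt"
    $keyMod  = & $OpenSsl rsa  -noout -modulus -in "$dir\rui.key"
    if ($certMod -ne $keyMod) { throw "$svc: rui.key does not match rui.crt" }

    # 3) show the Subject and SAN so the FQDN from ssl-environment.bat can be eyeballed
    & $OpenSsl x509 -noout -subject -text -in "$dir\rui.crt" | Select-String 'Subject:|DNS:'
    Write-Host "$svc: chain.pem OK"
}
```

Running this before ssl-updater.bat catches the three mistakes that otherwise surface only halfway through the update (a DER file in the chain, a certificate issued for a different CSR, and a missing or mis-ordered intermediate), while the rollback folder is still untouched.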
Update the ssl-environment.bat file with the paths of the generated chain and private key files:
set sso_cert_chain=C:\VMware\sso\chain.pem
set sso_private_key=C:\VMware\sso\rui.key
set sso_node_type=single
set is_cert_chain=C:\VMware\inventory\chain.pem
set is_private_key_new=C:\VMware\inventory\rui.key
set vc_cert_chain=C:\VMware\vCenter\chain.pem
set vc_private_key=C:\VMware\vCenter\rui.key
set ngc_cert_chain=C:\VMware\WebClient\chain.pem
set ngc_private_key=C:\VMware\WebClient\rui.key
set logbrowser_cert_chain=C:\VMware\LogBrowser\chain.pem
set logbrowser_private_key=C:\VMware\LogBrowser\rui.key
set vco_cert_chain=C:\VMware\Orchestrator\chain.pem
set vco_private_key=C:\VMware\Orchestrator\rui.key
set vum_cert_chain=C:\VMware\UpdateManager\chain.pem
set vum_private_key=C:\VMware\UpdateManager\rui.key
Specify the SSO user name and the vCenter Server user name:
set sso_admin_user=administrator@vsphere.local
set vc_username=administrator@vsphere.local
If you need to change the default backup and log folders, set the new paths:
set ROLLBACK_BACKUP_FOLDER=
set LOGS_FOLDER=
Updating the Certificate and Trust for each service:
Open CMD with “Run as administrator”
Change directory to the SSL Automation Tool folder
Run ssl-updater.bat
Type 1 for “Plan your steps to update SSL certificates”
Select the services you wish to update
Copy the steps displayed to Notepad
Follow each step in the order shown to update the certificate and then the trust between the services (the tool backs up the previous certificates to the rollback folder configured above, so a failed step can be rolled back).
Once completed, verify the new certificate by browsing to the Web Client and inspecting the certificate presented to the browser: the issuer should be your CA and the Subject Alternative Name should contain the vCenter FQDN.
Hope you find this useful.
Thank you, this guide was perfect.
I just struggled when replacing the vCenter Server SSL certificate, as the tool requests this: “Enter the vCenter Server original database password”.
For anyone struggling here too, you have to enter the password of the user for the SQL database connection (ODBC System DSN Password)
Hi
This is a good guide. But in my case, I have third-party .pem, .cer, .crt and .key files.
I don't know how to handle this. The SSL Updater Tool gives me errors.
Regards
Hi Chris,
Even 3rd-party CA certificates should not be an issue. Please follow the KB below for generating the CSR and certificate.
https://kb.vmware.com/s/article/2034833?lang=en_US
Regards,
Manjunath M