Replacing VMware vCenter SSL Certificates

Replacing VMware vCenter SSL Certificates

piotr_halas_padlock  Congratulations, if you’ve made it this far, you’re almost done with the replacing of your VMware SSL Certificates!  If you’ve followed the previous posts, you’ll know that this has been a long path to completing your goal.  This post finishes installing those certificates on your vCenter server.  If you missed a part please check out the previous posts to get caught up.

Create a Home Lab Certificate Authority

Deploy Root Certificates via Autoenrollment

Create VMware-SSL Web Certificate Template

Create VMware Services Certificate Requests 

 

Install SSL Certificates

Open up the VMware SSL Automation Tool and now we can go about deploying those SSL Certificates.   We’ve already completed 1 and 2, so now we need to refer to the planning steps from part 1.  If you can’t remember what they are, you can re-run option 1, but be sure to copy it to notepad or something so you can keep track of where you are at.

SSLTool2

 

 

Follow the instructions for your planning steps.  This should guide you through each of the phases.

NOTE:  Many of the operations you’ll perform here will stop and start VMware services.  You should be prepared for this in case the server is currently being access.  This will not affect any of your virtual machines, but may stop you from accessing vCenter, VUM, vCO etc.

 

Troubleshooting

If you are having trouble with the update proces, be sure to check to see if you are updating according to the plan.  The plan may have you update a service, then update another service and then go back to the first service to register it with some other service.  Follow the instructions.

Secondly, be sure that your cachain.pem files are located in the same folder as your rui.csr files etc.  This is the directory that the tool is looking to find the certificates.

Thirdly, be sure that when you downloaded the certificates from your CA, you grabbed only the certificate and not the chain.  See this post for additional information.

Lastly, be sure that you copied the Root64.cer file to the end of your rui.crt file, renamed it to cachain.pem and that there is no space between the two certificates.

SSL-NoSpace

 

 

Summary

This has been a long process, but hopefully valuable.  SSL Certificates are something that shouldn’t be overlooked for an design since an untrusted certificate could mean that your environment has been compromised.  It’s not a chance many corporations would want to take and hopefully the steps in this series have given you a good idea about how to replace SSL certificates for your VMware environment.

4 Responses to Replacing VMware vCenter SSL Certificates

  1. Great write-up. When I try to update the inventory cert I get an error at the end “openssl cannot generate inventory service rui.pfx -errorlevel 1

    I have checked the chain.pem contents and everything looks the same as the SSO folder which updated perfectly fine.

  2. I’m not sure exactly what the error is, but maybe run through the creation of the csr and re-request those certificates just for the inventory service? Be sure to not use any spaces in the names as I’ve heard that could cause issues.
    If you’re looking for more troubleshooting steps check out the vSphere documentation on how to do this process manually which will show you all the stops the automation tool has hidden. http://pubs.vmware.com/vsphere-50/index.jsp?topic=%2Fcom.vmware.vsphere.solutions.doc_50%2FGUID-404ACD2C-0F3E-4047-9502-2668826537A6.html

  3. i had same problem… the root cert in chain.pem was wrong format.. to correct don’t paste the contents of the cachain.7pb file into the chain.pem file.. instead

    Double-click the cachain.p7b file and navigate to C:certscachain.p7b > Certificates.
    Right-click the certificate listed and click All Actions > Export.
    Click Next.
    Select Base-64 encoded X.509 (.CER), and then click Next.
    Save the export to C:certsRoot64.cer and click Next.

    when building the chain.pem use the contents of the root64.cer and the error will be gone.

    the the following command to build the chain.pem
    “type rui,crt root64.cer > chain.pem”
    or cut and paste if you prefer

  4. Hi Oli,
    did you solve this. I see the exact same issue while trying to replace certificates with MS CA certificates

    [.] The supplied certificate chain is valid.

    [04-11-2014 – 11:45:34,77]: Last operation update Inventory Service SSL certificate failed :
    [04-11-2014 – 11:45:34,77]: openssl.exe Cannot generate Inventory Service rui.pfx – errorlevel is 1

Leave a reply