I’ve seen quite a few VMware environments where when you login, you get that silly error message about a certificate not being trusted.  This is something we can fix and more importantly be sure that the connections are trusted and encrypted.

Prerequisites

• Trusted root certificates deployed to workstations – Instructions for Lab Environment
• Web-Certificate Template Deployed – Instructions for Lab Environment
• Certificate Authority Web Enrollment server  –  (If you followed the Lab Environment setup this should be on your CA already)
• Download OpenSSL and install it.  I used 1.01h as the version for my lab which worked fine on a Server 2012 R2 Server which is also my vCenter Server.
• Download and install the vCenter Certificate Automation Tool from VMware.  This is also found in the vCenter install media for vSphere 5.5.

I prefer to create my certificate requests right from the VMware vCenter Server, so I install both the SSL Automation Tool and OpenSSL directly on the vCenter Server.  If you’re using the VMware vCenter Server Appliance you’ll need to do this someplace else and there are some additional steps not listed in this post.  Please see this KB article for more info:  vCSA SSL Certs

Running the Certificate Automation Tool

You can run the SSL-Updater tool by double clicking the batch file in the directory where you unzipped the tools.  Look for ssl-updater.bat.  Note:  it might be useful to run this as Administrator if UAC is on.

When you run the SSL Tool, you’ll get a menu with options.  To begin with you should select option 1.  This option will explain the steps that need to be done and the order in which to do them.

When you select option 1, you’ll be presented with a new menu.  This menu asks what you’re going to update.  If you are going to do all of the services listed, look for option 8.  You can see from the screenshot that the steps will be listed.  You should copy that list to a text file or something to recall it later.

Assuming you didn’t copy the list, and that the tool isn’t modified too much, you can use the list below.

1. Go to the machine with Single Sign-On installed and – Update the Single Sign-On SSL certificate.

2. Go to the machine with Inventory Service installed and – Update Inventory Service trust to Single Sign-On.

3. Go to the machine with Inventory Service installed and – Update the Inventory Service SSL certificate.

4. Go to the machine with vCenter Server installed and – Update vCenter Server trust to Single Sign-On.

5. Go to the machine with vCenter Server installed and – Update the vCenter Server SSL certificate.

6. Go to the machine with vCenter Server installed and – Update vCenter Server trust to Inventory Service.

7. Go to the machine with Inventory Service installed and – Update the Inventory Service trust to vCenter Server.

8. Go to the machine with vCenter Orchestrator installed and – Update vCenter Orchestrator trust to Single Sign-On.

9. Go to the machine with vCenter Orchestrator installed and – Update vCenter Orchestrator trust to vCenter Server.

10. Go to the machine with vCenter Orchestrator installed and – Update the vCenter Orchestrator SSL certificate.

11. Go to the machine with vSphere Web Client installed and – Update vSphere Web Client trust to Single Sign-On.

12. Go to the machine with vSphere Web Client installed and – Update vSphere Web Client trust to Inventory Service.

13. Go to the machine with vSphere Web Client installed and – Update vSphere Web Client trust to vCenter Server.

14. Go to the machine with vSphere Web Client installed and – Update the vSphere Web Client SSL certificate.

15. Go to the machine with Log Browser installed and – Update the Log Browser trust to Single Sign-On.

16. Go to the machine with Log Browser installed and – Update the Log Browser SSL certificate.

17. Go to the machine with vSphere Update Manager installed and – Update the vSphere Update Manager SSL certificate.

18. Go to the machine with vSphere Update Manager installed and – Update vSphere Update Manager trust to vCenter Server.

Create the Requests

From the Automation Tool, we can now select option 2 which is the generate certificate signing requests.  From here, we’ll need to select the service that we are creating a request for.  No, you can’ t do them all at once

Select the service, and answer the questions.  You’ll need to know things like IP Addresses, DNS Names, Locations and a file location to export the requests and private keys.

When the process is done, you’ll see three files in the file location you specified.  Next, repeat this process for the rest of the services that you want to sign.

Once these files have been created, you can take the certificate signing requests and upload them to the Certificate Authority to obtain the certificate.  You should be able to do this by going to https://NAMEOFCA/certsrv/default.asp assuming you followed the prior posts about setting up a Certificate Authority for your home lab.

Once here, choose “Request a Certificate”.

Choose “Advanced Certificate Request”.

Choose the base-64-encoded option.

Now you need to take the rui.csr file and copy the entire contents into the web page request box.  Choose the VMware-SSL certificate template (or any other Web Template you have created).

Choose the Base64 encoded option and then click the “Download Certificate”.

Save the file as rui.crt in the same directory as where the request came from.  This needs to be the same one that the Automation Tool created them in for the later steps to work correctly.  Once this is done, repeat the process for each of the services you are going to request SSL certificates for.

Once you’ve requested all of the certificates, go back to the default CA page and click the “Download a CA certificate, certificate chain, or CRL” link.

Here we will download the RootCA.  Choose Base64 and select the appropriate CA Certificate from the list.  Then click “Download CA certificate chain” link.

Now, save this file as “cachain.p7b” and I usually do this in the parent directory of the services I’m requesting.  I don’t think this one matters too much.

Once exported, you need to open the cachain.p7b file, and export it.

Export the file.

When prompted, select the Base-64 encoded X.509 (.CER) option.

Save the file as Root64.cer

Now we need to open the rui.crt files for each of the services that we now have certificates for and paste the contents of the Root64.cer certificate to the end of the file.  From the screenshot below, you can see my SSO Service rui.crt file has the Root64.cer file appended to the end.

Save the file as chain.pem in the service folder.  Don’t forget to do this same thing for each of the services you’ve requested.

Summary

Whew!  I know there are quite a few steps here, but I assure you that the hard parts are over.  In the next post, we’ll show you how to replace the default certificates in vCenter with the new certificates that you’ve created.  We’re almost there.