
This article forms part of the Replacing vSphere SSL Certificates series.

Before continuing with the steps in this article, please ensure that you have followed the following steps required to generate and sign a new SSL Certificate for vCenter Server:

  1. Prepare the Certificate Authority Server with IIS, OpenSSL and Microsoft Certificate Services
  2. Create a Certificate Request using OpenSSL on Windows
  3. Submit the Certificate Request to the Microsoft Certificate Services CA
  4. Create a new PFX-Formatted Certificate

Ok, so we now have our own signed SSL Certificate for the vCenter Server. Let's first look at the steps that we need to take in order to replace the SSL Certificate on the vCenter Server.

The procedure for replacing the SSL Certificates for VMware vCenter Server involves:

  1. Disconnect all ESX hosts that are being managed by the vCenter Server
  2. Stop the vCenter Server services
  3. Create a backup of the existing SSL Certificate files
  4. Replace the Existing SSL Certificate files with the new SSL Certificate files
  5. Reset the VMware vCenter Database Password
  6. Start the VMware vCenter Services
  7. Reconnect all ESX hosts managed by the vCenter Server

Ok, let's begin:

Disconnect all ESX hosts managed by the vCenter Server

In order to replace the SSL Certificates for a vCenter Server, all ESX hosts that are managed by that vCenter Server need to be disconnected from the vCenter Server.

Important: If multiple vCenter Servers are configured in Linked-Mode, it is only necessary to disconnect the ESX hosts that are being managed by the vCenter Server that is currently having its SSL Certificates replaced. There is no need to disconnect ESX hosts that are managed by other vCenter Servers in the Linked-Mode configuration. There is also no need to break the Linked-Mode configuration between the vCenter Servers. I have also seen posts on the community forums that suggest that you shut down all VMs running on all ESX hosts managed by the vCenter Server. This statement is not correct. There is no need to evacuate VMs from any ESX hosts.

Open the vSphere client and connect to the vCenter Server. Make sure that the "Hosts and Clusters" view is selected. Right-click on each ESX host in turn and click "Disconnect".


Stop the vCenter Server Services

Before we can replace the SSL Certificates we need to first stop the vCenter Server services.

Open the Services Management Console (Start -> Run -> services.msc -> OK).


The Services Management Console Opens. Scroll down and locate the following two services:

  • VMware VirtualCenter Management Webservices
  • VMware VirtualCenter Server


Right-click on the "VMware VirtualCenter Server" service and click "Stop".


A message will appear stating that when the VMware VirtualCenter Server service stops, the VMware VirtualCenter Management Webservices service will also be stopped. Acknowledge the message by clicking “Yes”.


Create a backup of the existing SSL Certificate files

Using Windows Explorer, browse to the following location on the vCenter Server:

C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL\

The directory will contain the following three files:

  • rui.crt
  • rui.key
  • rui.pfx

Create a new folder called "Backup". Once the folder has been created, move the rui.crt, rui.key, rui.pfx files into the Backup folder.


Copy the new SSL files (rui.crt, rui.key and rui.pfx) from the OpenSSL-Win32\Bin folder on the Certificate Authority Server to C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL\ on the vCenter Server.


Because the VMware vCenter database password was encrypted using the original SSL Certificate when vCenter was installed, the vCenter Server service will not be able to decrypt the stored password with the new SSL Certificate. We therefore need to reset the vCenter database password so that it is encrypted using the new SSL Certificate.

Open a new command prompt window and browse to the Program Files directory where VMware vCenter Server is installed. In the example below, vCenter Server is installed on a 64-bit operating system and is therefore installed at “D:\Program Files (x86)\VMware\Infrastructure\VirtualCenter Server\”. The default installation path for vCenter Server on a 32-bit operating system is “C:\Program Files\VMware\Infrastructure\VirtualCenter Server\”.

To reset the password, type “vpxd.exe -p” and press <Enter>. When prompted to enter a new DB password, enter a new password for the vCenter Database and press <Enter>. Enter the password again to verify the entry and press <Enter>. Confirm that “Reset DB password succeeded” is displayed.


Go back to the Services Management Console and find the following two services:

  • VMware VirtualCenter Management Webservices
  • VMware VirtualCenter Server

Right-click on the "VMware VirtualCenter Server" service and click "Start".


Once the VMware VirtualCenter Server service has started, right-click on the VMware VirtualCenter Management Webservices and click "Start".


Once the steps above have been followed, the VMware vCenter Server will be using the new SSL certificates. Please bear in mind that the SSL certificate was signed for a specific host based on the host's FQDN. Therefore, in order to avoid being presented with an SSL certificate warning, the FQDN of the vCenter Server should now be used when logging into vCenter with the vSphere client.
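As an added example that is not part of the original article, the PowerShell script below carries out steps 2 to 6 of the procedure (stop services, back up, copy, reset the DB password, start services) and first checks that the new rui.crt is issued for the vCenter FQDN, is valid today, and is the same certificate as the private key in rui.pfx. The $NewFiles folder, the FQDN and the install path are assumptions to adjust; the SSL path and service names are those given in the article.

```powershell
# Added example, not from the original article. Run from an elevated prompt on the vCenter Server.
$SslDir   = 'C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL'
$NewFiles = 'C:\OpenSSL-Win32\bin'           # assumption: where the new rui.* files were copied to
$Fqdn     = 'vcenter01.example.com'          # assumption: FQDN the certificate was issued for
$VcDir    = 'C:\Program Files\VMware\Infrastructure\VirtualCenter Server'   # 32-bit default from the article
$PfxPass  = Read-Host -AsSecureString 'Password of the new rui.pfx'

# 1. The new certificate must name this vCenter's FQDN (otherwise the vSphere client
#    shows the certificate warning mentioned above) and must be valid today.
$crt = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (Join-Path $NewFiles 'rui.crt')
$dns = $crt.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
if ($dns -ne $Fqdn) { throw "rui.crt is issued for '$dns', not for '$Fqdn'" }
$now = Get-Date
if ($now -lt $crt.NotBefore -or $now -gt $crt.NotAfter) {
    throw "rui.crt is not valid today (valid from $($crt.NotBefore) to $($crt.NotAfter))"
}

# 2. rui.pfx must carry a private key and be the same certificate as rui.crt.
$pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$pfx.Import((Join-Path $NewFiles 'rui.pfx'), $PfxPass, 'DefaultKeySet')
if (-not $pfx.HasPrivateKey)             { throw 'rui.pfx contains no private key' }
if ($pfx.Thumbprint -ne $crt.Thumbprint) { throw 'rui.pfx and rui.crt are different certificates' }

# 3. Stop the services; stopping the Server service also stops Management Webservices,
#    so -Force is needed to take the dependent service down with it.
Stop-Service -DisplayName 'VMware VirtualCenter Server' -Force

# 4. Move the existing rui.* files into a timestamped Backup folder, then copy the new ones in.
$backup = Join-Path $SslDir ('Backup_' + $now.ToString('yyyyMMdd_HHmmss'))
New-Item -ItemType Directory -Path $backup | Out-Null
Move-Item -Path (Join-Path $SslDir 'rui.*') -Destination $backup
foreach ($f in 'rui.crt', 'rui.key', 'rui.pfx') {
    Copy-Item -Path (Join-Path $NewFiles $f) -Destination $SslDir
}

# 5. Re-encrypt the database password with the new certificate. vpxd.exe -p prompts
#    interactively for the new password; confirm it prints "Reset DB password succeeded".
Push-Location $VcDir
& .\vpxd.exe -p
Pop-Location

# 6. Start the services in the order the article gives.
Start-Service -DisplayName 'VMware VirtualCenter Server'
Start-Service -DisplayName 'VMware VirtualCenter Management Webservices'
```

If either pre-flight check throws, nothing has been stopped or moved yet, so the vCenter Server keeps running on its current certificate while the new files are corrected.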
