This is an update post to reflect the differences in vCenter 4.1 vs the older vCenter 25 install. The older post can be found here.
Certain third-party products such as XenDesktop respect the expiration date on the vCenter SSL certificate. The vSphere Client doesn’t mind so much, nor, it appears, do the vSphere (ESX/ESXi — err, vSphere Hypervisor) hosts, but when your VDIs suddenly can’t be reached, it’s a bad thing. I’m sure other products may have the same issue.
By default, vCenter will create a self-signed certificate issued to “VMware default certificate”. Unlike previous vCenter installs, the certificate is valid for 10 years, but it can still cause problems for third parties that want to see the proper common name (e.g., the FQDN of the vCenter server).
In our case, since we’re not publishing any SSL services to the public and already have a Microsoft Certificate Authority, we can create and sign our own vCenter certificate. And just like the newer version of vCenter, we’ll set it up for 10 years too.
This can be completed in just under 15 minutes if all the prerequisites are in place. Took me an hour (including this documentation).
Environment Summary
For this process to work, the following assumptions are made:
- Active Directory installed and Certificate Authority installed (in my case, it’s on a Windows 2008 Domain Controller with Certificate Authority and Certificate Authority Web Enrollment )
- DNS used for vCenter and internal FQDN name
- vCenter server part of the domain, Domain Admin access to it
- vCenter installed with local database (SQL Server 2005 Express) and using SYSTEM account – People commented on my previous related post about other steps required for database connectivity
- Using the included web services that comes with vCenter (IIS users on your own for this one)
To test, we’ll use a browser from a workstation and the XenDesktop DDC to validate the connection (make sure the root CA certificate is added to the Trusted Roots for the Computer Account on each test and production server).
Prep vCenter
Since vCenter 4.1 now requires a 64-bit operating system (Server 2008 R2 Standard in my case), we’ll download the 64-bit version of OpenSSL for Windows.
Download OpenSSL for Windows (the binary for the 64-bit version v1.0.0a is here). You may have to install the Visual C++ 2008 redistributable package first.
Verify the private key exists in: C:\Users\All Users\VMware\VMware VirtualCenter\SSL\rui.key (you will need to change permissions to allow your user account to access this directory and files)
Copy all the files in C:\Users\All Users\VMware\VMware VirtualCenter\SSL to a temporary location such as c:\temp\vcenter\oldssl (create if needed)
Open a command shell and go to c:\temp\vcenter\newssl (create if needed)
Generate the new RSA private key (2048-bit) and the certificate request. The most important detail is that the common name must be the FQDN of the server. For the CSR file name I normally use the common name (e.g., vcenter.peanuts.local.csr), but since we’re working with rui.* files here, we’ll use rui.csr too:

```
C:\temp\vcenter\newssl>c:\OpenSSL-Win64\bin\openssl.exe req -newkey rsa:2048 -keyout rui.key -nodes -days 3650 -out rui.csr
Loading 'screen' into random state - done
Generating a 2048 bit RSA private key
.............................+++
......................................+++
writing new private key to 'rui.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Georgia
Locality Name (eg, city) []:Cumming
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Gavin Adams
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:vcenter.peanuts.local
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

C:\temp\vcenter\newssl>dir
 Volume in drive C has no label.
 Volume Serial Number is 204A-99B1

 Directory of C:\temp\vcenter\newssl

04/16/2010  03:50 PM    <DIR>          .
04/16/2010  03:50 PM    <DIR>          ..
04/16/2010  03:50 PM             1,024 .rnd
04/16/2010  03:49 PM             1,675 privkey.pem
04/16/2010  03:50 PM             1,679 rui.key
04/16/2010  03:50 PM             1,005 rui.csr
```
From the vCenter system, browse to the certsrv URL for your Active Directory Certificate Authority (normally https://dcname/certsrv and probably will require a valid Active Directory user):
Select Request a certificate, then advanced certificate request, and then Submit a certificate request by using a base-64…. Paste the entire contents of rui.csr (open it in Notepad and select all — it will be all on one line, but CTRL-A, CTRL-C will do fine) into the Saved Request box, and select Web Server as the Certificate Template:
At this point the certificate will be signed. On the next page select Base 64 encoded, then Download certificate, and save it as rui.crt in c:\temp\vcenter\newssl.
From the private key and certificate, create the PFX file:

```
C:\temp\vcenter\newssl>c:\OpenSSL-Win64\bin\openssl pkcs12 -export -in rui.crt -inkey rui.key -name rui -passout pass:testpassword -out rui.pfx
```
Stop the following services:
VMware VirtualCenter Management Webservices
VMware VirtualCenter Server
Copy all the files in the newssl directory to C:\Users\All Users\VMware\VMware VirtualCenter\SSL\, replacing the existing ones. Don’t worry, we backed these up.
Now restart the services in this order (unsure if it matters):
VMware VirtualCenter Server
VMware VirtualCenter Management Webservices
Use a browser and navigate to the URL of the vCenter (e.g., https://vcenter.peanuts.local) and verify the certificate is valid. Open the vSphere Client and verify all looks okay. After restarting the services, you will need to reconnect to the ESX/ESXi hosts and re-authenticate with root credentials on each server. This is because the SSL trust between the two has changed and a new trust relationship needs to be established. Another reason for a longer-term certificate!
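The whole procedure above, as an added example that is not part of the original post: a POSIX shell version of the OpenSSL steps, followed by the checks worth running before the new files replace the ones in the SSL directory. It assumes openssl is on PATH and an output directory you pass in, and it stands in for the Active Directory CA with a self-signed certificate; note that the CA’s Web Server template, not the -days value on the req command, is what sets the validity period of the issued certificate.

```shell
# Added example, not code from the original post: the post's OpenSSL steps run
# non-interactively, then the checks to run before copying files into the
# vCenter SSL directory. Assumes openssl is on PATH; the CA signing step is
# replaced by a self-signed stand-in (the post uses the AD CA Web Server template).
set -eu

# rui.key (2048-bit RSA, no passphrase) and rui.csr with the FQDN as common name.
# Note: -days on "req" is ignored for a CSR; the issuing CA decides the validity.
make_csr() {
    fqdn=$1; dir=$2
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/rui.key" \
        -subj "/C=US/ST=Georgia/O=Example/CN=$fqdn" -out "$dir/rui.csr" 2>/dev/null
}

# Stand-in for the CA so the checks below have a certificate to work on.
stand_in_sign() {
    dir=$1
    openssl x509 -req -in "$dir/rui.csr" -signkey "$dir/rui.key" -days 3650 \
        -out "$dir/rui.crt" 2>/dev/null
}

# rui.pfx: friendly name "rui" and password "testpassword" are what the bundled
# Tomcat's server.xml expects (see the pkcs12 comment in the post's thread).
make_pfx() {
    dir=$1
    openssl pkcs12 -export -in "$dir/rui.crt" -inkey "$dir/rui.key" -name rui \
        -passout pass:testpassword -out "$dir/rui.pfx"
}

# Pre-flight checks; returns non-zero on the first failure.
check_cert() {
    dir=$1; fqdn=$2; min_days=$3
    # 1. Common name must equal the vCenter FQDN (what XenDesktop validates).
    cn=$(openssl x509 -in "$dir/rui.crt" -noout -subject -nameopt RFC2253 |
         sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$fqdn" ] || { echo "CN '$cn' != '$fqdn'"; return 1; }
    # 2. Certificate must belong to the private key (compare RSA moduli).
    m1=$(openssl x509 -in "$dir/rui.crt" -noout -modulus)
    m2=$(openssl rsa -in "$dir/rui.key" -noout -modulus 2>/dev/null)
    [ "$m1" = "$m2" ] || { echo "rui.crt does not match rui.key"; return 1; }
    # 3. Must stay valid for at least min_days (the CA template sets this).
    openssl x509 -in "$dir/rui.crt" -noout -checkend $((min_days * 86400)) \
        >/dev/null || { echo "certificate expires within $min_days days"; return 1; }
    # 4. The PFX must open with the password Tomcat is configured for.
    openssl pkcs12 -in "$dir/rui.pfx" -passin pass:testpassword -noout 2>/dev/null ||
        { echo "rui.pfx not readable with testpassword"; return 1; }
}
```

In production, replace the stand-in signing step with the certsrv download described above and run check_cert against the downloaded rui.crt before stopping any services.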
Problems and Resolution
I’ll update the post with corrections, but with different configurations, we may run into different issues.
| Problem | Resolution |
| --- | --- |
| Web Service won’t restart with error: “One thing after this the webservice won’t start. In the log I found following error: vmware RSA_padding_check_PKCS1_type_2:block type is not 02” | See VMware KB article: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1003070. May require the account password for the database (assuming a database other than SQL Server Express). |
Tried these instructions on a vSphere 4.0 environment, running Server 2003 and neither of the services would start after replacing the default certificates – even after applying the fix at the bottom. Any ideas? Also, where is the log that will show what the error is? The windows application log is next to useless.
Sorry to hear about the problem. Hopefully you were able to revert back to the backed up certificate and restart the services. You can check …\VMware\Infrastructure\tomcat\logs for the web server log (assuming this is running under Tomcat).
My testing has only been with the local database running under the system account. How is your install configured? vCenter version, is it running under a VM, database setup details, etc. Feel free to ping me via email (details on the About Me page). I’ll try to help.
Run vpxd -p to reset the database password and it should start.
[...] vCenter 4.1 http://www.gavinadams.org/blog/2010/07/14/replacing-vcenter-4-1-ssl-certificate-with-active-director... [...]
[...] Adams has a good “how to” on replacing the vCenter Server SSL certificate. It might be worth a read if you are in a situation that requires a valid SSL certificate on your [...]
Worked perfectly for me thanks very much.
Windows 2008 R2 – VCenter and Active Directory Cert Authority
ESXi4.0
VCenter 4.1
I’ve spent hours on this issue with a vCenter instance using the embedded SQL Express database, and the “reset password” process creates a password that does not need to exist and then the web services stack will not restart cleanly. I seem to have resolved this by renaming the “3” registry key in the vCenter settings.
In the “openssl pkcs12” command, you must use “pass:testpassword”. Otherwise Tomcat fails with the symptom that Performance Overview charts won’t display in the vSphere Client. If you used a different password, you can edit C:\Program Files\VMware\Infrastructure\tomcat\conf\server.xml, changing “keystorePass=testpassword” to the password you actually used. Sometimes you really wonder “What were they thinking in VMware land?” Here’s another article on this issue from IBM: “unable to enable plug-ins in vCenter 4.0” at http://www-01.ibm.com/support/docview.wss?uid=isg3T1011813.
Hi! I have a problem when I try to change the certificate.
When I invoke the method “reloadSslCertificate”, SecurityManager shows: Method Invocation Result: vpx.fault.SecurityConfigFault. Can you help me with this?
I followed the PDF from VMware. This document says that we need to go to:
https:///mob/?moid=vpxd-securitymanager&vmodl=1
but I have an error there.
I recreated a new SSL cert and verified that it is working by going to the HTTPS site. The cert is correct and issued by our internal Windows CA. When I start up the VI Client I get a certificate error, and when I click on the View Certificate button it shows me the old self-signed certificate and not the new SSL certificate I created.
Not sure what I am missing here so that it shows the correct certificate. The proper vCenter services were restarted.
“I recreated a new SSL cert and verified that it is working by going to the HTTPS site. The cert is correct and issued by our internal Windows CA. When I start up the VI Client I get a certificate error, and when I click on the View Certificate button it shows me the old self-signed certificate and not the new SSL certificate I created.
Not sure what I am missing here so that it shows the correct certificate. The proper vCenter services were restarted.”
Hello Sean,
Did you manage to resolve this issue? I’m having the same problem and I was wondering if you could please help me with some hint. Thank you very much!
Florin Stroe
Hi, I did this in my lab and it worked perfectly; however, when I tried it on our production server I get an error when I run the openssl pkcs12 -export command. A popup appears saying that openssl.exe has stopped working – Problem signature:
Problem Event Name: APPCRASH
Application Name: openssl.exe
Application Version: 0.0.0.0
Application Timestamp: 48af1937
Fault Module Name: msvcrt.dll
Fault Module Version: 7.0.7600.16385
Fault Module Timestamp: 4a5bda6f
Exception Code: c0000005
Exception Offset: 00009b60
OS Version: 6.1.7601.2.1.0.272.7
Locale ID: 5129
Additional Information 1: 0a9e
Additional Information 2: 0a9e372d3b4ad19135b953a78882e789
Additional Information 3: 0a9e
Additional Information 4: 0a9e372d3b4ad19135b953a78882e789
Has anyone come across this and found a solution?
Thanks.