vCenter Server 4.0 SSL Certificate Generation

During the installation of VMware vCenter Server, the installer creates a self-signed certificate that is used to secure communications between the vCenter server, the web console, and VIC. Most organizations will want to replace it with a certificate from a trusted certificate authority. However, doing this is easier said than done. Hopefully the steps below are clear and easy to understand.

These instructions assume you have vCenter Server 4.0 installed and functioning on a Windows Server 2008 machine. Paths will be different on 2003.

1. Download OpenSSL here and install it on your vCenter Server. I chose the default directory of c:\openssl to make things easy.

2. I created a folder called ‘certs’ in c:\openssl to store all of the files we will be creating. I then ran the following command from that folder:

c:\openssl\bin\openssl req -new -nodes -out mycsr.csr

3. Answer the questions with your information and use the FQDN of your vCenter server as the ‘Common Name’. Don’t use a challenge password.

4. Submit the contents of the mycsr.csr file to your favorite CA and request a web server (SSL) certificate. If you use a Microsoft CA, download the certificate (only) as a base-64 encoded file. I saved the certificate as rui.cer in the c:\openssl\certs folder.

5. In the certs folder rename privkey.pem to rui.key and rename rui.cer to rui.crt.

6. Execute the following command (including the testpassword):

C:\openssl\bin\openssl pkcs12 -export -in rui.crt -inkey rui.key -name rui -passout pass:testpassword -out rui.pfx

7. In Explorer cut and paste the following path into the address bar (for 2008 only):
C:\Users\All Users\Application Data\vmware\VMware VirtualCenter\SSL

8. Highlight all of the files, right click, and Send to a Compressed Folder named BackupKeys.zip.

9. Stop the VMware VirtualCenter Server service.

10. From the c:\openssl\certs directory copy rui.key, rui.crt and rui.pfx to the SSL directory, overwriting all the existing files.

11. Restart the VMware VirtualCenter Server and VMware VirtualCenter Management WebServices services. Verify they restart.

12. Reboot your vCenter Server. Open IE, then navigate to https://<FQDN of your vCenter server>. Check the SSL certificate by clicking on the lock icon in the address bar and verify the certificate is the one issued by your CA.
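Before step 10 overwrites vCenter's SSL files, it is worth confirming that rui.crt and rui.key actually belong together and that the certificate's Common Name is the vCenter FQDN (step 3); a mismatch only shows up after the services restart. The script below is an added example, not from the original post; it assumes the openssl CLI is on PATH and uses the post's file names and testpassword, and it builds a throwaway self-signed pair so it can run offline.

```shell
#!/bin/sh
# Added pre-deployment check for the rui.* files from the steps above.
# Assumes: openssl on PATH; file names rui.key / rui.crt / rui.pfx as in the post.
set -e

# check_pair DIR FQDN: succeeds only if rui.crt and rui.key in DIR share the same
# RSA modulus (i.e. belong together) and the certificate CN equals FQDN.
check_pair() {
    dir="$1"; fqdn="$2"
    crt_mod=$(openssl x509 -noout -modulus -in "$dir/rui.crt" | openssl sha256)
    key_mod=$(openssl rsa  -noout -modulus -in "$dir/rui.key" | openssl sha256)
    [ "$crt_mod" = "$key_mod" ] || { echo "rui.crt does not match rui.key" >&2; return 1; }
    cn=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$dir/rui.crt" \
         | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$fqdn" ] || { echo "CN is '$cn', expected '$fqdn'" >&2; return 1; }
}

# build_pfx DIR: step 6 of the post, then read the bundle back with the same
# password so a bad export is caught here rather than by vCenter.
build_pfx() {
    dir="$1"
    openssl pkcs12 -export -in "$dir/rui.crt" -inkey "$dir/rui.key" -name rui \
        -passout pass:testpassword -out "$dir/rui.pfx"
    openssl pkcs12 -in "$dir/rui.pfx" -passin pass:testpassword -noout
}

# make_sample DIR FQDN: constructed stand-in for the CA-issued certificate
# (a self-signed pair) so the checks above can be exercised offline.
make_sample() {
    dir="$1"; fqdn="$2"
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 1 -subj "/CN=$fqdn" \
        -keyout "$dir/rui.key" -out "$dir/rui.crt" 2>/dev/null
}
```

Run `check_pair c:/openssl/certs vcenter.example.com` (with your FQDN) against the real CA-issued files before copying them into the SSL directory.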

Your new certificate is now protecting the vCenter Server. If you connect to vCenter with VIC you should not get an SSL warning. HOWEVER: If you have VMware Update Manager (VUM) installed, then when you launch VIC to connect to vCenter Server you will still get a warning about the SSL certificate, and if you view the details your new certificate is NOT being used.

Why? The reason for this is that VUM creates its own self-signed SSL certificates and the VUM client checks these SSL certificates when you launch VIC. Since they are self-signed, VIC will display a warning message just as if your vCenter certificates were self-signed. Stay tuned for a future blog on updating the VUM certificates.
