In the release notes of vCenter 4.0 Update 1 it mentions that the SSL thumbprint problem is solved. The bug in 4.0 caused various thumbprint entries buried deep in the ADAM LDAP database to not be updated when the certificates were replaced. That caused all kind of issues. Today I verified that vCenter 4.0 Update 1 solves the thumbprint problem.
Here’s the procedure I used to generate and install the vCenter certificates. Note that this doesn’t take care of the VUM SSL certificates. I’m still researching how to properly update those. Like my previous blog on updating ESXi SSL certificates, you need to install Open SSL. See this post, and follow the first three steps before proceeding.
- Execute: c:opensslbinopenssl req -new -nodes -out rui.csr
- At this point OpenSSL will prompt you for various parameters. Enter any information you wish, but make sure the Common Name is the FQDN of your vCenter server (.e.g. Q100VCTR01.contoso.net). Do not set a password.
- Use NotePad and copy the contents of rui.csr to the clipboard.
- Navigate to your Microsoft CA and select the option called something like “Submit a certificate request by using a base-64-encoded CMC….”
- On the Saved Request screen paste the contents of the clipboard, and change the certificate template to Web Server.
- Submit the request, then download the Base-64 encoded certificate (not the certificate chain). I saved the file as rui.cer into the c:OpenSSLCerts diretory.
- Rename privkey.pem rui.key
- Rename rui.cer (from step 6) to rui.crt
- Note in the following command you must use testpassword, not your own password. C:opensslbinopenssl pkcs12 -export -in rui.crt -inkey rui.key -name rui -passout pass:testpassword -out rui.pfx
- In Explorer cut and paste the appropriate path into the address bar:
Server 2008/R2:
C:UsersAll UsersApplication DatavmwareVMware VirtualCenterSSL
Server 2003/R2:
C:Documents and SettingsAll UsersApplication DataVMwareVMware VirtualCenterSSL
11. Highlight all files, right click, and Send to a Compressed Folder named backup keys.zip.
12. Stop the VMware Virtual Center Server service.
13. From the C:Opensslcerts directory copy rui.key, rui.crt and rui.pfx to the SSL directory shown above and overwrite all existing files.
14. Restart the VMware VirtualCenter Server and Vmware VirtualCenter Management WebServices services. Verify they start.
15. Browse to the HTTPS FQDN of the vCenter Server and verify the new certificate is being used.
You should update the vCenter SSL certificate PRIOR to creating any customization specifications. If you update the certificate afterwards, you will need to re-do your customization specifications since they rely on encryption parameters that get changed when you update the SSL certificate.
Hi Derek,
I was wondering whether or not you did not have to run ‘vpxd -p’ to reset the database password to make this work.
I’m currently working on an automated build of vCenter 4.0. update 1 and cannot get it to work without executing this step between 13 and 14.
I look forward to hearing from you.
Erwin Zoer
This guide has been very helpful. Thank you.
It would appear to me that you do not have to reset the password with “vpxd -p” if you are using VCenter with SQL Express. In our test environment with SQL Express we did not have to reset the password. In fact we are not sure how since there is no System DSN to even see what account VCenter is using.
I actually had to revert to a backup of the vCenter server after I ran ‘vpxd -p’ following the certificate update. While the vCenter services started, I could not [re]connect to any of the servers. I kept getting the following error: “Call “Datacenter.QueryConnectionInfo” for object “[VM Server]” on vCenter Server “[vCenter server]” failed. Perhaps there is a built-in password SQL Express uses, and when changed, vCenter could no longer connect to it? What password do you use when resetting it with ‘vpxd -p’? Anyway, once I reverted to the pre- ‘vpxd -p’ state of the vCenter server, the certificate upgrade… Read more »
I’d like to amplify on step 9, which states that in the “openssl pkcs12? command, you must use “pass:testpassword”. Otherwise Tomcat fails with the symptom that Performance Overview charts won’t display in the vSphere client. If you use a different password, you can edit C:\Program Files\VMware\Infrastructure\tomcat\conf\server.xml, changing “keystorPass=testpassword” to the password you actually used. Sometimes you really wonder “What were they thinking in VMware land?” Here’s another article on this issue from IBM: “unable to enable plug-ins in vCenter 4.0? at http://www-01.ibm.com/support/docview.wss?uid=isg3T1011813. Cheers, Jeff.
Just recently ran through this scenario and was looking at multiple write-ups about how to do this. I did the vpxd -p and it screwed up my connections to all of my vCenter hosts. After playing with it for hours I came to a very simple realization: vpxd -p must be run ONLY on environments that are using SQL authentication to the database. If you are using Windows/AD authentication to the database then running this command will cause it to try and use the password you enter every time it connects, which obviously breaks things. You can check your connection… Read more »