The release notes of vCenter 4.0 Update 1 mention that the SSL thumbprint problem is solved. The bug in 4.0 caused various thumbprint entries buried deep in the ADAM LDAP database to not be updated when the certificates were replaced. That caused all kinds of issues. Today I verified that vCenter 4.0 Update 1 solves the thumbprint problem.
Here’s the procedure I used to generate and install the vCenter certificates. Note that this doesn’t take care of the VUM SSL certificates. I’m still researching how to properly update those. As in my previous blog post on updating ESXi SSL certificates, you need to install OpenSSL. See this post, and follow the first three steps before proceeding.
1. Execute: c:\openssl\bin\openssl req -new -nodes -out rui.csr
2. At this point OpenSSL will prompt you for various parameters. Enter any information you wish, but make sure the Common Name is the FQDN of your vCenter server (e.g. Q100VCTR01.contoso.net). Do not set a password.
3. Use Notepad and copy the contents of rui.csr to the clipboard.
4. Navigate to your Microsoft CA and select the option called something like “Submit a certificate request by using a base-64-encoded CMC….”
5. On the Saved Request screen paste the contents of the clipboard, and change the certificate template to Web Server.
6. Submit the request, then download the Base-64 encoded certificate (not the certificate chain). I saved the file as rui.cer into the c:\OpenSSL\Certs directory.
7. Rename privkey.pem to rui.key
8. Rename rui.cer (from step 6) to rui.crt
9. Note in the following command you must use testpassword, not your own password. C:\openssl\bin\openssl pkcs12 -export -in rui.crt -inkey rui.key -name rui -passout pass:testpassword -out rui.pfx
10. In Explorer cut and paste the appropriate path into the address bar:
C:\Users\All Users\Application Data\vmware\VMware VirtualCenter\SSL
C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL
11. Highlight all files, right click, and Send to a Compressed Folder named backup keys.zip.
12. Stop the VMware VirtualCenter Server service.
13. From the C:\Openssl\certs directory copy rui.key, rui.crt and rui.pfx to the SSL directory shown above and overwrite all existing files.
14. Restart the VMware VirtualCenter Server and VMware VirtualCenter Management WebServices services. Verify they start.
15. Browse to the HTTPS FQDN of the vCenter Server and verify the new certificate is being used.
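A pre-flight check worth running after step 9 and before stopping the service in step 12, so a mismatched key or wrong Common Name is caught while the old certificate is still in place. This PowerShell script is an added example, not part of the original post; the function name Test-VcCertBundle is hypothetical, the paths and sample FQDN are taken from the steps above, and it assumes the default RSA key that openssl req generates.

```powershell
# Added example, not from the original post. Paths and FQDN are assumptions
# taken from the steps above; change them for your environment.
$CertDir      = 'C:\OpenSSL\Certs'
$OpenSsl      = 'C:\openssl\bin\openssl.exe'
$ExpectedFqdn = 'Q100VCTR01.contoso.net'   # sample name used in step 2

function Test-VcCertBundle {
    param([string]$CertDir, [string]$OpenSsl, [string]$ExpectedFqdn)
    $problems = @()
    $key = Join-Path $CertDir 'rui.key'
    $crt = Join-Path $CertDir 'rui.crt'
    $pfx = Join-Path $CertDir 'rui.pfx'
    foreach ($f in $key, $crt, $pfx) {
        if (-not (Test-Path $f)) { $problems += "missing file: $f" }
    }
    if ($problems.Count -gt 0) { return $problems }

    $x509 = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
    try {
        # rui.pfx must open with the password given in step 9.
        $bundle = New-Object $x509 -ArgumentList $pfx, 'testpassword'
        $cert   = New-Object $x509 -ArgumentList $crt
    } catch {
        return @("cannot load certificate files: $($_.Exception.Message)")
    }
    if (-not $bundle.HasPrivateKey) { $problems += 'rui.pfx has no private key' }
    if ($bundle.Thumbprint -ne $cert.Thumbprint) { $problems += 'rui.pfx was not built from rui.crt' }

    # Step 2: the Common Name must be the FQDN of the vCenter server.
    $cn = $cert.GetNameInfo('SimpleName', $false)
    if ($cn -ne $ExpectedFqdn) { $problems += "CN is '$cn', expected '$ExpectedFqdn'" }
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $problems += "certificate not valid now ($($cert.NotBefore) to $($cert.NotAfter))"
    }

    # rui.key must be unencrypted (step 2) and belong to the public key in rui.crt.
    $crtMod = (& $OpenSsl x509 -noout -modulus -in $crt | Out-String).Trim()
    $keyMod = (& $OpenSsl rsa -noout -modulus -passin pass: -in $key 2>$null | Out-String).Trim()
    if (-not $keyMod) {
        $problems += 'rui.key is unreadable or password-protected'
    } elseif ($crtMod -ne $keyMod) {
        $problems += 'rui.key does not match rui.crt'
    }
    return $problems
}

$result = @(Test-VcCertBundle $CertDir $OpenSsl $ExpectedFqdn)
if ($result.Count -eq 0) { 'OK: rui.key, rui.crt and rui.pfx are consistent' } else { $result }
```

Any line of output other than the OK message names a file to regenerate before continuing with step 11.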
You should update the vCenter SSL certificate PRIOR to creating any customization specifications. If you update the certificate afterwards, you will need to re-do your customization specifications since they rely on encryption parameters that get changed when you update the SSL certificate.