VMware vCenter 4.0 Update Manager SSL Certificates

You can check out the improved and officially supported method here. This works for vCenter 4.0 and 4.1.

After a significant effort of research and trial and error, it appears I have gotten VMware Update Manager (VUM) 4.0 Update 1 to use SSL certificates generated from an internal Microsoft CA. This completes my quest to replace all SSL certificates that vCenter 4.0 U1 and ESXi 4.0 hosts use. This method is somewhat of a ‘hack’, but so far everything seems to be working well. I haven’t tried this with the gold release of vCenter Update Manager 4.0, so I can’t comment on whether this procedure works there or not.

In my scenario I have VUM installed on a separate server from vCenter. This is a recommended best practice in larger environments. But I’d think this method works equally well with vCenter and VUM co-located on the same server. In that case, you should be able to re-use the certificates you generated for your vCenter server since they have the same FQDN.

1. Read my article about vCenter SSL certificate generation.
2. Perform the exact same steps to generate a certificate (steps 1-9) but use the FQDN of the VUM server, if it’s on a dedicated server.
3. Find the SSL directory path for Update Manager on your system. In my case it’s located at:
D:\Program Files (x86)\VMware\Infrastructure\Update Manager\SSL
4. Compress all of the existing files in the SSL directory into a .ZIP for safe keeping.
5. Stop the VMware Update Manager Service.
6. Replace rui.crt, rui.key and rui.pfx with the new certificates.
7. De-Install VUM. Yes, remove it.
8. Re-install VUM using the exact same settings as your first install, and use the existing database.
9. Launch the vSphere client and open the vCenter Server Status window.
10. Verify everything has a green check, including all VMware Update Manager components.

If you see any errors about the health service, or get weird login errors when launching the vSphere Client, something is broken. The key to this whole process is de-installing and re-installing VUM. This resets some credentials, the thumbprint in the ADAM instance, and uses the new certificates you installed. VMware should really make this easier!

You should also be able to pre-position the SSL certificates into the proper directory prior to ANY VUM installation, and it will use them. That would avoid a de-install and re-install. Depending on your installation parameters and whether you are x86 or x64, the directory path will vary.
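Steps 3 to 6 above in PowerShell, with a consistency check on the new files before anything is replaced; the same check applies when pre-positioning the files ahead of a fresh install. This is an added example, not a script from the original article: the staging folder, FQDN and PFX password parameter are placeholders, the service is matched on the display name used in the steps, and PowerShell 5 or later is assumed.

```powershell
# Added example, not the article's own script. Assumptions: $NewCertDir, $VumFqdn and
# $PfxPassword are placeholders; the service is matched on the display name used above.
using namespace System.Security.Cryptography.X509Certificates
param(
    [string]$SslDir     = 'D:\Program Files (x86)\VMware\Infrastructure\Update Manager\SSL',
    [string]$NewCertDir = 'C:\Temp\vum-certs',       # hypothetical staging folder
    [string]$VumFqdn    = 'vum01.example.local',     # placeholder VUM server FQDN
    [Parameter(Mandatory = $true)][string]$PfxPassword
)
$ErrorActionPreference = 'Stop'
$files = 'rui.crt', 'rui.key', 'rui.pfx'

# All three replacement files must be present before anything is touched.
foreach ($f in $files) {
    if (-not (Test-Path (Join-Path $NewCertDir $f))) { throw "Missing $f in $NewCertDir" }
}

# Load the certificate and the PKCS#12 bundle, then check them against each other.
$crt = [X509Certificate2]::new((Join-Path $NewCertDir 'rui.crt'))
$pfx = [X509Certificate2]::new((Join-Path $NewCertDir 'rui.pfx'), $PfxPassword)
$dns = $crt.GetNameInfo([X509NameType]::DnsName, $false)
$now = Get-Date

$problems = @()
if ($dns -ne $VumFqdn)                   { $problems += "Certificate name '$dns' is not $VumFqdn" }
if ($now -lt $crt.NotBefore -or $now -gt $crt.NotAfter) {
    $problems += 'Certificate is outside its validity period'
}
if (-not $pfx.HasPrivateKey)             { $problems += 'rui.pfx holds no private key' }
if ($pfx.Thumbprint -ne $crt.Thumbprint) { $problems += 'rui.pfx and rui.crt are different certificates' }
# rui.key is only checked for a PEM private-key header; this does not prove it matches rui.crt.
$keyPath = Join-Path $NewCertDir 'rui.key'
if (-not (Select-String -LiteralPath $keyPath -Pattern 'BEGIN (RSA )?PRIVATE KEY' -Quiet)) {
    $problems += 'rui.key does not look like a PEM private key'
}
if ($problems) { throw ($problems -join '; ') }

# Step 4: zip the existing files. The archive holds the old private key, so keep it protected.
$zip = Join-Path (Split-Path $SslDir -Parent) ('SSL-backup-{0:yyyyMMdd-HHmmss}.zip' -f $now)
Compress-Archive -Path (Join-Path $SslDir '*') -DestinationPath $zip

# Step 5: stop the Update Manager service. Step 6: replace the three files.
Get-Service -DisplayName 'VMware*Update Manager*' | Stop-Service
foreach ($f in $files) { Copy-Item (Join-Path $NewCertDir $f) (Join-Path $SslDir $f) -Force }

"Replaced certificate files; new thumbprint $($crt.Thumbprint); backup at $zip"
```

The printed thumbprint is the value to compare against what the vSphere Client shows for the VUM server once the remaining steps are done.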

9 Comments
Anonymous
November 23, 2009 8:25 am

It seems to be a very complex task. I have a slightly different environment than you: 4 ESX (not ESXi) hosts, fresh 4.0 install, patched using VUM, with vCenter 4. Everything worked fine until I moved the vCenter to another server (different IP and hostname). Since then, I am not able to use VUM, probably resulting in the same certificate mess you had before. Now I upgraded vCenter to ver. 4U1. Hosts are still not at U1 stage because VUM is not working and I would like not to upgrade by booting from CD each host. Do you think I still need…

November 23, 2009 9:47 am

Hi Derek,

I’m wrestling with this one as well and encounter the following error while trying to reinstall Update Manager after removing it:

Error 25113.Setup failed to generate the JRE SSL keys.
Action ended 5:32:30: InstallFinalize. Return value 3.

Does this ring any bells at your end? FWIW, I’m currently working with the latest vCenter update 1 bits.

Regards,

Erwin Zoer

November 23, 2009 4:19 pm

Erwin, I didn’t get that error. The de-install, re-install process worked for me but it may be fragile and very system dependent.

Anonymous, if you moved vCenter to another host and it’s still using the old certificates, that could certainly cause a problem. I would connect to your vCenter web server and see what SSL certificate it’s using. The ADAM database that vCenter uses also stores SSL certificate information and FQDNs of the vCenter and VUM servers. I don’t know what the supported method is to migrate vCenter to a different host. If there’s not a public VMware document on…

Anonymous
September 14, 2010 10:13 am

I’ve been having issues even after following all steps mentioned in previous posts. I thought I’d post how I ended up getting this working to hopefully save someone else the trouble I went through.

First, my environment:
– Four ESXi hosts (ESXi 4.0.0 Build 256968)
– vCenter 4.0 Update 1 (Build 208111)
– VUM 4.0 Update 1
– vCenter is installed on W2K8 SP2 running SQL 2008 SP1

Solution:
1. Disconnect and remove all hosts from vCenter
2. Stop vCenter services.
3. Reset vCenter SQL database password by executing “vpxd.exe -p” from the vCenter installation directory.
4. Restart vCenter services.
5. Follow the procedure outlined in this blog to…

Abe
October 21, 2010 8:46 am

After seeing an internal VMware KB and modifying it a bit, here’s how I got it to work without reinstalling:

Configure vCenter Update Manager to use CA Issued SSL Certs on the vCenter Server for VUM

I have VMware installed to the D:\ modify to your needs:
Backup D:\VMware\Infrastructure\Update Manager\SSL to \Backup
Stop VMware vCenter Update Manager Service
Previously I created the certificate files with Open SSL as described above
Copy the rui.key, rui.crt and rui.pfx from C:\ProgramData\VMware\VMware VirtualCenter\SSL to D:\VMware\Infrastructure\Update Manager\SSL
Run the following commands from D:\VMware\Infrastructure\Update Manager\SSL using the local admin account and standard password
vciInstallUtils.exe -v localhost -p 80 -U admin -P -C…

Anonymous
November 24, 2011 8:29 am

I had this same issue when trying to run an upgrade install from VUM from VC 4.1 U1 to U2.
What worked for me is to wait until you get the “press next to complete the upgrade” and then stopping the VMware vCenter Update Manager Service. Then the upgrade install completed successfully.

Anonymous
December 8, 2011 1:59 am

Stopping the VMware vCenter Update Manager service while upgrading did the trick for me too!!
Thanks!!

Anonymous
January 20, 2012 5:28 am

For me too

Anonymous
March 15, 2012 7:43 am
Reply to  Anonymous

and me…