vCenter 4.0/4.1 VUM SSL Certificate How-To

Update 2/11/2011: VMware has re-published the article and limited the applicability to 4.1 U1 (released 2/10/2011), since it directs you to use the new VMware Update Manager Utility. The new procedure is easier to follow and uses a new tool that makes its debut in 4.1 U1. However, IMHO, it’s still inadequate. So I wrote up the full procedure for VUM 4.1 U1 here.

Update 1/6/2011: VMware has retracted the public KB article that I referenced. There is no new ETA on a revised public version. However, the VMware techie said the basic steps should not change, so you can still follow the steps below.

A little over a year ago I posted a “hack” to reconfigure vCenter VUM 4.0 for a trusted SSL certificate. At that time VMware had no official guidance, and only a couple of days ago did VMware release an official KB article. In addition, “Abe” left some good comments a couple of months ago on my old blog post that came from an internal VMware KB article. The official article closely mirrors Abe’s steps.

I have vCenter and VUM running on Server 2008 R2 and on the D drive, so just to come full circle I’ll pull from Abe’s comments and the KB article, substituting the different paths for my environment. It’s really mind-boggling that VMware doesn’t develop some simple GUI program that would create the certificate requests, then import them to ESXi hosts, vCenter, and VUM. The very complicated and time-consuming effort to update all of the SSL certificates is really frustrating. Microsoft and HP make it vastly easier to use trusted SSL certificates. VMware’s process is the most convoluted and complicated that I know of.

These instructions work for vCenter 4.0 and 4.1 GA, BTW. For 4.1 U1, see my blog post here.

1. First you need to generate the trusted SSL certificates. To do this, follow steps 1 – 9 in my blog post here.
2. Stop the VMware vCenter Update Manager service.
3. On your VUM server back up all the files in D:\Program Files (x86)\VMware\Infrastructure\Update Manager\SSL.
4. Copy rui.key, rui.crt, rui.pfx to the SSL directory in the previous step.
5. Open an elevated command prompt and CD to D:\Program Files (x86)\VMware\Infrastructure\Update Manager.
6. On one VERY long line type:

vciInstallUtils.exe -v localhost -p 80 -U {username} -P {password} -C "d:\Program Files (x86)\VMware\Infrastructure\Update Manager" -L "C:\Users\All Users\VMware\VMware Update Manager\Logs" -I "d:\Program Files (x86)\VMware\Infrastructure\Update Manager" --op install-keystore

7. Verify “Import and generation of certificate worked, install-keystore successful” is shown.
8. In the same command prompt type (as one line):

vciInstallUtils.exe -v localhost -p 80 -U {username} -P {password} -S "d:\Program Files (x86)\VMware\Infrastructure\Update Manager\extension.xml" -C "d:\Program Files (x86)\VMware\Infrastructure\Update Manager" -L "C:\Users\All Users\VMware\VMware Update Manager\Logs" --op extupdate

9. Verify “The extension registration succeeded” is shown.
10. Start the VMware vCenter Update Manager Service.
11. Close the vSphere client, if open. Launch the vSphere client and connect to vCenter.
12. From the home page click on vCenter Service Status and verify it is healthy.
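
A guarded way to carry out steps 2 to 4, as an added PowerShell example that is not part of the original post or of VMware's KB article. It refuses to overwrite anything unless the service is stopped and rui.pfx wraps the same, currently valid certificate as rui.crt. The source folder D:\certs is an assumption; the SSL path and service display name are the ones used on this page.

```powershell
# Added example: guarded version of steps 2-4. Not VMware's or the author's code.
param(
    # Assumption: folder holding the newly issued rui.key, rui.crt and rui.pfx.
    [string]$NewCertDir = 'D:\certs',
    # VUM SSL directory used on this page.
    [string]$SslDir = 'D:\Program Files (x86)\VMware\Infrastructure\Update Manager\SSL'
)
$ErrorActionPreference = 'Stop'
$names = 'rui.key', 'rui.crt', 'rui.pfx'

# Step 2: refuse to continue while the Update Manager service is still running.
$running = Get-Service -DisplayName 'VMware vCenter Update Manager*' |
    Where-Object { $_.Status -ne 'Stopped' }
if ($running) { throw 'Stop the VMware vCenter Update Manager service first.' }

# All three files must exist before anything is overwritten.
foreach ($n in $names) {
    if (-not (Test-Path (Join-Path $NewCertDir $n))) { throw "Missing $n in $NewCertDir" }
}

# Load the certificate and the PFX. The PFX password is prompted for as a
# SecureString so it never lands on a command line or in shell history.
$x509 = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
$crt = New-Object $x509 -ArgumentList (Join-Path $NewCertDir 'rui.crt')
$pw  = Read-Host 'Password for rui.pfx' -AsSecureString
$pfx = New-Object $x509 -ArgumentList (Join-Path $NewCertDir 'rui.pfx'), $pw

# rui.pfx must carry a private key and wrap the same certificate as rui.crt.
if (-not $pfx.HasPrivateKey) { throw 'rui.pfx contains no private key' }
if ($pfx.Thumbprint -ne $crt.Thumbprint) { throw 'rui.pfx and rui.crt are different certificates' }

# Reject a certificate that is expired or not yet valid.
$now = Get-Date
if ($now -lt $crt.NotBefore -or $now -gt $crt.NotAfter) {
    throw "rui.crt is only valid $($crt.NotBefore) to $($crt.NotAfter)"
}

# Step 3: timestamped backup of the current SSL directory, next to the original.
$backup = '{0}.bak-{1:yyyyMMdd-HHmmss}' -f $SslDir, $now
Copy-Item -Path $SslDir -Destination $backup -Recurse

# Step 4: install the new files. rui.key is copied as-is; this script does not parse it.
foreach ($n in $names) { Copy-Item (Join-Path $NewCertDir $n) -Destination $SslDir -Force }
Write-Host "Installed $($crt.Subject), thumbprint $($crt.Thumbprint); backup in $backup"
```

If a later step fails, copying the contents of the timestamped backup folder back into the SSL directory restores the previous certificate files.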

And there you have it! The official method to update your VUM SSL certificates. Again, why it took VMware this frigging long to tell customers how to do this is mind-blowing. In the DoD using trusted SSL certificates is a requirement, so the lack of official VMware guidance was a real problem. Now VMware needs to make it 10x easier and GUI driven. Maybe in vSphere 7.0.

3 Comments
December 20, 2010 4:15 pm

Anonymous,

I successfully used the same certificate files for vCenter and VUM, on the same server.

May 2, 2011 5:54 pm

For the first command line, there should be a space between the second mention of Program Files and (x86.
Also, with the second command if you copy and paste into Notepad/cmdline prior to making site-specific changes, the double quotes after the .xml are not registered as a closing argument identifier.

May 10, 2012 9:02 pm

Hi Derek,
Thanks so much for the “manual” SSL cert update using the CLI.
For some reason the previous admin didn’t install VUM Utility.exe.