vCenter 5.1 SSL Pre-Staging Script

UPDATE 4/28/2013: VMware has released the vCenter Certificate Automation tool. This is a better tool for replacing the vCenter SSL certificates (post-install), and does not require pre-staging the certificates. Since this is an official tool, and does more than my pre-staging method, I strongly urge you to follow my refreshed vSphere 5.1 Update 1 instructions and use the VMware certificate tool instead of the script below.

Given the complexity and bugs with replacing the SSL certificates in vSphere 5.1, the method which seems to work pretty well is what I call vCenter 5.1 SSL pre-staging. In Part 2 of my vSphere 5.1 installation series, I show how to create the required SSL certificates. To make the installation a bit faster and less error prone, I wrote a super simple batch file that creates the required SSL directories and copies the certificates from Part 2 to the proper directories. You can then install the Inventory Service, vCenter, Web Client, and VUM with minimal fuss.

The batch file assumes the directory structure that I outlined in Part 2 is in place. Noteworthy is that the SSO service does not have a “default” directory for the SSL certificates, unlike the rest of the services. So I created one (see the first line in the batch file), which protects the SSO SSL certificates from getting messed with since configuration files point to their location. Thus using a “temp” location for the SSO SSL certificates is a bad idea, and will result in a broken install if/when those certificates are changed or deleted.

You can run the batch file after you complete Part 2, and before you proceed to any further sections. The SSO service still needs manual configuration for trusted SSL certs, but the rest of the services will automatically use the new certs.

After the batch file runs, you should see the rui.pfx, rui.key and rui.crt files in each of the SSL directories. You can proceed to Part 3 after you run the batch file.

mkdir c:\ProgramData\VMware\SingleSignOn\SSL
robocopy D:\Certs\SSO\ c:\ProgramData\VMware\SingleSignOn\SSL\ /XF rui.csr sso.cfg
copy D:\certs\Root64.cer C:\ProgramData\VMware\SingleSignOn\SSL\
mkdir "C:\ProgramData\VMware\Infrastructure\Inventory Service\ssl"
robocopy D:\Certs\Inventory\ "C:\ProgramData\VMware\Infrastructure\Inventory Service\ssl" /XF rui.csr inventory.cfg
mkdir "C:\ProgramData\VMware\VMware VirtualCenter\ssl"
robocopy D:\Certs\vCenter\ "C:\ProgramData\VMware\VMware VirtualCenter\ssl" /XF rui.csr vcenter.cfg
mkdir "C:\ProgramData\VMware\vSphere Web Client\ssl"
robocopy D:\Certs\WebClient\ "C:\ProgramData\VMware\vSphere web client\ssl" /XF rui.csr webclient.cfg
mkdir "C:\Program Files (x86)\VMware\Infrastructure\Update Manager\SSL"
robocopy D:\Certs\VUM\  "C:\Program Files (x86)\VMware\Infrastructure\Update Manager\SSL" /XF rui.csr vum.cfg
Buy me a coffee

Related Posts

Notify of
Newest Most Voted
Inline Feedbacks
View all comments
Derek Bannard
November 10, 2012 3:22 pm

Seems to be missing the ” /XF rui.csr vum.cfg” from the Update Manager portion.

Also the Log Browser SSL copy commands are missing.

November 18, 2012 2:48 pm

Hi Derek,

Do you know if you can pre-stage SSL certs for the other VMware products that use SSL, such as SRM, vCloud Director, Ops Manager?

Cheers….. =)

January 16, 2013 9:14 am

Any further incite on whether you can pre-stage the LogBrowser?

Reply to  AntonNoble2013

@anton: At this time I still have not tested pre-staging the LogBrowser.

February 3, 2013 3:55 pm

I looked on two different vCenter servers and cannot find a folder named “c:\ProgramData\VMware\SingleSignOn” on either system. Did I do something wrong twice during installation?

Reply to  Jeff Raimer

@Jeff: Probably not. That directory is not created by the VMware installers. You must create that yourself.