Print View

How to create a certificate for vCenter using OpenSSL and a Microsoft Certificate Authority


The default vCenter certificate can be replaced with a certificate issues by a Microsoft Certificate Authority, so that clients will trust the certificate, the common name will be valid, and the certificate has a vaild date.

When accessed by a fully qualified domain name that matches the Common Name of the certificate via a web browser, or via the VMware vSphere Client, the connection will be made without prompting with certificate errors.

This assumes there is a trusted root CA certificate already deployed to domain workstations.


Install OpenSSL 0.98

From an Administrative command prompt:
C:\OpenSSL\bin>openssl req -new -newkey rsa:1024 -nodes -keyout rui.key  -out rui.csr
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
writing new private key to 'rui.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:WA
Locality Name (eg, city) []:Perth
Organization Name (eg, company) [Internet Widgits Pty Ltd]:The Ether
Organizational Unit Name (eg, section) []:IT
Common Name (eg, YOUR name) []
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

From the internal Microsoft CA web site https://server/certsrv/

- Click Request a certificate
- Click advanced certificate request
- Click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file
- Paste the contents of the rui.csr file create above into Saved Request
- Select Web Server for Certificate Template
- Click Submit
- Select the Base 64 encoded radio button
- Click Download certificate

Save the certificate as rui.crt

Generate the PFX Certificate
C:\OpenSSL\bin>openssl pkcs12 -export -in rui.crt -inkey rui.key -name rui -passout pass:testpassword -out rui.pfx

Replace the VirtualCenter Certificates

- Stop the VirtualCenter Server service with the following command:
The following services are dependent on the VMware VirtualCenter Server service.

Stopping the VMware VirtualCenter Server service will also stop these services.

   VMware VirtualCenter Management Webservices

Do you want to continue this operation? (Y/N) [N]: y

The VMware VirtualCenter Management Webservices service was stopped successfully.

The VMware VirtualCenter Server service is stopping........
The VMware VirtualCenter Server service was stopped successfully.

- Rename the existing rui.key, rui.crt and rui.pfx files in C:\ProgramData\VMware\VMware VirtualCenter\SSL

- Copy the rui.key, rui.crt and rui.pfx files created above to C:\ProgramData\VMware\VMware VirtualCenter\SSL

- From a command prompt enter the following commands, password and verify password when prompted:
C:\>CD "C:\Program Files\VMware\Infrastructure\VirtualCenter Server"
C:\Program Files\VMware\Infrastructure\VirtualCenter Server>vpxd -p

[2010-11-11 12:42:20.869 04432 info 'App'] Current working directory: C:\Program Files\VMware\Infrastructure\VirtualCenter Server
[2010-11-11 12:42:20.869 04432 info 'App'] Log path: C:\ProgramData\VMware\VMware VirtualCenter\Logs
[2010-11-11 12:42:20.885 04432 info 'App'] Initializing SSL
[2010-11-11 12:42:20.885 04432 info 'Libs'] Using system libcrypto, version 9080CF
[2010-11-11 12:42:22.307 04432 info 'App'] Vmacore::InitSSL: doVersionCheck = true, handshakeTimeoutUs = 120000000
Enter new DB password:
[2010-11-11 12:42:53.042 04432 info 'App'] Reset DB password succeeded.

- Restart the vCenter Services:
The VMware VirtualCenter Server service is starting...
The VMware VirtualCenter Server service was started successfully.

The VMware VirtualCenter Management Webservices service is starting.
The VMware VirtualCenter Management Webservices service was started successfully.



OpenSSL for Windows

Replacing vCenter Server Certificates

Replacing VirtualCenter Server Certificates

How to create a self-signed certificate for VirtualCenter using OpenSSL


VMware vCenter Server 4.1

Created: 10th November 2010
Updated: 10th November 2010

Print View

© 2005-2024 Jamie Morrison