The default vCenter certificate can be replaced with a certificate issued by a Microsoft Certificate Authority, so that clients will trust the certificate, the Common Name will be valid, and the certificate will have a valid date range.
When accessed by a fully qualified domain name that matches the Common Name of the certificate via a web browser, or via the VMware vSphere Client, the connection will be made without prompting with certificate errors.
This assumes there is a trusted root CA certificate already deployed to domain workstations.
Install OpenSSL 0.98
From an Administrative command prompt:
C:\OpenSSL\bin>openssl req -new -newkey rsa:1024 -nodes -keyout rui.key -out rui.csr
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
............++++++
...++++++
writing new private key to 'rui.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:WA
Locality Name (eg, city) []:Perth
Organization Name (eg, company) [Internet Widgits Pty Ltd]:The Ether
Organizational Unit Name (eg, section) []:IT
Common Name (eg, YOUR name) []:vcenter.domain.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
From the internal Microsoft CA web site https://server/certsrv/
- Click Request a certificate
- Click advanced certificate request
- Click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file
- Paste the contents of the rui.csr file created above into Saved Request
- Select Web Server for Certificate Template
- Click Submit
- Select the Base 64 encoded radio button
- Click Download certificate
- Save the certificate as rui.crt
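Before copying the files into the SSL directory it is worth checking that the issued rui.crt actually belongs to rui.key, that its Common Name equals the FQDN clients will use, and that it is not about to expire. The script below is an added example (not part of the original post) using only the openssl command line; the make_test_pair function builds a constructed self-signed pair in place of the CA-issued certificate so the checks can be exercised offline.

```shell
#!/usr/bin/env bash
# Pre-flight checks for a vCenter rui.key / rui.crt pair.
# Added example; assumes the openssl binary is on the PATH.
set -u

# Return 0 when the public key in the certificate matches the private key.
# Catches the classic mistake of pairing a CA-issued rui.crt with a rui.key
# that was regenerated after the CSR was submitted.
key_matches_cert() {
  local key="$1" crt="$2" kmod cmod
  kmod=$(openssl rsa  -in "$key" -noout -modulus 2>/dev/null) || return 1
  cmod=$(openssl x509 -in "$crt" -noout -modulus 2>/dev/null) || return 1
  [ -n "$kmod" ] && [ "$kmod" = "$cmod" ]
}

# Return 0 when the certificate Common Name equals the FQDN clients connect to.
cn_matches_fqdn() {
  local crt="$1" fqdn="$2" cn
  cn=$(openssl x509 -in "$crt" -noout -subject -nameopt RFC2253 \
       | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  [ "$cn" = "$fqdn" ]
}

# Return 0 when the certificate remains valid for at least $2 more days.
valid_for_days() {
  local crt="$1" days="$2"
  openssl x509 -in "$crt" -noout -checkend $((days * 86400)) >/dev/null
}

# Constructed sample: a self-signed pair standing in for the CA-issued rui.crt.
# 2048-bit RSA is used here because most CAs now reject 1024-bit requests.
make_test_pair() {
  local dir="$1" fqdn="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$dir/rui.key" -out "$dir/rui.crt" \
    -subj "/C=AU/ST=WA/L=Perth/O=The Ether/OU=IT/CN=$fqdn" 2>/dev/null
}

# Usage against the real files (FQDN is the Common Name entered in the CSR):
#   key_matches_cert rui.key rui.crt && cn_matches_fqdn rui.crt vcenter.domain.com \
#     && valid_for_days rui.crt 30 && echo "rui.key/rui.crt ready to copy"
```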
Generate the PFX Certificate
C:\OpenSSL\bin>openssl pkcs12 -export -in rui.crt -inkey rui.key -name rui -passout pass:testpassword -out rui.pfx
Replace the VirtualCenter Certificates
- Stop the VirtualCenter Server service with the following command:
C:\>NET STOP VPXD
The following services are dependent on the VMware VirtualCenter Server service.
Stopping the VMware VirtualCenter Server service will also stop these services.
VMware VirtualCenter Management Webservices
Do you want to continue this operation? (Y/N) [N]: y
The VMware VirtualCenter Management Webservices service was stopped successfully.
The VMware VirtualCenter Server service is stopping........
The VMware VirtualCenter Server service was stopped successfully.
- Rename the existing rui.key, rui.crt and rui.pfx files in C:\ProgramData\VMware\VMware VirtualCenter\SSL
- Copy the rui.key, rui.crt and rui.pfx files created above to C:\ProgramData\VMware\VMware VirtualCenter\SSL
- From a command prompt enter the following commands, then type the database password and confirm it when prompted:
C:\>CD "C:\Program Files\VMware\Infrastructure\VirtualCenter Server"
C:\Program Files\VMware\Infrastructure\VirtualCenter Server>vpxd -p
[2010-11-11 12:42:20.869 04432 info 'App'] Current working directory: C:\Program Files\VMware\Infrastructure\VirtualCenter Server
[2010-11-11 12:42:20.869 04432 info 'App'] Log path: C:\ProgramData\VMware\VMware VirtualCenter\Logs
[2010-11-11 12:42:20.885 04432 info 'App'] Initializing SSL
[2010-11-11 12:42:20.885 04432 info 'Libs'] Using system libcrypto, version 9080CF
[2010-11-11 12:42:22.307 04432 info 'App'] Vmacore::InitSSL: doVersionCheck = true, handshakeTimeoutUs = 120000000
Enter new DB password:
again:
[2010-11-11 12:42:53.042 04432 info 'App'] Reset DB password succeeded.
- Restart the vCenter Services:
C:\>NET START VPXD
The VMware VirtualCenter Server service is starting...
The VMware VirtualCenter Server service was started successfully.
C:\>NET START VCTOMCAT
The VMware VirtualCenter Management Webservices service is starting.
The VMware VirtualCenter Management Webservices service was started successfully.