Purpose
Resolution
Requirements
- You need to install Microsoft Visual C++ 2008 Redistributable Package (x86) before installing OpenSSL.
- You must also download and install Win32 OpenSSL v0.9.8r.
Notes:
- Only use the version mentioned above, as this is currently the only supported version.
- Ensure that Win32 OpenSSL is installed at c:\OpenSSL\bin\.
- Ensure that the root CA certificate is added to the Trusted Roots for the Computer Account on each machine that is used to connect to the vCenter Server.
- DNS is used for vCenter.
- vCenter Server is part of the domain and the domain administrator has access to it.
- You may need to specify the environment variable for OpenSSL if running it from a different directory than the one specified here. For example, running the command set OPENSSL_CONF=\openssl.conf specifies the path to the configuration file.
- Create the folder C:\temp\vcenter\oldssl and back up the old SSL keys.
- Create the folder C:\temp\vcenter\newssl to store the new SSL keys.
- Verify that the private key exists in C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL\rui.key.
- Copy all the files in C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL to the temporary location C:\temp\vcenter\oldssl.
- Run this command to generate the new RSA private key (2048 bit) and the certificate request:
Note: Ensure that the common name is the FQDN of the server.
c:\OpenSSL\bin\openssl.exe req -newkey rsa:2048 -keyout rui.key -nodes -days 3650 -out rui.csr
You see an output similar to:
Loading 'screen' into random state - done
Generating a 2048 bit RSA private key
.............................+++
......................................+++
writing new private key to 'rui.key'
-----
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:ONTARIO
Locality Name (eg, city) []:Toronto
Organization Name (eg, company) [Internet Widgits Pty Ltd]:VMware
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:vcenter.maximum.local
Email Address []:
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:
An optional company name []:
Note: Answer all the prompts in this output.
- Run the dir command to list the directory:
C:\temp\vcenter\newssl>dir
You see an output similar to:
Volume in drive C has no label.
Volume Serial Number is 204A-99B1
Directory of C:\temp\vcenter\newssl
04/16/2010 03:50 PM.
04/16/2010 03:50 PM..
04/16/2010 03:50 PM 1,024 .rnd
04/16/2010 03:49 PM 1,675 privkey.pem
04/16/2010 03:50 PM 1,679 rui.key
04/16/2010 03:50 PM 1,005 rui.csr
- From vCenter Server, open a web browser and browse to the certsrv URL for your Active Directory Certificate Authority.
- Select Request a certificate, Advanced certificate request, and then Submit a certificate using base-64.
- Paste the entire contents of the CSR (open in Notepad) in the Saved Request box and click Web Server for Certificate template. The certificate gets signed.
- In the next page, select Base 64 encoded then click Download certificate.
- Save the certificate as rui.crt in c:\temp\vcenter\newssl.
- Run this command to create the PFX file from the private key and certificate:
c:\openssl\bin\openssl pkcs12 -export -in rui.crt -inkey rui.key -name rui -passout pass:testpassword -out rui.pfx
- Stop the VMware VirtualCenter Management Webservices and VMware VirtualCenter Server services.
To stop these services:
- Click Start > Run, type services.msc, and click OK. The Services window opens.
- Right-click the service and click Stop.
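Before the new files go into the SSL directory, it is worth confirming that rui.key, rui.crt and the CA actually fit together; a mismatched key or a wrong Common Name is the usual reason vCenter fails to start or clients reject the certificate. The POSIX shell script below is an added example, not part of the KB, that runs those openssl checks and then builds the PFX the same way the pkcs12 step above does. It assumes openssl is on the PATH; the file name ca.crt for the root CA certificate and the throwaway test CA in make_fixture are constructed for this example (the openssl commands are the same ones run from c:\OpenSSL\bin on Windows).

```shell
#!/bin/sh
# Added pre-flight check for a replacement vCenter certificate set; not part of the KB.
# Assumes: openssl on PATH; DIR holds rui.key and rui.crt; CA is the issuing root CA cert (PEM).
set -eu

# vc_cert_check DIR FQDN CA: returns 0 only if the files in DIR are safe to copy into the SSL folder
vc_cert_check() {
  dir=$1; fqdn=$2; ca=$3
  # 1. The private key must be the one the CSR was generated from (compare RSA modulus hashes)
  key_md=$(openssl rsa -in "$dir/rui.key" -noout -modulus | openssl sha256)
  crt_md=$(openssl x509 -in "$dir/rui.crt" -noout -modulus | openssl sha256)
  [ "$key_md" = "$crt_md" ] || { echo "rui.key does not match rui.crt"; return 1; }
  # 2. The Common Name must be the server FQDN, otherwise clients reject the host name
  cn=$(openssl x509 -in "$dir/rui.crt" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  [ "$cn" = "$fqdn" ] || { echo "CN is '$cn', expected '$fqdn'"; return 1; }
  # 3. The certificate must chain to the root CA that the connecting machines trust
  openssl verify -CAfile "$ca" "$dir/rui.crt" | grep -q ': OK$' || { echo "chain does not verify"; return 1; }
  # 4. Do not install a certificate that expires within the next 30 days (2592000 s)
  openssl x509 -in "$dir/rui.crt" -noout -checkend 2592000 >/dev/null || { echo "expires within 30 days"; return 1; }
}

# vc_build_pfx DIR PASSWORD: the KB's pkcs12 step, producing DIR/rui.pfx
vc_build_pfx() {
  openssl pkcs12 -export -in "$1/rui.crt" -inkey "$1/rui.key" -name rui -passout "pass:$2" -out "$1/rui.pfx"
}

# make_fixture DIR FQDN: constructed test data (a throwaway root CA signing a server cert),
# so the check can be exercised offline without a real AD Certificate Authority
make_fixture() {
  dir=$1; fqdn=$2; mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -keyout "$dir/ca.key" -out "$dir/ca.crt" \
    -subj "/CN=Constructed Test Root CA" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout "$dir/rui.key" -out "$dir/rui.csr" \
    -subj "/C=CA/ST=ONTARIO/L=Toronto/O=VMware/CN=$fqdn" 2>/dev/null
  openssl x509 -req -in "$dir/rui.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -days 3650 -out "$dir/rui.crt" 2>/dev/null
}

# Stand-alone run: build the fixture, check it, then produce the PFX exactly as the KB does
if [ "${1:-}" = "demo" ]; then
  make_fixture /tmp/vc_newssl vcenter.maximum.local
  vc_cert_check /tmp/vc_newssl vcenter.maximum.local /tmp/vc_newssl/ca.crt && vc_build_pfx /tmp/vc_newssl testpassword
fi
```

Against a real request, skip make_fixture and point vc_cert_check at C:\temp\vcenter\newssl (or its copy) with the downloaded CA certificate; a non-zero exit names the check that failed.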
- Copy all the files in the newssl directory to: C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL\, replacing the existing files in the directory.
- Re-enter the DB password when prompted. For more information, see VirtualCenter Server Fails to Start After You Replace Default SSL Certificates with Custom SSL Certificates (1003070).
- Restart the services in this order:
- VMware VirtualCenter Server services
- VMware VirtualCenter Management Webservices
- Use a browser and navigate to the URL of vCenter Server. For example, https://vcenter.maximum.local.
- Verify if the certificate is valid.
Note: After restarting the services, you must reconnect to the ESX/ESXi hosts and re-authenticate with root credentials on each server. This is because the SSL trust between the two has changed and a new trust relationship must be established.
Based on VMware KB 1023688