Ok, so we have now self signed our own SSL Certificate for the vCenter Server. Let's first look at the steps that we need to take in order to replace the SSL Certificate for the vCenter Server.
The procedure for replacing the SSL Certificates for VMware vCenter Server involves:
- Disconnect all ESX hosts that are being managed by the vCenter Server
- Stop the vCenter Server services
- Create a backup of the existing SSL Certificate files
- Replace the Existing SSL Certificate files with the new SSL Certificate files
- Reset the VMware vCenter Database Password
- Start the VMware vCenter Services
- Reconnect all ESX hosts managed by the vCenter Server
Ok, let's begin:
Disconnect all ESX hosts managed by the vCenter Server
In order to replace the SSL Certificates for a vCenter Server, all ESX hosts that are managed by that vCenter Server need to be disconnected from the vCenter Server.
Important: If multiple vCenter Servers are configured as Linked-Mode, it is only necessary to disconnect the ESX hosts that are being managed by the vCenter Server that is currently having its SSL Certificates replaced. There is no need to disconnect ESX hosts that are managed by other vCenter Servers in the Linked-Mode configuration. There is also no need to break the Linked-Mode configuration between the vCenter Servers. I have also seen posts on the community forums that suggest that you shut down all VMs running on all ESX hosts managed by the vCenter Server. This statement is not correct. There is no need to evacuate VMs from any ESX hosts.
Open the vSphere client and connect to the vCenter Server. Make sure that the "Hosts and Clusters" view is selected. Right-click on each ESX host in turn and click "Disconnect".
Stop the vCenter Server Services
Before we can replace the SSL Certificates we first need to stop the vCenter Server Services.
Open the Services Management Console (Start -> Run -> services.msc -> OK).
The Services Management Console opens. Scroll down and locate the following two services:
- VMware VirtualCenter Management Webservices
- VMware VirtualCenter Server
Right-click on the "VMware VirtualCenter Server" service and click "Stop".
A message will appear stating that when the VMware VirtualCenter Server stops, the VMware VirtualCenter Webservices service will also be stopped. Acknowledge the message by clicking "Yes".
Create a backup of the existing SSL Certificate files
Using Windows Explorer, browse to the following location on the vCenter Server:
C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL\
The directory will contain the following three files:
- rui.crt
- rui.key
- rui.pfx
Create a new folder called "Backup". Once the folder has been created, move the rui.crt, rui.key, rui.pfx files into the Backup folder.
Replace the existing SSL Certificate files with the new SSL Certificate files
Copy the new SSL files from the OpenSSL-Win32\Bin folder on the Certificate Authority Server to C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL\
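The backup and replace steps above can be scripted with a few sanity checks run first. The PowerShell below is an added example, not part of the original article; the staging folder C:\NewCerts, the FQDN vcenter.example.local and the PfxPassword parameter are assumptions, and it expects rui.crt to be a plain PEM or DER certificate.

```powershell
# Added example: validate the new files, then back up and replace the old ones.
# Run on the vCenter Server after the vCenter services have been stopped.
param(
    [string]$SslDir = 'C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL',
    [string]$NewDir = 'C:\NewCerts',              # assumption: local staging folder for the new files
    [string]$Fqdn   = 'vcenter.example.local',    # assumption: placeholder, use the real vCenter FQDN
    [string]$PfxPassword = ''                     # assumption: password chosen when rui.pfx was created
)
$ErrorActionPreference = 'Stop'
$files = 'rui.crt', 'rui.key', 'rui.pfx'

# Refuse to touch the files while vCenter is still running.
$svc = Get-Service -DisplayName 'VMware VirtualCenter Server'
if ($svc.Status -ne 'Stopped') { throw "Stop '$($svc.DisplayName)' before replacing certificates." }

# All three new files must be staged before anything is moved.
foreach ($f in $files) {
    if (-not (Test-Path (Join-Path $NewDir $f))) { throw "Missing $f in $NewDir" }
}

# Load the certificate from rui.crt and from rui.pfx (rui.key is not parsed here).
$type    = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
$crtPath = Join-Path $NewDir 'rui.crt'
$pfxPath = Join-Path $NewDir 'rui.pfx'
$crt = New-Object $type -ArgumentList $crtPath
$pfx = New-Object $type -ArgumentList $pfxPath, $PfxPassword

# Both files must hold the same certificate, and the PFX must include the private key.
if ($crt.Thumbprint -ne $pfx.Thumbprint) { throw 'rui.crt and rui.pfx contain different certificates.' }
if (-not $pfx.HasPrivateKey) { throw 'rui.pfx does not contain a private key.' }

# The certificate must be valid today and issued for the vCenter FQDN.
$now = Get-Date
if ($now -lt $crt.NotBefore -or $now -gt $crt.NotAfter) {
    throw "Certificate is only valid from $($crt.NotBefore) to $($crt.NotAfter)."
}
$name = $crt.GetNameInfo('DnsName', $false)       # first DNS name, or the subject CN
if ($name -ne $Fqdn) { throw "Certificate is issued to '$name', expected '$Fqdn'." }

# Back up the existing files, then copy the new ones into place.
$backup = Join-Path $SslDir 'Backup'
if (Test-Path $backup) { throw "$backup already exists; refusing to overwrite an earlier backup." }
New-Item -ItemType Directory -Path $backup | Out-Null
foreach ($f in $files) { Move-Item (Join-Path $SslDir $f) $backup }
foreach ($f in $files) { Copy-Item (Join-Path $NewDir $f) $SslDir }
Write-Host "Replaced certificate files; new thumbprint $($crt.Thumbprint)"
```

If any check fails the script stops before the existing files are moved, so the original certificate files stay in place.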
Reset the VMware vCenter Database Password
As the VMware vCenter database password has been encrypted using the original SSL Certificate when vCenter was installed, the vCenter Server Service will not be able to use the new SSL Certificate in order to decrypt the stored password. We therefore need to reset the vCenter database password and encrypt the password using the new SSL Certificate.
Open a new command prompt window and browse to the Program Files directory where VMware vCenter Server is installed. In the example below, vCenter Server is installed on a 64-bit operating system and is therefore installed at “D:\Program Files (x86)\VMware\Infrastructure\VirtualCenter Server\”, however the default installation path for vCenter Server when installed on a 32-bit operating system is “C:\Program Files\VMware\Infrastructure\VirtualCenter Server\”
To reset the password, type: "vpxd.exe -p" and press <Enter>. When prompted to enter a new DB password, enter a new password for the vCenter Database and press <Enter>. Enter the password again to verify the entry and press <Enter>. Confirm that "Reset DB password succeeded" is displayed.
Start the VMware vCenter Services
Go back to the Services Management Console and find the following two services:
- VMware VirtualCenter Management Webservices
- VMware VirtualCenter Server
Right-click on the "VMware VirtualCenter Server" service and click "Start".
Once the VMware VirtualCenter Server service has started, right-click on the VMware VirtualCenter Management Webservices and click "Start".
Once the steps above have been followed, the VMware vCenter Server will be using the new SSL certificates. Please bear in mind that the SSL certificate was signed for a specific host based on the host's FQDN. Therefore, in order to avoid being presented with an SSL certificate warning, the FQDN of the vCenter server should now be used when logging into vCenter with the vSphere client.