SSL certificate replacement of vCenter Server 5.5 & components.
General Info:
SSL files which will be used in the process:
- .CRT - The actual certificate
- .CSR - Certificate Signing Request; this is what the CA needs in order to issue the actual certificate (.CRT)
- .PEM - Privacy Enhanced Mail; a Base-64 container that can hold a certificate, a chain, a key, etc.
- .KEY - A PEM-formatted file containing only the private key belonging to a specific certificate
There are seven separate components in vCenter Server 5.5 that use certificates to encrypt communication:
- SSO
- Inventory Service
- vCenter Server
- Web Client
- Log Browser
- Orchestrator
- Update Manager
Here is what we are gonna do:
- Download the SSL Automation tool
- Generate the CSR file
- Install & Configure Microsoft Certification Authority
- Generate the required certificates
- Generate the PEM files
- Edit the SSL automation tool configuration file
- Update certificates & trust
Before starting, confirm which certificates are currently in use so you can compare them with the new ones after the process is completed.
Download the SSL Automation tool
Version 5.5 of the tool is supported with vSphere 5.5
Download it from https://my.vmware.com/web/vmware/details?downloadGroup=SSLTOOL550&productId=353
Save the extracted folder on the C drive:
C:\ssl-certificate-updater-tool-1308332
Generate the CSR file
In the folder 'ssl-certificate-updater-tool-1308332' find the file 'ssl-environment.bat' > Right Click > Edit
Go to the section "The following parameters will be used to generate a CSR."
Fill in the fields below (the values shown are the ones used in this walkthrough):
################
set gen_cert_server_fqdn=55-SSL.rock.com
set gen_cert_server_ip=10.125.224.126
set gen_cert_server_short_name=55-SSL
set gen_cert_country=IN
set gen_cert_state=KAR
set gen_cert_locality_name=BLR
set gen_cert_organization_name=VMware
################
Leave 'gen_cert_organizational_unit_name' blank
Save the file
Open CMD in administrator mode
Browse to C:\ssl-certificate-updater-tool-1308332
Run ssl-updater.bat
Select option 2 to generate the certificate requests
I will be focusing on the main vCenter components
- SSO
- Inventory Service
- vCenter Server
- vSphere Web Client
If you are not sure of the FQDN the tool asks for, take it from the registry ('regedit')
All the CSR & KEY files are in C:\ssl-certificate-updater-tool-1308332\requests\
Create a folder 'c:\certs'
Copy/paste contents from C:\ssl-certificate-updater-tool-1308332\requests\ to c:\certs\
Rename the service folders to short, easy names (this walkthrough uses sso, inventory, vCenter, WebClient, LogBrowser, Orchestrator and UpdateManager)
Copy the c:\certs folder to the desktop of the Microsoft CA machine (the CA only needs the rui.csr files; the rui.key files never have to leave the vCenter machine)
Generate the required certificates
Note: Make sure the Microsoft CA is configured with a template for vCenter Server certificates - http://sslvc101.blogspot.in/p/blog-page.html
Log in to http://localhost/certsrv
Note: Use Internet Explorer (recommended); other browsers behave differently and produce a .CER file, which then has to be renamed to .CRT.
Click the 'Request a certificate' link.
Click 'advanced certificate request'.
Click the Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file link.
Open the certificate request in a plain text editor and paste the text from the Begin to the End request into the Saved Request box:
Note: Do not copy the actual -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST-----. Only copy the text in between these lines. You may see = (equal) signs near the Begin and End lines (for example, ==-----END). In this case, you must copy the = (equal) signs.
Select 'VMware SSL' as the Certificate Template.
Click Submit to submit the request.
Click Base 64 encoded on the Certificate issued screen.
Click the Download Certificate link.
Select 'Save As' > rui.crt in the appropriate c:\certs\<service> folder.
Repeat this for every vCenter component.
Generate Root64.cer
Copy the certs folder from vCenter machine to Microsoft CA machine
Get the Root64 cert
Navigate to the home page of the certificate server and click Download a CA certificate, certificate chain or CRL.
Click the Base 64 option.
Click the Download CA Certificate chain link.
Save the certificate chain as cachain.p7b in the c:\certs folder.
Double-click the cachain.p7b file and navigate to C:\certs\cachain.p7b > Certificates.
Right-click the certificate listed and click All Actions > Export.
Click Next.
Select Base-64 encoded X.509 (.CER), then click Next.
Save the export to C:\certs\Root64.cer and click Next.
Copy/merge the 'certs' folder back to the vCenter machine, into the C drive.
Confirm that the vCenter machine now has a folder c:\certs containing one folder per vCenter component, each with three files (rui.crt, rui.csr and rui.key), plus Root64.cer
Create the PEM files
Copy the folder back to the vCenter machine
Create a chain.pem for each service by opening a command prompt inside that service's folder and running:
copy /B rui.crt + C:\certs\root64.cer chain.pem
Note: If there is a subordinate CA in the certificate's certification path, concatenate the certificate, the subordinate CA certificate and the root CA certificate in that order instead:
copy /B rui.crt + C:\certs\root64-2.cer + C:\certs\root64-1.cer chain.pem
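The following is an added example, not code from the original post or from VMware's SSL Automation Tool. It does what the `copy /B` commands above do, but runs the checks a practitioner wants first: each service folder holds rui.crt, rui.csr and rui.key, every input is Base-64 (PEM) rather than a DER download, and the chain is written leaf, then intermediate(s), then root. The c:\certs layout and folder names follow the post; the sample file contents are constructed and are not real certificates.

```python
"""Build and sanity-check chain.pem for each vCenter service folder (added example)."""
import base64
import re
import tempfile
from pathlib import Path

# One PEM block: its label and the Base-64 body between the BEGIN/END markers.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
REQUIRED_FILES = ("rui.crt", "rui.csr", "rui.key")
# PKCS#1 'RSA PRIVATE KEY' and PKCS#8 'PRIVATE KEY' both end with the key label.
EXPECTED_LABEL = {"rui.crt": "CERTIFICATE",
                  "rui.csr": "CERTIFICATE REQUEST",
                  "rui.key": "PRIVATE KEY"}


def pem_blocks(data: bytes) -> list[tuple[str, bytes]]:
    """Return (label, DER bytes) for every PEM block; reject DER or marker-less files."""
    if data[:1] == b"\x30":  # DER always begins with a SEQUENCE tag
        raise ValueError("DER-encoded file; download it again as 'Base 64 encoded'")
    blocks = PEM_BLOCK.findall(data.decode("ascii", errors="replace"))
    if not blocks:
        raise ValueError("no -----BEGIN ...----- / -----END ...----- block found")
    return [(label, base64.b64decode(body)) for label, body in blocks]


def is_pem(data: bytes) -> bool:
    """True if data parses as one or more PEM blocks."""
    try:
        pem_blocks(data)
        return True
    except ValueError:
        return False


def check_service_folder(folder: Path) -> None:
    """Confirm the three tool-generated files exist and carry the expected PEM labels."""
    missing = [n for n in REQUIRED_FILES if not (folder / n).is_file()]
    if missing:
        raise FileNotFoundError(f"{folder}: missing {', '.join(missing)}")
    for name, want in EXPECTED_LABEL.items():
        labels = [label for label, _ in pem_blocks((folder / name).read_bytes())]
        if not any(label.endswith(want) for label in labels):
            raise ValueError(f"{folder / name}: expected a {want} block, found {labels}")


def build_chain(folder: Path, ca_certs: list[Path]) -> Path:
    """Write folder/chain.pem = rui.crt followed by ca_certs in the order given.

    Pass CA files leaf-side first, i.e. [subordinate CA, root CA], matching
    the post's `copy /B rui.crt + root64-2.cer + root64-1.cer chain.pem`.
    """
    check_service_folder(folder)
    parts = [(folder / "rui.crt").read_bytes()] + [p.read_bytes() for p in ca_certs]
    for part in parts:
        pem_blocks(part)  # fail before writing anything if an input is DER or malformed
    # copy /B joins raw bytes; a file with no trailing newline would glue its END
    # marker onto the next BEGIN marker, so make sure every part ends with one.
    out = folder / "chain.pem"
    out.write_bytes(b"".join(p if p.endswith(b"\n") else p + b"\n" for p in parts))
    return out


def chain_labels(chain: Path) -> list[str]:
    """Labels of the blocks in a chain file; a good chain is all CERTIFICATE, leaf first."""
    return [label for label, _ in pem_blocks(chain.read_bytes())]


def build_all(certs_root: Path, services: list[str], ca_certs: list[Path]) -> dict[str, int]:
    """Build chain.pem under certs_root/<service> for each service; return block counts."""
    return {svc: len(chain_labels(build_chain(certs_root / svc, ca_certs))) for svc in services}


def _pem(label: str, der: bytes) -> bytes:
    """Wrap constructed bytes in PEM markers (sample data, not a real certificate)."""
    return b"-----BEGIN %s-----\n%s-----END %s-----\n" % (
        label.encode(), base64.encodebytes(der), label.encode())


def make_sample_tree(subordinate_ca: bool = False) -> tuple[Path, list[Path]]:
    """Throwaway c:\\certs-style tree with constructed payloads, for trying the checks."""
    root = Path(tempfile.mkdtemp(prefix="certs-"))
    fake_der = b"\x30\x03\x02\x01\x01"  # a DER SEQUENCE, deliberately not an X.509 cert
    for svc in ("sso", "inventory", "vCenter", "WebClient"):
        (root / svc).mkdir()
        for name, label in EXPECTED_LABEL.items():
            (root / svc / name).write_bytes(_pem(label, fake_der))
    if subordinate_ca:  # root64-2 = issuing (subordinate) CA, root64-1 = root CA
        ca = [root / "root64-2.cer", root / "root64-1.cer"]
    else:
        ca = [root / "root64.cer"]
    for p in ca:
        p.write_bytes(_pem("CERTIFICATE", fake_der))
    return root, ca
```

On the real vCenter machine, call `build_all(Path(r"C:\certs"), ["sso", "inventory", "vCenter", "WebClient"], [Path(r"C:\certs\root64.cer")])` once the folders are in place; the DER check is there because a certificate downloaded with the "DER encoded" option selected on the certsrv page will not be accepted by the tool no matter what the file is renamed to.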
Edit the SSL automation tool configuration file
In the folder C:\ssl-certificate-updater-tool..., edit the ssl-environment.bat as follows:
set sso_cert_chain=C:\certs\sso\chain.pem
set sso_private_key=C:\certs\sso\rui.key
set sso_node_type=single
set sso_admin_is_behind_lb=
set sso_lb_certificate=
set sso_lb_hostname=
set is_cert_chain=C:\certs\inventory\chain.pem
set is_private_key_new=C:\certs\inventory\rui.key
set vc_cert_chain=C:\certs\vCenter\chain.pem
set vc_private_key=C:\certs\vCenter\rui.key
set ngc_cert_chain=C:\certs\WebClient\chain.pem
set ngc_private_key=C:\certs\WebClient\rui.key
set logbrowser_cert_chain=C:\certs\LogBrowser\chain.pem
set logbrowser_private_key=C:\certs\LogBrowser\rui.key
set vco_cert_chain=C:\certs\Orchestrator\chain.pem
set vco_private_key=C:\certs\Orchestrator\rui.key
set vum_cert_chain=C:\certs\UpdateManager\chain.pem
set vum_private_key=C:\certs\UpdateManager\rui.key
set sso_admin_user=administrator@vsphere.local
set vc_username=administrator@vsphere.local
set last_error=
set ROLLBACK_BACKUP_FOLDER=
set LOGS_FOLDER=
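Before running the updater it is worth confirming that every path in ssl-environment.bat points at an existing file of the right kind; a typo in a folder name, or a DER file where a PEM file is expected, only shows up later as a failure part-way through the update. The following is an added example, not code from the post or from VMware's tool: it parses the `set name=value` lines, pairs each service's cert chain with its private key, and reports what is wrong per service. The sample environment text and files are constructed here; on a real install read the text from the tool's ssl-environment.bat.

```python
"""Check the ssl-environment.bat paths before running ssl-updater.bat (added example)."""
import re
import tempfile
from pathlib import Path
from typing import Optional

SET_LINE = re.compile(r"^\s*set\s+([A-Za-z0-9_]+)=(.*?)\s*$", re.IGNORECASE)
PEM_LABEL = re.compile(r"-----BEGIN ([A-Z ]+)-----")
# Variable prefixes the tool uses for the seven services.
SERVICES = ("sso", "is", "vc", "ngc", "logbrowser", "vco", "vum")


def parse_env(text: str) -> dict[str, str]:
    """Variable -> value from the set lines; a later line wins, as in cmd."""
    env = {}
    for line in text.splitlines():
        m = SET_LINE.match(line)
        if m:
            env[m.group(1).lower()] = m.group(2).strip()
    return env


def run_together(env: dict[str, str]) -> list[str]:
    """Variables whose value is itself a 'set ...' statement, i.e. two sets on one line."""
    return sorted(name for name, value in env.items() if value.lower().startswith("set "))


def check_file(name: str, value: str, want: str) -> Optional[str]:
    """Problem description for one configured path, or None if it looks right."""
    if not value:
        return f"{name} is not set"
    path = Path(value)
    if not path.is_file():
        return f"{name}: {value} does not exist"
    labels = PEM_LABEL.findall(path.read_text(errors="replace"))
    if not labels:
        return f"{name}: {value} has no PEM block (DER file?)"
    if want == "CERTIFICATE" and not all(label == want for label in labels):
        return f"{name}: {value} contains non-certificate blocks {labels}"
    if want == "PRIVATE KEY" and not any(label.endswith(want) for label in labels):
        return f"{name}: {value} contains no private key"
    return None


def check_env(env: dict[str, str], services=SERVICES) -> dict[str, list[str]]:
    """Per service, the problems found (an empty list means that service is ready)."""
    result = {}
    for svc in services:
        # The Inventory Service key variable is named is_private_key_new in the tool's file.
        key_name = "is_private_key_new" if svc == "is" else f"{svc}_private_key"
        checks = [(f"{svc}_cert_chain", "CERTIFICATE"), (key_name, "PRIVATE KEY")]
        result[svc] = [p for p in (check_file(n, env.get(n, ""), w) for n, w in checks) if p]
    return result


def make_demo_env() -> dict[str, str]:
    """Constructed excerpt of ssl-environment.bat: sso complete, inventory folder missing."""
    root = Path(tempfile.mkdtemp(prefix="certs-"))
    (root / "sso").mkdir()
    cert = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"  # not a real cert
    (root / "sso" / "chain.pem").write_text(cert * 2)  # leaf + root
    (root / "sso" / "rui.key").write_text(
        "-----BEGIN RSA PRIVATE KEY-----\nMAMCAQE=\n-----END RSA PRIVATE KEY-----\n")
    text = f"""
set sso_cert_chain={root / 'sso' / 'chain.pem'}
set sso_private_key={root / 'sso' / 'rui.key'}
set sso_lb_certificate= set sso_lb_hostname=
set is_cert_chain={root / 'inventory' / 'chain.pem'}
set is_private_key_new={root / 'inventory' / 'rui.key'}
"""
    return parse_env(text)
```

`run_together` catches the case where two `set` statements have ended up on one line (cmd would then assign the second statement as the value of the first variable); `check_env(parse_env(Path(r"C:\ssl-certificate-updater-tool-1308332\ssl-environment.bat").read_text()), services=("sso", "is", "vc", "ngc"))` is the call for the four services this walkthrough updates.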
Update certificates & trust
Open CMD in administrator mode
Browse to C:\ssl-certificate-updater-tool...
Run ssl-updater.bat
Select 1 for 'Plan your steps to update SSL certificates'
Select the services you wish to update
Copy the steps the tool prints into Notepad and work through them
Check that the new certificates have been picked up
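One way to do the "before" and "after" comparison the walkthrough asks for is to record the SHA-1 thumbprint of whatever certificate each service actually presents on its TLS port, then diff the two snapshots and compare the served thumbprint with that of the rui.crt you installed. The following is an added example, not code from the post or from VMware's tool. Chain validation is deliberately off, since the point is to see the current (possibly self-signed) certificate; the host name and the port map are assumptions, the ports being the usual vCenter 5.5 defaults, so check them against your install.

```python
"""Snapshot the certificate each vCenter service presents and diff before/after (added example)."""
import base64
import hashlib
import json
import re
import ssl
from pathlib import Path

# Assumed default TLS ports for the four services this walkthrough updates.
SERVICE_PORTS = {"sso": 7444, "inventory": 10443, "vcenter": 443, "webclient": 9443}


def der_from_pem(pem: str) -> bytes:
    """Decode the first CERTIFICATE block of a PEM string to DER bytes."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block in input")
    return base64.b64decode(m.group(1))


def thumbprint(der: bytes) -> str:
    """SHA-1 thumbprint in the AA:BB:... form the vSphere clients display."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def thumbprint_from_pem(pem: str) -> str:
    return thumbprint(der_from_pem(pem))


def fetch_served_cert(host: str, port: int) -> str:
    """PEM of the leaf certificate the service presents; no chain verification."""
    return ssl.get_server_certificate((host, port))


def snapshot(host: str, ports: dict[str, int] = SERVICE_PORTS) -> dict[str, str]:
    """Service name -> thumbprint of the certificate currently served."""
    return {svc: thumbprint_from_pem(fetch_served_cert(host, port)) for svc, port in ports.items()}


def save_snapshot(snap: dict[str, str], path: Path) -> None:
    path.write_text(json.dumps(snap, indent=2, sort_keys=True))


def load_snapshot(path: Path) -> dict[str, str]:
    return json.loads(path.read_text())


def diff_snapshots(before: dict[str, str], after: dict[str, str]) -> dict[str, tuple[str, str]]:
    """Services whose served certificate changed, as service -> (old, new)."""
    return {svc: (before[svc], after[svc])
            for svc in before if svc in after and before[svc] != after[svc]}


def picked_up(served: dict[str, str], installed_pems: dict[str, str]) -> dict[str, bool]:
    """Per service: does the served thumbprint match the rui.crt you installed?"""
    return {svc: served.get(svc) == thumbprint_from_pem(pem) for svc, pem in installed_pems.items()}


if __name__ == "__main__":
    import sys
    host, label = sys.argv[1], sys.argv[2]  # e.g. 55-SSL.rock.com before|after
    snap = snapshot(host)
    save_snapshot(snap, Path(f"certs-{label}.json"))
    before_file = Path("certs-before.json")
    if label == "after" and before_file.is_file():
        print(json.dumps(diff_snapshots(load_snapshot(before_file), snap), indent=2))
```

Run it once with `before` at the start of the procedure and once with `after` at the end; every service you updated should appear in the diff, and `picked_up(snap, {"sso": Path(r"C:\certs\sso\rui.crt").read_text(), ...})` should be True for each of them. A service that is missing from the diff is one the updater did not restart or did not reconfigure.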
Comments:
Do you have a guide for replacing the ESXi certificate?
Reply: Derek Seaman's tool will do all that for you, including requesting the certs and replacing them on the ESX hosts: https://www.derekseaman.com/2013/10/vsphere-5-5-install-pt-8-mint-certificates.html
This worked great! The screenshots really helped!
Got the below error while updating the Inventory Service:
Last operation update Inventory Service SSL certificate failed :
openssl.exe Cannot generate Inventory Service rui.pfx - errorlevel is 1
Excellent post, Shobhit Mathur!!! I was able to fix the SSL certificate issue just by following your article. We were stuck at the VC upgrade because of the SSL cert issue. Now I have upgraded the VC to 6.5 from 5.5 with the help of your post. Even VMware suggested reinstalling the VC as there is no workaround and re
Thanks much, buddy...
Awesome blog, thank you very much. This helped me to update the certs successfully.