
Generating Domain Root CA signed certificates for vCenter Server


This article describes how to generate a new SSL key pair and certificate request for vCenter Server and have the certificate signed by an internal (domain) Root CA, so that all vCenter Server components continue to work with the replaced certificate.



  • You need to install Microsoft Visual C++ 2008 Redistributable Package (x86) before installing OpenSSL. 

  • You must also download and install Win32 OpenSSL v0.9.8r. 

    • Only use the version mentioned above, as this is currently the only supported version.
    • Ensure that Win32 OpenSSL is installed at c:\OpenSSL\bin\.
    • Ensure that the root CA certificate is added to the Trusted Roots for the Computer Account on each machine that is used to connect to the vCenter Server.
    • DNS is used for vCenter.
    • vCenter Server is part of the domain and the domain administrator has access to it.
    • You may need to specify the environment variable for OpenSSL if running it from a different directory than the one specified here. For example, running the command set OPENSSL_CONF=\openssl.conf specifies the path to the configuration file.
To generate the SSL key pair and have the certificate signed by an internal Root CA:
  1. Create the folder C:\temp\vcenter\oldssl and back up the old SSL keys.
  2. Create the folder C:\temp\vcenter\newssl to store the new SSL keys.
  3. Verify that the private key exists in C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL\rui.key.
  4. Copy all the files in C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL to the temporary location C:\temp\vcenter\oldssl.
  5. Run this command to generate the new RSA private key (2048 bit) and the certificate request:

    Note: Ensure that the common name is the FQDN of the server.

    c:\OpenSSL\bin\openssl.exe req -newkey rsa:2048 -keyout rui.key -nodes -days 3650 -out rui.csr

    You see an output similar to:

    Loading 'screen' into random state - done
    Generating a 2048 bit RSA private key
    writing new private key to 'rui.key'
    You are about to be asked to enter information that will be incorporated
     into your certificate request.

    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    Country Name (2 letter code) [AU]:CA
    State or Province Name (full name) [Some-State]:ONTARIO
    Locality Name (eg, city) []:Toronto
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:VMware
    Organizational Unit Name (eg, section) []:
    Common Name (eg, YOUR name) []:vcenter.maximum.local
    Email Address []:
    Please enter the following 'extra' attributes
     to be sent with your certificate request
    A challenge password []:
    An optional company name []:

    Note: Answer all the prompts in this output.

  6. Run the dir command to list the directory:

    You see an output similar to:

    Volume in drive C has no label.
    Volume Serial Number is 204A-99B1
    Directory of C:\temp\vcenter\newssl
    04/16/2010 03:50 PM .
    04/16/2010 03:50 PM ..
    04/16/2010 03:50 PM 1,024 .rnd
    04/16/2010 03:49 PM 1,675 privkey.pem
    04/16/2010 03:50 PM 1,679 rui.key
    04/16/2010 03:50 PM 1,005 rui.cs

  7. From vCenter Server, open a web browser and browse to the certsrv URL for your Active Directory Certificate Authority.
  8. Select Request a certificate > Advanced certificate request, and then Submit a certificate request using a base-64-encoded file.
  9. Paste the entire contents of the CSR (open in Notepad) in the Saved Request box and click Web Server for Certificate template. The certificate gets signed.
  10. In the next page, select Base 64 encoded then click Download certificate.
  11. Save the certificate as rui.crt in c:\temp\vcenter\newssl.
  12. Run this command to create the PFX file from the private key and certificate:

    c:\openssl\bin\openssl pkcs12 -export -in rui.crt -inkey rui.key -name rui -passout pass:testpassword -out rui.pfx

  13. Stop the VMware VirtualCenter Management Webservices and VMware VirtualCenter Server services.

    To stop these services:
    1. Click Start > Run, type services.msc, and click OK. The Services window opens.
    2. Right-click the service and click Stop.

  14. Copy all the files in the newssl directory to: C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL\, replacing the existing files in the directory.
  15. Re-enter the DB password when prompted. For more information, see VirtualCenter Server Fails to Start After You Replace Default SSL Certificates with Custom SSL Certificates (1003070).
  16. Restart the services in this order:
    • VMware VirtualCenter Server services
    • VMware VirtualCenter Management Webservices

  17. Use a browser and navigate to the URL of vCenter Server. For example, https://vcenter.maximum.local.
  18. Verify that the certificate is reported as valid.
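The procedure above is interactive and ends with a loosely defined "verify" step. The script below is an added example, not part of the VMware KB: it runs the same openssl steps non-interactively (key and CSR with the FQDN as CN and SAN, signing, PFX export) and then performs the checks a practitioner would actually want before copying the files into the SSL directory: the certificate matches the private key, it chains to the trusted root CA, and it names the FQDN. The AD CS step is replaced by a constructed lab root CA so the example runs offline; the FQDN, organisation, file names and passphrase are constructed stand-ins, and the openssl CLI is assumed to be on PATH.

```shell
#!/bin/sh
# Added example (not part of the VMware KB): the key, CSR, signing, PFX and
# verification steps, driven non-interactively with the openssl CLI.
# Assumptions: openssl is on PATH; the FQDN, organisation, lab root CA and
# PFX passphrase below are constructed stand-ins for your own values.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found on PATH" >&2; exit 1; }

WORK="${WORK:-$(mktemp -d)}"
FQDN="vcenter.example.local"   # constructed; use the vCenter Server FQDN

# Step 5 without prompts: CN and a DNS SAN both set to the FQDN.
make_csr() {
  cat > "$WORK/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $1
O = Example Lab
[ext]
subjectAltName = DNS:$1
EOF
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/rui.key" \
    -out "$WORK/rui.csr" -config "$WORK/req.cnf" 2>/dev/null
}

# Stand-in for steps 7-11: a constructed lab root CA signs the CSR with the
# server extensions a "Web Server" template would add.
make_lab_ca_and_sign() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -days 30 -subj "/CN=Example Lab Root CA" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$1" > "$WORK/sign.ext"
  openssl x509 -req -in "$WORK/rui.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -extfile "$WORK/sign.ext" -out "$WORK/rui.crt" 2>/dev/null
}

# Step 18 made concrete: succeed only if the certificate matches the private key,
# chains to the trusted root CA, and names the FQDN in both CN and SAN.
check_cert() {
  key="$1"; crt="$2"; ca="$3"; fqdn="$4"
  [ "$(openssl rsa -noout -modulus -in "$key" 2>/dev/null)" = \
    "$(openssl x509 -noout -modulus -in "$crt")" ] \
    || { echo "FAIL: private key does not match certificate" >&2; return 1; }
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
    || { echo "FAIL: certificate does not chain to $ca" >&2; return 1; }
  openssl x509 -noout -subject -in "$crt" | grep -q "CN *= *$fqdn" \
    || { echo "FAIL: subject CN is not $fqdn" >&2; return 1; }
  openssl x509 -noout -text -in "$crt" | grep -q "DNS:$fqdn" \
    || { echo "FAIL: no DNS SAN for $fqdn" >&2; return 1; }
  echo "OK: $crt is valid for $fqdn and signed by $ca"
}

# Step 12, with the passphrase passed through the environment instead of
# "-passout pass:...", which would show it in the process list; the bundle
# is then re-opened to confirm it is usable with that passphrase.
make_pfx() {
  PFX_PASS="$1" openssl pkcs12 -export -in "$WORK/rui.crt" -inkey "$WORK/rui.key" \
    -name rui -passout env:PFX_PASS -out "$WORK/rui.pfx"
  PFX_PASS="$1" openssl pkcs12 -in "$WORK/rui.pfx" -noout -passin env:PFX_PASS 2>/dev/null
}

make_csr "$FQDN"
make_lab_ca_and_sign "$FQDN"
check_cert "$WORK/rui.key" "$WORK/rui.crt" "$WORK/ca.crt" "$FQDN"
make_pfx "example-passphrase"   # constructed passphrase
echo "files written to $WORK"
```

In a real deployment, replace `make_lab_ca_and_sign` with the certsrv submission from steps 7-11 and point `check_cert` at the exported domain root CA certificate; if any of the four checks fails, do not copy the files into the vCenter SSL directory, because a mismatched key or an untrusted chain is exactly what stops the VirtualCenter services from starting cleanly.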

Note: After restarting the services, you must reconnect to the ESX/ESXi hosts and re-authenticate with root credentials on each server. This is because the SSL trust between the two has changed and a new trust relationship must be established.

Based on VMware KB 1023688
