To generate SSL certificate keys and sign them with an internal root CA:
- Create the folder C:\temp\vcenter\oldssl and back up the old SSL keys.
- Create the folder C:\temp\vcenter\newssl to store the new SSL keys.
- Verify that the private key exists in C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL\rui.key.
- Copy all the files in C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL to the temporary location C:\temp\vcenter\oldssl.
- Run this command to generate the new RSA private key (2048 bit) and the certificate request:
Note: Ensure that the common name is the FQDN of the server.
c:\OpenSSL\bin\openssl.exe req -newkey rsa:2048 -keyout rui.key -nodes -days 3650 -out rui.csr
You see output similar to:
Loading 'screen' into random state - done
Generating a 2048 bit RSA private key
writing new private key to 'rui.key'
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:ONTARIO
Locality Name (eg, city) :Toronto
Organization Name (eg, company) [Internet Widgits Pty Ltd]:VMware
Organizational Unit Name (eg, section) :
Common Name (eg, YOUR name) :vcenter.maximum.local
Email Address :
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password :
An optional company name :
Note: Answer all the prompts in this output.
- Run the dir command to list the directory:
You see output similar to:
Volume in drive C has no label.
Volume Serial Number is 204A-99B1
Directory of C:\temp\vcenter\newssl
04/16/2010 03:50 PM .
04/16/2010 03:50 PM ..
04/16/2010 03:50 PM 1,024 .rnd
04/16/2010 03:49 PM 1,675 privkey.pem
04/16/2010 03:50 PM 1,679 rui.key
04/16/2010 03:50 PM 1,005 rui.cs
- From vCenter Server, open a web browser and browse to the certsrv URL for your Active Directory Certificate Authority.
- Select Request a certificate, Advanced certificate request, and then Submit a certificate using base-64.
- Paste the entire contents of the CSR (open it in Notepad) into the Saved Request box, select Web Server as the Certificate Template, and submit the request. The certificate gets signed.
- In the next page, select Base 64 encoded then click Download certificate.
- Save the certificate as rui.crt in c:\temp\vcenter\newssl.
- Run this command to create the PFX file from the private key and certificate:
c:\openssl\bin\openssl pkcs12 -export -in rui.crt -inkey rui.key -name rui -passout pass:testpassword -out rui.pfx
- Stop the VMware VirtualCenter Management Webservices and VMware VirtualCenter Server services.
  To stop these services:
  - Click Start > Run, type services.msc, and click OK. The Services window opens.
  - Right-click the service and click Stop.
- Copy all the files in the newssl directory to: C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL\, replacing the existing files in the directory.
- Re-enter the DB password when prompted. For more information, see VirtualCenter Server Fails to Start After You Replace Default SSL Certificates with Custom SSL Certificates (1003070).
- Restart the services in this order:
  - VMware VirtualCenter Server services
  - VMware VirtualCenter Management Webservices
- Use a browser and navigate to the URL of vCenter Server. For example, https://vcenter.maximum.local.
- Verify that the certificate is valid.
Note: After restarting the services, you must reconnect to the ESX/ESXi hosts and re-authenticate with root credentials on each server. This is because the SSL trust between the two has changed and a new trust relationship must be established.
Based on VMware KB 1023688