Replacing Default vCenter 5.1 and ESXi Certificates

vCenter Server 5.1.0
ESXi 5.1.0

This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.

EN-000980-04


You can find the most up-to-date technical documentation on the VMware Web site at:

http://www.vmware.com/support/

The VMware Web site also provides the latest product updates.

If you have comments about this documentation, submit your feedback to:

[email protected]

Copyright © 2009–2013 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents.

VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marksand names mentioned herein may be trademarks of their respective companies.

VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com


Contents

About vCenter and ESXi Certificates
    vCenter and ESXi SSL Certificate Requirements
    Managing ESXi and vCenter Server SSL Certificates
    Obtain and Configure Certificate Authorities Signed SSL Certificates
    Update the Certificate Trust Store for vCenter Server Components
    Troubleshooting vCenter Server Certificates


About vCenter and ESXi Certificates

vSphere encrypts session information using standard digital certificates. The default certificates that vSphere creates might not comply with the security policy of your organization. If you require a certificate from a trusted certificate authority, you can replace the default certificate.

Certificate checking is enabled by default and SSL certificates are used to encrypt network traffic. However, ESXi and vCenter Server use automatically generated certificates that are created as part of the installation process and stored on the server system. These certificates are unique and make it possible to begin using the server, but they are not verifiable and are not signed by a trusted, well-known certificate authority (CA). Because a client has no way to tell a default certificate from one that an attacker generated, these default certificates leave connections vulnerable to man-in-the-middle attacks.

To receive the full benefit of certificate checking, especially if you intend to use encrypted remote connections externally, install new certificates that are signed by a valid internal certificate authority or public key infrastructure (PKI) service. Alternatively, purchase a certificate from a trusted commercial security authority.

For information about encryption and securing your vSphere environment, see the vSphere Security documentation.

Intended Audience

This information is for anyone who wants to manage SSL certificates for vCenter components. The information is written for experienced Windows or Linux system administrators who are familiar with virtual machine technology and datacenter operations.

This chapter includes the following topics:

- “vCenter and ESXi SSL Certificate Requirements”
- “Managing ESXi and vCenter Server SSL Certificates”
- “Obtain and Configure Certificate Authorities Signed SSL Certificates”
- “Update the Certificate Trust Store for vCenter Server Components”
- “Troubleshooting vCenter Server Certificates”

vCenter and ESXi SSL Certificate Requirements

VMware products use standard X.509 version 3 (X.509v3) certificates to authenticate endpoints and establish the encrypted Secure Socket Layer (SSL) connections over which session information is sent between components.

For example, communications between a vCenter Server system and each ESXi host that it manages are encrypted. Some features, such as vSphere Fault Tolerance, require the certificate verification provided by SSL. The client verifies the authenticity of the certificate presented during the SSL handshake phase, before encryption begins, which protects against man-in-the-middle attacks.


Each vCenter Server system component, shown in the following list, must have a unique certificate.

- vCenter Inventory Service
- vCenter Single Sign-On
- vCenter Update Manager
- vCenter Server
- vSphere Web Client
- vCenter Log Browser

When you replace default vCenter and ESXi certificates, the certificates you obtain for your servers must be signed and must be in Privacy Enhanced Mail (PEM) format. PEM is a container format that stores Base-64 encoded Distinguished Encoding Rules (DER) data between BEGIN and END marker lines.

The key pair behind each certificate must be a standard RSA key with a length of 1024 to 2048 bits. Use 2048 bits, the recommended length; 1024-bit RSA keys are accepted by vSphere 5.1 but are no longer considered adequate.

Certificates signed by a commercial certificate authority, such as Entrust or VeriSign, are pre-trusted on the Windows operating system. However, if you replace a certificate with one signed by your own local root CA, or if you plan to continue using a default certificate, you must pre-trust the certificate by importing it into the local certificate store for each vSphere Client instance.

You must pre-trust all certificates that are signed by your own local root CA, unless you pre-trust the parent certificate, the root CA’s own certificate. You must also pre-trust any valid default certificates that you will continue to use on vCenter Server.

Managing ESXi and vCenter Server SSL Certificates

Certificate Authority (CA) signed SSL certificates for vSphere are required within many organizations to maintain proper security for regulatory requirements.

Prerequisites

Each vCenter Server component requires a unique certificate. Before you begin creating, installing, and replacing SSL certificates, be sure that your vSphere environment meets the following criteria.

- vSphere 5.1.0a or later
- All components for which you are managing certificates are installed
- OpenSSL (required). This document cites both OpenSSL 0.9.8 and OpenSSL 1.0.1c or later as prerequisites; use 1.0.1c or later.

The tasks in this document assume that you installed OpenSSL in the default directory (C:\OpenSSL-Win32). If you installed OpenSSL in a different directory, adjust the paths as needed.

Obtain and Configure Certificate Authorities Signed SSL Certificates

Obtain and configure SSL certificates and certificate requests needed to get CA-signed SSL certificates.

NOTE For better security, private keys should not leave the system for which they are created.

Because a private key should not leave the system for which it was created, the following are best practices when creating and obtaining certificates and generating requests.

- When you create OpenSSL configuration files, create them on the same system as the component whose certificate you are changing. This should be the same system on which the current certificate is located.

- When you generate certificate requests, generate them on the same system on which the corresponding component is located.


- When you get an SSL certificate, download the returned certificate from the CA (and its root) directly to the system on which the corresponding component resides, so that the certificate and its private key are together only on that system.

Procedure

1 Create the OpenSSL Configuration Files
Each of the six vCenter components requires a unique certificate. On the component for which you generate the certificates, create a folder in which you can store the certificates.

2 Get the SSL Certificate
After the certificate request is created, send the request to the certificate authority to generate the actual certificate. The authority returns a certificate and, if appropriate, a copy of the authority's root certificate.

3 Create the PFX Files
The rui.pfx file is a concatenation of the system’s certificate (rui.crt) and private key (rui.key), exported in the PFX format. The file is copied to the subdirectory on the vCenter Server system.

4 Create the JKS File
After the PFX files are created you can create the Java Keystore file (JKS) for use with the configuration.

5 Replacing Default vCenter and ESXi Certificates
Replacing default SSL certificates for vCenter Server and ESXi with CA signed SSL certificates helps ensure security.

Create the OpenSSL Configuration Files

Each of the six vCenter components requires a unique certificate. On the component for which you generate the certificates, create a folder in which you can store the certificates.

NOTE Each SSL certificate needs a unique Distinguished Name (DN). The following examples use the OrganizationalUnitName (OU) field to achieve this uniqueness, based on a configuration where all components are installed on the same server. If the services are on separate servers, they have a unique DN by default because the commonName differs.

For improved security, create the configuration files and generate the keys on the machine running the service.

Prerequisites

- You have a vSphere 5.1 environment.
- The environment has been pre-installed for all components for which you will be installing certificates.
- OpenSSL 1.0.1c or later has been installed in the default directory (C:\OpenSSL-Win32). If it has been installed elsewhere, substitute the alternate location appropriately.

Procedure

1 Create the OpenSSL Configuration File for the Inventory Service
2 Create the OpenSSL Configuration File for vCenter Single Sign-On
3 Create the OpenSSL Configuration File for vCenter Server
4 Create the OpenSSL Configuration File for the vSphere Web Client
5 Create the OpenSSL Configuration File for the VMware Log Browser
6 Create the OpenSSL Configuration File for vSphere Update Manager

Create the OpenSSL Configuration File for the Inventory Service

Procedure

1 On the machine running the Inventory Service, create a file in C:\certs named inventoryservice.cfg.

2 Add the required information to the configuration file.

Change the placeholder values (Country, State, City, Company Name, server.domain.com, ServerShortName, and ServerIPAddress) to match your environment.

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS: server.domain.com, DNS: ServerShortName, IP: ServerIPAddress

[ req_distinguished_name ]
countryName = Country
stateOrProvinceName = State
localityName = City
0.organizationName = Company Name
organizationalUnitName = vCenterInventoryService
commonName = server.domain.com

Because encrypt_key = no (and the -nodes option used in the next procedure) writes the private key to disk without a passphrase, restrict access to the C:\certs folder to administrators.

What to do next

Generate the Certificate Request.

Generate Certificate Request for Inventory Service

After you have configured OpenSSL, generate a certificate request.

Procedure

1 Open a command prompt on the machine running the Inventory Service and navigate to the OpenSSL directory.

By default, this directory is C:\OpenSSL-Win32\bin.

2 Run the following command to create the Inventory Service certificate request and export the private key.

openssl req -new -nodes -out c:\certs\rui.csr -keyout c:\certs\rui-orig.key -config c:\certs\inventoryservice.cfg


3 Convert the key to be in the proper RSA format for the Inventory Service.

openssl rsa -in c:\certs\rui-orig.key -out c:\certs\rui.key

The C:\certs directory now contains rui.csr and rui.key.

Create the OpenSSL Configuration File for vCenter Single Sign-On

Procedure

1 On the machine running Single Sign-On, create a file in C:\certs named sso.cfg.

2 Add the required information to the configuration file.

Change the placeholder values (Country, State, City, Company Name, server.domain.com, ServerShortName, and ServerIPAddress) to match your environment.

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS: server.domain.com, DNS: ServerShortName, IP: ServerIPAddress

[ req_distinguished_name ]
countryName = Country
stateOrProvinceName = State
localityName = City
0.organizationName = Company Name
organizationalUnitName = vCenterSSO
commonName = server.domain.com

What to do next

Generate the certificate request.

Generate Certificate Requests for Single Sign-On

After you have configured OpenSSL, generate a certificate request for Single Sign-On.

Procedure

1 On the machine running Single Sign-On, open a command prompt and navigate to the OpenSSL directory.

By default, this directory is in C:\OpenSSL-Win32\bin.


2 Run the following command to create the Single Sign-On certificate request and export the private key.

openssl req -new -nodes -out c:\certs\rui.csr -keyout c:\certs\rui-orig.key -config c:\certs\sso.cfg

3 Convert the key to be in the proper RSA format for Single Sign-On.

openssl rsa -in c:\certs\rui-orig.key -out c:\certs\rui.key

The C:\certs directory on the Single Sign-On machine now contains rui.csr and rui.key.

Create the OpenSSL Configuration File for vCenter Server

Procedure

1 On the machine running vCenter Server, create a file in C:\certs named vcenter.cfg.

2 Add the required information to the configuration file.

Change the placeholder values (Country, State, City, Company Name, server.domain.com, ServerShortName, and ServerIPAddress) to match your environment.

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS: server.domain.com, DNS: ServerShortName, IP: ServerIPAddress

[ req_distinguished_name ]
countryName = Country
stateOrProvinceName = State
localityName = City
0.organizationName = Company Name
organizationalUnitName = vCenterServer
commonName = server.domain.com

What to do next

Generate the certificate request.


Generate Certificate Requests for vCenter Server

After you have configured OpenSSL, generate a certificate request for vCenter Server.

Procedure

1 On the machine running vCenter Server, open a command prompt and navigate to the OpenSSL directory.

By default, this directory is C:\OpenSSL-Win32\bin.

2 Run the following command to create the vCenter Server certificate request and export the private key.

openssl req -new -nodes -out c:\certs\rui.csr -keyout c:\certs\rui-orig.key -config c:\certs\vcenter.cfg

3 Convert the key to be in the proper RSA format for vCenter Server.

openssl rsa -in c:\certs\rui-orig.key -out c:\certs\rui.key

The C:\certs directory on the vCenter Server machine now contains rui.csr and rui.key.

Create the OpenSSL Configuration File for the vSphere Web Client

Procedure

1 On the machine running the vSphere Web Client, create a file in C:\certs named webclient.cfg.

2 Add the required information to the configuration file.

Change the placeholder values (Country, State, City, Company Name, server.domain.com, ServerShortName, and ServerIPAddress) to match your environment.

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS: server.domain.com, DNS: ServerShortName, IP: ServerIPAddress

[ req_distinguished_name ]
countryName = Country
stateOrProvinceName = State
localityName = City
0.organizationName = Company Name
organizationalUnitName = vCenterWebClient
commonName = server.domain.com

What to do next

Create the certificate request.


Generate Certificate Requests for the vSphere Web Client

After you have configured OpenSSL, generate a certificate request for the vSphere Web Client.

Procedure

1 On the machine running the vSphere Web Client, open a command prompt and navigate to the OpenSSL directory.

By default, this directory is C:\OpenSSL-Win32\bin.

2 Run the following command to create the vSphere Web Client certificate request and export the private key.

openssl req -new -nodes -out c:\certs\rui.csr -keyout c:\certs\rui-orig.key -config c:\certs\webclient.cfg

3 Convert the key to be in the proper RSA format for the vSphere Web Client.

openssl rsa -in c:\certs\rui-orig.key -out c:\certs\rui.key

The C:\certs directory on the vSphere Web Client machine now contains rui.csr and rui.key.

Create the OpenSSL Configuration File for the VMware Log Browser

Procedure

1 On the machine running the VMware Log Browser, create a file in C:\certs named LogBrowser.cfg.

2 Add the required information to the configuration file.

Change the placeholder values (Country, State, City, Company Name, server.domain.com, ServerShortName, and ServerIPAddress) to match your environment.

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS: server.domain.com, DNS: ServerShortName, IP: ServerIPAddress

[ req_distinguished_name ]
countryName = Country
stateOrProvinceName = State
localityName = City
0.organizationName = Company Name
organizationalUnitName = vCenterLogBrowser
commonName = server.domain.com


What to do next

Generate the certificate request.

Generate Certificate Requests for the Log Browser

After you have configured OpenSSL, generate a certificate request for the Log Browser.

Procedure

1 On the machine running the Log Browser, open a command prompt and navigate to the OpenSSL directory.

By default, this directory is C:\OpenSSL-Win32\bin.

2 Run the following command to create the Log Browser certificate request and export the private key.

openssl req -new -nodes -out c:\certs\rui.csr -keyout c:\certs\rui-orig.key -config c:\certs\LogBrowser.cfg

3 Convert the key to be in the proper RSA format for the Log Browser.

openssl rsa -in c:\certs\rui-orig.key -out c:\certs\rui.key

The C:\certs directory on the Log Browser machine now contains rui.csr and rui.key.

Create the OpenSSL Configuration File for vSphere Update Manager

Procedure

1 On the machine running vSphere Update Manager, create a file in C:\certs named UpdateManager.cfg.

2 Add the required information to the configuration file.

Change the placeholder values (Country, State, City, Company Name, server.domain.com, ServerShortName, and ServerIPAddress) to match your environment.

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS: server.domain.com, DNS: ServerShortName, IP: ServerIPAddress

[ req_distinguished_name ]
countryName = Country
stateOrProvinceName = State
localityName = City
0.organizationName = Company Name
organizationalUnitName = VMwareUpdateManager
commonName = server.domain.com


What to do next

Generate the certificate requests.

Generate Certificate Requests

After you have configured OpenSSL, generate a certificate request for each component. This procedure assumes that each component's configuration file is stored in its own subdirectory of C:\certs (for example, C:\certs\InventoryService\inventoryservice.cfg) and that the CSR and key for that component are written to the same subdirectory. If you followed the per-component procedures above, which store the files directly in C:\certs on each machine, adjust the paths accordingly.

Prerequisites

- Verify that you created and configured the required OpenSSL configuration files.
- You have a vSphere 5.1 environment.
- The environment has been pre-installed for all components for which you will be installing certificates.
- OpenSSL v1.0.1c (or later) package has been installed in the default directory (C:\OpenSSL-Win32). If it has been installed elsewhere, substitute the alternate location appropriately.

Procedure

1 Open a command prompt and navigate to the OpenSSL directory.

By default, this directory is in C:\OpenSSL-Win32\bin.

2 Run the following command to create the Inventory Service certificate request and export the private key.

openssl req -new -nodes -out c:\certs\InventoryService\rui.csr -keyout c:\certs\InventoryService\rui-orig.key -config c:\certs\InventoryService\inventoryservice.cfg

3 Convert the key to be in the proper RSA format for the Inventory Service.

openssl rsa -in c:\certs\InventoryService\rui-orig.key -out c:\certs\InventoryService\rui.key

4 Run the following commands to create the vCenter Single Sign-On certificate request, export the private key, and convert the key to RSA format.

openssl req -new -nodes -out c:\certs\sso\rui.csr -keyout c:\certs\sso\rui-orig.key -config c:\certs\sso\sso.cfg
openssl rsa -in c:\certs\sso\rui-orig.key -out c:\certs\sso\rui.key

5 Run the following commands to create the vCenter Server certificate request, export the private key, and convert the key to RSA format.

openssl req -new -nodes -out c:\certs\vCenter\rui.csr -keyout c:\certs\vCenter\rui-orig.key -config c:\certs\vCenter\vcenter.cfg
openssl rsa -in c:\certs\vCenter\rui-orig.key -out c:\certs\vCenter\rui.key

6 Run the following commands to create the vSphere Web Client certificate request, export the private key, and convert the key to RSA format.

openssl req -new -nodes -out c:\certs\WebClient\rui.csr -keyout c:\certs\WebClient\rui-orig.key -config c:\certs\WebClient\webclient.cfg
openssl rsa -in c:\certs\WebClient\rui-orig.key -out c:\certs\WebClient\rui.key


7 Run the following commands to create the vSphere Log Browser certificate request, export the private key, and convert the key to RSA format.

openssl req -new -nodes -out c:\certs\LogBrowser\rui.csr -keyout c:\certs\LogBrowser\rui-orig.key -config c:\certs\LogBrowser\logbrowser.cfg
openssl rsa -in c:\certs\LogBrowser\rui-orig.key -out c:\certs\LogBrowser\rui.key

8 Run the following commands to create the vSphere Update Manager certificate request, export the private key, and convert the key to RSA format.

openssl req -new -nodes -out c:\certs\UpdateManager\rui.csr -keyout c:\certs\UpdateManager\rui-orig.key -config c:\certs\UpdateManager\updatemanager.cfg
openssl rsa -in c:\certs\UpdateManager\rui-orig.key -out c:\certs\UpdateManager\rui.key

Each configuration subdirectory now contains rui.csr and rui.key.

What to do next

Get the certificate from the signing Certificate Authority.

Get the SSL Certificate

After the certificate request is created, send the request to the certificate authority to generate the actual certificate. The authority returns a certificate and, if appropriate, a copy of the authority's root certificate.

Prerequisites

Each system on which a component resides must hold the certificate request for that component, generated on that system.

For example, in a deployment that contains both vCenter Single Sign-On and a vCenter Server, you should have a certificate request for vCenter Single Sign-On on the machine where Single Sign-On is located, and a separate certificate request for the vCenter Server on the machine on which vCenter Server resides.

Procedure

If you use a commercial Certificate Authority, submit the request to the Certificate Authority.

a Send the rui.csr file to the appropriate certificate authority.

b After the authority sends your generated certificate, install the root certificate onto the vCenter Server.

c Repeat these steps for each certificate request that you generated.

If you use Microsoft CA (2003 or later), submit the request through the CA Web enrollment pages.

NOTE Based on the requirements of the key, ensure that the Web Server template has been copied to allow for encryption of user data. In the template, select Certificate Manager > Extensions > Key Usage > Allow encryption of user data before you generate the request.

a Browse to your Microsoft Certificate Authority Web site, and select Request a Certificate.

b Select Advanced Certificate Request and select Submit a certificate request using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

c Open the rui.csr file with a text editor, copy the contents of the file (including the beginning and ending tags), and paste the contents of the rui.csr file into the Saved Request area.


d Select the Certificate Template as the Web Server template and click Submit.

The Web Server template includes Subject Alternative Names (required for vCenter Server, optional for ESXi). You might have to modify the template to include this parameter.

e Select Download Certificate and save the certificate as rui.crt in the appropriate c:\certs\service folder.

f Repeat steps a. through e. for each certificate request that you generated.

g Navigate back to the home page of the certificate server and click Download a CA certificate, certificate chain or CRL.

h Select the Base 64 option, and select Download CA Certificate chain.

i Save the certificate chain as cachain.p7b in the c:\certs folder on the system where it will be used to change from the existing SSL certificate.

j Double-click the cachain.p7b file, and navigate to C:\certs\cachain.p7b\Certificates.

k Right-click the certificate listed, select All Actions > Export, and click Next.

l Select Base-64 encoded X.509 (.CER), and click Next.

m Save the export at C:\certs\Root64.cer and click Next.

n Click Finish.

o Double-click the rui.crt file and validate that the proper alternative names and subjects are in each certificate. If the CA issued the certificate without the requested subjectAltName entries, clients will fail hostname verification, so check this before proceeding.

When complete, the certificates are generated and you have the rui.key and rui.crt for each service and the Root64.cer root certificate.

What to do next

Create the PFX for each component.

Create the PFX Files

The rui.pfx file is a concatenation of the system’s certificate (rui.crt) and private key (rui.key), exported in the PFX format. The file is copied to the subdirectory on the vCenter Server system.

Personal Information Exchange Format (PFX) enables transfer of certificates and their private keys from one computer to another or to removable media. The Microsoft Windows CryptoAPI uses the PFX format, also known as PKCS #12.

Procedure

1 On the system where you generated the certificate-signing request, open a command prompt in the OpenSSL directory (by default C:\OpenSSL-Win32\bin) and type the following command to create the rui.pfx file for the Inventory Service.

openssl pkcs12 -export -in c:\certs\InventoryService\rui.crt -inkey c:\certs\InventoryService\rui.key -certfile c:\certs\Root64.cer -name "rui" -passout pass:testpassword -out c:\certs\InventoryService\rui.pfx

IMPORTANT You must use the password testpassword. Because this password is fixed and publicly documented, it provides no confidentiality for the private key; protect the rui.pfx file and the C:\certs folder with file system permissions instead.

2 On the machine running Single Sign-On, type the following command to create the rui.pfx file.

openssl pkcs12 -export -in c:\certs\rui.crt -inkey c:\certs\rui.key -certfile c:\certs\Root64.cer -name "rui" -passout pass:testpassword -out c:\certs\rui.pfx


3 On the machine running vCenter Server, type the following command to create the rui.pfx file.

openssl pkcs12 -export -in c:\certs\rui.crt -inkey c:\certs\rui.key -certfile c:\certs\Root64.cer -name "rui" -passout pass:testpassword -out c:\certs\rui.pfx

4 On the machine running the vSphere Web Client, type the following command to create the rui.pfx file.

openssl pkcs12 -export -in c:\certs\rui.crt -inkey c:\certs\rui.key -certfile c:\certs\Root64.cer -name "rui" -passout pass:testpassword -out c:\certs\rui.pfx

5 On the machine running the Log Browser, type the following command to create the rui.pfx file.

openssl pkcs12 -export -in c:\certs\rui.crt -inkey c:\certs\rui.key -certfile c:\certs\Root64.cer -name "rui" -passout pass:testpassword -out c:\certs\rui.pfx

6 On the machine running vSphere Update Manager, type the following command to create the rui.pfx file.

openssl pkcs12 -export -in c:\certs\rui.crt -inkey c:\certs\rui.key -certfile c:\certs\Root64.cer -name "rui" -passout pass:testpassword -out c:\certs\rui.pfx

7 Verify that the PFX file can be read back: the command displays the certificate and key as Base-64 encoded PEM blocks together with information about the PFX file.

To test the file, type openssl pkcs12 -in c:\certs\service\rui.pfx -info.

NOTE When prompted, use testpassword for both the import password and the PEM pass phrase. If the PFX file is not valid, you cannot proceed with the certificate replacement process. A valid PFX file is required.

What to do next

Create the JKS files.

Create the JKS File

After the PFX files are created you can create the Java Keystore file (JKS) for use with the configuration.

Procedure

1 Open a command prompt on the system with Single Sign-On installed.

2 Navigate to the C:\Program Files\VMware\Infrastructure\jre\bin\ directory.

3 Run the following command to create root-trust.jks.

keytool -v -importkeystore -srckeystore C:\certs\rui.pfx -srcstoretype pkcs12 -srcstorepass testpassword -srcalias rui -destkeystore C:\certs\root-trust.jks -deststoretype JKS -deststorepass testpassword -destkeypass testpassword

4 After it has been created, the JKS file needs to have the root certificate added to it with the alias root-ca. To add the root certificate, type the following command.

keytool -v -importcert -keystore C:\certs\root-trust.jks -deststoretype JKS -storepass testpassword -keypass testpassword -file c:\certs\Root64.cer -alias root-ca

5 When prompted to trust this certificate, type yes. You should now see the message Certificate was added to the keystore.


6 Any intermediate certificates in the certificate chain must be added to the JKS file by typing the followingcommand for each Intermediate CA Certificate.

keytool -v -importcert -noprompt -trustcacerts -keystore C:\certs\root-trust.jks -

deststoretype JKS -storepass testpassword -keypass testpassword -file C:\certs\intercacert.cer

-alias intermediate-hash.0

where intercacert is the certificate for the intermediate CA and hash is the hash generated by opensslcommand openssl x509 -subject_hash -noout -in c:\certs\intercacert.cer

7 Verify that the certificates have been imported successfully by typing the following command.

keytool -list -v -keystore c:\certs\root-trust.jks.

8 Copy c:\certs\root-trust.jks to c:\certs\server-identity.jks.

You now have all of the files required to implement custom SSL certificates. Copy the c:\certs folder to the vCenter Server if all services are running on a single server. Otherwise, copy the respective certificates to the appropriate servers.

What to do next

n On the system where you generated the certificate-signing request, back up the existing default certificates.

n In a safe location, back up the newly created certificate files.

Replacing Default vCenter and ESXi Certificates

Replacing default SSL certificates for vCenter Server and ESXi with CA signed SSL certificates helps ensure security.

To help you protect your vCenter Server and ESXi™ installation, you can replace default certificates with certificates signed by a certificate authority.

Replace Default vCenter Server SSL Certificates

When you install vCenter components such as vCenter Single Sign-On and the vSphere Web Client, the installer generates SSL certificates for each service by default. vCenter Single Sign-On uses the certificates for SSL handshakes and to authenticate solution users. The default certificates are not signed by a commercial certificate authority (CA).

vCenter services that interact with vCenter Single Sign-On and the Lookup Service include the Inventory Service, vCenter Server, and the vSphere Web Client. Each of these services has an identity which is used to create x509 certificates.

Procedure

1 Replace vCenter Single Sign-On Certificates on page 19

You can replace the SSL certificates for vCenter Single Sign-On and the Lookup Service.

2 Replace Inventory Service SSL Certificates on page 22

The Inventory Service is installed with vCenter Single Sign-On and stores vCenter Server application and inventory data. The Inventory Service lets you search and access inventory objects across the vCenter Server systems that are registered with the Lookup Service. You can replace the SSL certificate for the Inventory Service.

3 Replace vCenter Server SSL Certificates on page 23

Replace default certificates with those signed by an internal certificate authority or public key infrastructure (PKI) service. Alternatively, purchase a certificate from a trusted commercial security authority.


4 Replace the vSphere Web Client and Log Browser SSL Certificate on page 25

You can replace or update the vSphere Web Client and Log Browser SSL certificates. Replace both certificates at the same time.

5 Update SSL Certificates for vCenter Single Sign On Server Behind a Load Balancer on page 26

When a deployment of vCenter Single Sign-On server systems is located behind a load balancer, it is not necessary to update the Lookup Service entries for the Security Token Service (STS), SSO Admin, and Group Check services. You need only to update the SSL certificate of a vCenter Single Sign-On system behind that load balancer.

6 Replacing SSL Certificates on vCenter Server Appliance on page 27

So far, this task has described replacing CA signed SSL certificates on a vCenter Server. The task is quite different for replacing SSL certificates on a vCenter Server Appliance.

7 Replace VMware vSphere Update Manager Certificates on page 27

You can replace vSphere Update Manager certificates.

Replace vCenter Single Sign-On Certificates

You can replace the SSL certificates for vCenter Single Sign-On and the Lookup Service.

The vCenter Single Sign-On installer also deploys the VMware Lookup Service on the host. The Lookup Service enables different components of vSphere to find one another in a secure way. When you install vSphere components after vCenter Single Sign-On, you must provide the Lookup Service URL. The Inventory Service and the vCenter Server installers ask for the Lookup Service URL and then contact the Lookup Service to find vCenter Single Sign-On. After installation, the Inventory Service and vCenter Server are registered in the Lookup Service so other vSphere components, like the vSphere Web Client, can find them.

Prerequisites

n Verify that you have administrator privileges on the vCenter Single Sign-On system.

n Verify that the Windows environment variable JAVA_HOME is set to JAVA_HOME=C:\Program Files\VMware\Infrastructure\jre

n If you have not already done so, obtain the certificate files (including the certificate, private key, and keystore). See the following procedures:

n Edit the OpenSSL Configuration File

n Create and Submit Certificate-Signing Requests

n “Create the PFX Files,” on page 16

n “Create the JKS File,” on page 17

n The root certificate (root64.cer) has been imported into the local computer trust store.

Procedure

1 If necessary, copy the certificate files (rui.crt, rui.key, rui.pfx, root-trust.jks and server-identity.jks) to the system where vCenter Single Sign-On is installed.

2 Open a terminal window on the system where Single Sign-On is installed, and run the following command to list all service entries from the Lookup Service.

SSO install directory\ssolscli\ssolscli.cmd listServices Lookup Service URL

where Lookup Service URL is https://SSOserver.domain.com:7444/lookupservice/sdk.

3 Locate the following services: Group Check, SSO Admin, and Security Token Service (STS).

You can identify the service by looking at the type field.


Service Type

Group Check urn:sso:groupcheck

SSO Admin urn:sso:admin

Security Token Service (STS) urn:sso:sts

4 Use a text editor to create a properties file for each service.

The following examples show what each file should look like.

sts.properties file

[service]

friendlyName=STS for Single Sign-On

version=1.0

ownerId=

type=urn:sso:sts

description=The Security Token Service of the Single Sign-On server.

[endpoint0]

uri=https://SSOserver.domain.com:7444/ims/STSService

ssl=C:\ProgramData\VMware\SSOCERTS\Root64.cer

protocol=wsTrust

gc.properties file

[service]

friendlyName=The group check interface of the Single Sign-On server

version=1.0

ownerId=

type=urn:sso:groupcheck

description=The group check interface of the Single Sign-On server

[endpoint0]

uri=https://SSOserver.domain.com:7444/sso-adminserver/sdk

ssl=C:\ProgramData\VMware\SSOCERTS\Root64.cer

protocol=vmomi

admin.properties file

[service]

friendlyName=The administrative interface of the Single Sign-On server

version=1.0

ownerId=

type=urn:sso:admin

description=The administrative interface of the Single Sign-On server

[endpoint0]

uri=https://SSOServer.domain.com:7444/sso-adminserver/sdk

ssl=C:\ProgramData\VMware\SSOCERTS\Root64.cer

protocol=vmomi

5 Locate the serviceId for each service, and use a text editor to create a separate service ID file for each service.

The service ID is located in the serviceId field of the service listing. For example, the service ID file (serviceid_sts) takes the following form.

{D46D4BFD-CC5B-4AE7-87DC-5CD63A97B194}:7


The file cannot contain any other data.

6 Stop the Single Sign-On server.

7 Update Single Sign-On with the new keystore using the following command, where --keystore-file is the path to the JKS file:

SSO install directory\utils\ssocli configure-riat -a configure-ssl --keystore-file C:\ProgramData\VMware\SSOCERTS\root-trust.jks --keystore-password testpassword

NOTE Ensure that the JAVA_HOME variable is still set to JAVA_HOME=C:\Program Files\VMware\Infrastructure\jre

8 When you are prompted, type the master password that was configured during the installation of vCenter Single Sign-On.

9 Start the Single Sign-On server service from the Services applet.

To validate that the certificate is correct, open a browser and navigate to https://ssoserver.domain.com:7444/sso-admin-server/sdk.

10 For each service, run the following command.

SSO install directory\utils\ssolscli updateService -d Lookup Service URL -u sso administrator -p sso administrator password -si serviceid_file -ip service.properties

11 Log in to the vCenter Single Sign-On Server.

In this example, the files are located in C:\certs.

12 Copy the root certificate from the certification authority to the VMware SSL directory.

For example, copy the C:\certs\Root64.cer file to C:\ProgramData\VMware\SSL\. This certificate is the root certificate for the certification authority which is being used.

13 Rename the current ca_certificates.crt to ca_certificates.bak, and then rename Root64.cer to ca_certificates.crt.

14 Type the following command to compute the hash.

openssl x509 -subject_hash -noout -in c:\certs\Root64.cer

The valid hash is returned.

15 Create a file named hash.0 using the hash returned in the previous step.

The file should contain the certificate whose hash is used as the name of the file.

IMPORTANT The hash must be created with OpenSSL v0.9.8, as this is the version which vCenter uses. If created with another version the hash might not be correct.

16 Repeat this task for other intermediary Certificate Authorities.

If there are intermediate certificate authorities, there will be a file for each intermediate authority with the content of the intermediate certificate in the file. If you are using intermediate certificate authorities, you also need to append each certificate authority to the ca_certificates.crt file. To do this, run the following command:

more intermediateCA.cer >> ca_certificates.crt

where intermediateCA is the certificate for the intermediate CA. Repeat this step for each intermediate CA that is in the certificate chain.

17 Navigate to the SSO Install directory\security.

18 Backup root-trust.jks and server-identity.jks.


19 Copy the new root-trust.jks and server-identity.jks. If you have been following the example in this document, these will be located in C:\ProgramData\VMware\SSOCERTS.

20 Log into the vSphere Web Client as admin@system-domain.

21 Navigate to Administration > Sign-On and Discovery > Configuration, and click the STS Certificate tab.

22 Click Edit.

23 Click Browse and navigate to the SSO Security Directory. Select root-trust.jks.

24 When prompted, enter testpassword as the password and click OK. The rui key chain appears in the interface.

25 Select rui and click OK.

26 When prompted for the password, enter testpassword.

Another chain is added, and the certificate is available in the GUI.

NOTE If you encounter the error message An error ocurred while updating server configuration, this may indicate that the certificate chain was not fully exported. For more information, see step 20 in the Getting the certificate section in Creating certificate requests and certificates for vCenter Server 5.1 components (KB 2037432), which outlines steps to export and concatenate multiple certificates.

Alternatively, to add it to the GUI, you can add the JKS file by running the following command line command.

ssocli.cmd configure-riat -a configure-sts --keystore-file C:\Program Files\VMware\Infrastructure\SSOServer\Security\root-trust.jks --keystore-type JKS --keystore-password testpassword -u admin -p master password

27 Restart the vCenter Single Sign-On server.

The SSL certificate for vCenter Single Sign-On (including the Security Token Service, the SSO Admin service, Group Check, and the Lookup Service) is updated.

NOTE If you replace the signing certificates of your Single Sign-On server and the new signing chain is signed by a different root certificate than the signing chain that you replaced, you must update the trust to this Single Sign-On server in all vCenter Servers that point to it and restart them.
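The three .properties files and the serviceid files from steps 4 and 5 are easy to get subtly wrong (a wrong type URN, an http:// URI, a second line in the serviceid file) and ssolscli updateService gives little feedback. The following is an added example, not VMware's code: it writes the files for a given Single Sign-On FQDN and checks them against what the document shows before they are handed to ssolscli.

```python
# Added example (not VMware's code): generate and check the sts/gc/admin
# .properties files and the serviceid files used by ssolscli updateService.
import configparser
import re

# Service types exactly as listed by 'ssolscli listServices'.
SERVICE_TYPES = {"sts": "urn:sso:sts", "gc": "urn:sso:groupcheck", "admin": "urn:sso:admin"}

# Endpoint path and protocol for each service, taken from the example files.
ENDPOINTS = {
    "sts": ("/ims/STSService", "wsTrust"),
    "gc": ("/sso-adminserver/sdk", "vmomi"),
    "admin": ("/sso-adminserver/sdk", "vmomi"),
}
FRIENDLY_NAMES = {
    "sts": "STS for Single Sign-On",
    "gc": "The group check interface of the Single Sign-On server",
    "admin": "The administrative interface of the Single Sign-On server",
}
DESCRIPTIONS = {
    "sts": "The Security Token Service of the Single Sign-On server.",
    "gc": FRIENDLY_NAMES["gc"],
    "admin": FRIENDLY_NAMES["admin"],
}

# A serviceid file holds one '{GUID}:N' token and nothing else.
SERVICE_ID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}:\d+$", re.I)


def build_properties(service, sso_fqdn, root_cer, port=7444):
    """Return the text of <service>.properties (service is sts, gc or admin)."""
    path, protocol = ENDPOINTS[service]
    return (
        "[service]\n"
        f"friendlyName={FRIENDLY_NAMES[service]}\n"
        "version=1.0\n"
        "ownerId=\n"
        f"type={SERVICE_TYPES[service]}\n"
        f"description={DESCRIPTIONS[service]}\n"
        "[endpoint0]\n"
        f"uri=https://{sso_fqdn}:{port}{path}\n"
        f"ssl={root_cer}\n"
        f"protocol={protocol}\n"
    )


def check_properties(text, service, sso_fqdn, port=7444):
    """Return the list of problems in a properties file; [] means it is usable."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep friendlyName / ownerId case intact
    cp.read_string(text)
    if not cp.has_section("service") or not cp.has_section("endpoint0"):
        return ["file must contain a [service] and an [endpoint0] section"]
    svc, ep = cp["service"], cp["endpoint0"]
    problems = []
    if svc.get("type") != SERVICE_TYPES[service]:
        problems.append(f"type must be {SERVICE_TYPES[service]}, got {svc.get('type')!r}")
    path, protocol = ENDPOINTS[service]
    expected_uri = f"https://{sso_fqdn}:{port}{path}".lower()
    if ep.get("uri", "").lower() != expected_uri:
        problems.append(f"uri must be {expected_uri}, got {ep.get('uri')!r}")
    if ep.get("protocol") != protocol:
        problems.append(f"protocol must be {protocol}, got {ep.get('protocol')!r}")
    if not ep.get("ssl", "").lower().endswith(".cer"):
        problems.append("ssl must point at the root CA certificate (Root64.cer)")
    return problems


def check_service_id(text):
    """Return problems with a serviceid file: it must hold the id and nothing else."""
    lines = text.splitlines()
    if len(lines) != 1 or not SERVICE_ID_RE.match(lines[0].strip()):
        return ["serviceid file must contain exactly one line of the form {GUID}:N"]
    return []
```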

What to do next

Install the custom SSL certificates for the Inventory Service.

Replace Inventory Service SSL Certificates

The Inventory Service is installed with vCenter Single Sign-On and stores vCenter Server application and inventory data. The Inventory Service lets you search and access inventory objects across the vCenter Server systems that are registered with the Lookup Service. You can replace the SSL certificate for the Inventory Service.

Prerequisites

Obtain certificate files (including the certificate, private key, and keystore) as described in the following procedures:

n Edit the OpenSSL Configuration File

n Create and Submit Certificate-Signing Requests for vCenter Server

n Create the PFX file

n Create the JKS file


Procedure

1 Log in to the Inventory Service server as an administrator.

2 If you have not imported it, double-click the c:\certs\Root64.cer file, and import the certificate into the Trusted Root Certificate Authorities > Local Computer Windows certificate store.

This action ensures that the certificate server is trusted.

3 From a command prompt located at the Inventory Service\scripts directory (by default, this is located at C:\Program Files\VMware\Infrastructure\Inventory Service\scripts), unregister the Inventory Service from vCenter Single Sign-On.

Type unregister-sso.bat Lookup_Service_URL SSO_administrator_user SSO_administrator_password

where the Lookup Service URL is https://SSOserver.domain.com:7444/lookupservice/sdk/. Change the port if needed.

4 Stop the vCenter Inventory Service.

5 Copy the new certificate files to the system where the Inventory Service is installed.

Previous examples used c:\certs to store the new certificates. The certificates directory is typically C:\ProgramData\VMware\Infrastructure\Inventory Service\ssl.

6 Start the vCenter Inventory Service.

7 Validate the register-sso.bat file.

a Change to the Inventory Service scripts directory.

b Open the register-sso.bat file and validate that the following line in the file is correct.

set COMMAND="%PATH_ROOT%/sso/regTool.cmd" registerSolution --ls-url %1 --username "%2" --password "%3" --install-props "%PATH_ROOT%/conf/sso.ini"

This line should be:

set COMMAND="%PATH_ROOT%/sso/regTool.cmd" registerSolution --ls-url %1 --username "%2" --password "%3" --install-props "%PATH_ROOT%/conf/sso.ini" --role read

In the vCenter 5.1 GA release, the --role read parameter was not included and will cause the command to fail.

8 Register vSphere Inventory Service to vCenter Single Sign-On by running the following command.

register-sso.bat Lookup_Service_URL SSO_administrator_user SSO_administrator_password

Replace vCenter Server SSL Certificates

Replace default certificates with those signed by an internal certificate authority or public key infrastructure (PKI) service. Alternatively, purchase a certificate from a trusted commercial security authority.

When you replace default server certificates in a production environment, deploy new certificates in stages, rather than all at the same time. Make sure that you understand the process as it applies to your environment before you replace certificates.

Prerequisites

n You requested and received the CA signed certificates from the signing authority.

n You stored the new CA signed certificates in c:\certs.

Procedure

1 Log in to vCenter Server as an administrator.


2 If you have not already imported the root certificate, double click on the c:\certs\Root64.cer file.

3 Select Trusted Root Certificate Authorities > Local Computer > Windows certificate store, and import the certificate from the list of certificates.

This action ensures that the certificate server is trusted.

4 Back up the existing certificates and copy the new certificate, private key, and keystore files (for example, rui.crt, rui.key, and rui.pfx) to the system where vCenter Server is installed.

The certificates typically are located in the following directory.

Operating System Directory

Windows Server 2008 C:\ProgramData\VMware\VMware VirtualCenter\ssl

Windows Server 2003 C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\ssl

If you follow the example, the newly created certificate is in c:\certs\vCenter.

5 Open rui.crt in a text editor, and validate that the first line of the file begins with -----BEGIN CERTIFICATE-----.

Remove any text that is in front of this text. Extra text will cause validation failure.

6 Use the Managed Object Browser to load the certificates.

a Go to https://localhost/mob/?moid=vpxd-securitymanager&vmodl=1 on the vCenter Server.

If you are prompted with a certificate warning, click Continue.

b Enter a vCenter Server administrator user name and password, and click reloadSslCertificate.

c Click Invoke Method.

You see the message Method Invocation Result: void.

d Close both windows.

7 From a command prompt on vCenter Server, navigate to the isregtool directory (by default, C:\Program Files\VMware\Infrastructure\VirtualCenter Server\isregtool).

8 Register the vCenter Server to the Inventory Service by typing the following command.

register-is.bat vCenter Server URL Inventory Service URL SSO Lookup Service URL

The return code of 0 0 indicates that the vCenter Server was registered.

9 Navigate to the vCenter Server directory (by default, this is C:\Program Files\VMware\Infrastructure\VirtualCenter Server\), and type the following command.

vpxd -p

To encrypt the password with the new certificate, type the password of the vCenter Server database user when prompted.

10 Restart the following services.

n From the service control manager (services.msc), restart the VMware VirtualCenter Server service.

n Restart the VMware vSphere Profile Driven Storage Service.

After the initial restart of the services, wait for five minutes. If the VMware vSphere Profile Driven Storage service stops during this time, restart it.

vCenter Server replaces the certificate.
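Two of the steps above fail on file hygiene rather than on cryptography: step 5 (text in front of -----BEGIN CERTIFICATE----- in rui.crt, which tools such as openssl pkcs12 emit as "Bag Attributes" lines) and step 16 of the Single Sign-On procedure (appending intermediate CA files to ca_certificates.crt with more >>, which only produces a clean bundle if every file ends with a newline). The following is an added example, not VMware's code; the certificate body in it is a constructed placeholder, not a real certificate.

```python
# Added example (not VMware's code): normalise PEM certificate files before
# they go into the ssl directories, and build ca_certificates.crt from the
# root CA (the renamed Root64.cer) plus each intermediate CA file.
import base64
import binascii
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
_BLOCK = re.compile(re.escape(BEGIN) + r"\r?\n(.*?)\r?\n" + re.escape(END), re.S)

# Constructed sample: a minimal DER SEQUENCE (30 03 02 01 05), NOT a real
# certificate, preceded by the kind of text openssl pkcs12 writes before it.
SAMPLE_CLEAN = f"{BEGIN}\nMAMCAQU=\n{END}"
SAMPLE_DIRTY_RUI_CRT = "Bag Attributes\n    localKeyID: 01\nsubject=/CN=vc\n" + SAMPLE_CLEAN


def leading_text(text):
    """Return whatever precedes the first BEGIN line ('' when the file is clean)."""
    pos = text.find(BEGIN)
    return text if pos < 0 else text[:pos]


def normalize_pem(text):
    """Keep only the certificate blocks, re-wrap them at 64 columns with LF
    line endings and a trailing newline. Raise ValueError if no valid block."""
    out = []
    for body in _BLOCK.findall(text):
        b64 = "".join(body.split())  # drop CR, LF and stray spaces
        try:
            der = base64.b64decode(b64, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"certificate body is not valid base64: {exc}")
        if not der or der[0] != 0x30:  # every X.509 certificate is a DER SEQUENCE
            raise ValueError("decoded body does not start with a DER SEQUENCE")
        wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        out.append(f"{BEGIN}\n{wrapped}\n{END}\n")
    if not out:
        raise ValueError("no certificate block found")
    return "".join(out)


def build_ca_bundle(root_pem, intermediate_pems):
    """ca_certificates.crt contents: the root CA first, then each intermediate."""
    return normalize_pem(root_pem) + "".join(normalize_pem(p) for p in intermediate_pems)


def count_certs(text):
    """Number of well-delimited certificate blocks in a bundle."""
    return len(_BLOCK.findall(text))
```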


What to do next

Replace the vSphere Web Client and Log Browser SSL Certificates.

Replace the vSphere Web Client and Log Browser SSL Certificate

You can replace or update the vSphere Web Client and Log Browser SSL certificates. Replace both certificates at the same time.

Prerequisites

n You have a vSphere 5.1 environment

n All certificates and corresponding files are generated

Procedure

1 Log in to the vSphere Web Client server as an administrator.

NOTE If you are using a Self-Signed Certificate from OpenSSL, you import the certificate when logging in to vCenter Server for the first time.

2 If you have not imported it, double-click on the Root64.cer file (located in c:\certs\ in these examples) and import the certificate into the Trusted Root Certificate Authorities > Local Computer Windows certificate store.

3 Log in to the vSphere Web Client server as an administrator.

4 From the service control manager (services.msc), stop the following services.

n VMware vSphere Web Client service

n VMware Log Browser service

5 Open a command prompt and go to the Web Client\scripts directory.

The default directory is C:\Program Files\VMware\Infrastructure\vSphere Web Client\scripts.

6 Back up the existing certificates and copy the new certificate, private key, and keystore files (for example, rui.crt, rui.key, and rui.pfx) to the system where the vSphere Web Client and Log Browser are installed.

a Back up and replace the current certificates for the vSphere Web Client.

Operating System Directory

Windows Server 2008 C:\ProgramData\VMware\vSphere Web Client\ssl

Windows Server 2003 C:\Documents and Settings\All Users\Application Data\VMware\vSphere Web Client\ssl

b Back up and replace the current certificates for the Log Browser.

By default, the certificates are located in C:\Program Files\VMware\Infrastructure\vSphereWebClient\logbrowser\conf. In the example, the new certificates are located in c:\certs\logbrowser.

7 If you have not done so, set the JAVA_HOME environment variable by opening a command prompt and typing the following.

set JAVA_HOME=c:\Program Files\VMware\Infrastructure\JRE

8 From the SsoRegTool directory (by default C:\Program Files\VMware\Infrastructure\vSphere WebClient\SsoRegTool\), unregister the vSphere Web Client from Single Sign-On by running the following command.

regTool.cmd unregisterService -si "Installation Directory\vSphereWebClient\serviceId" -d https://SSOServer.domain.com:7444/lookupservice/sdk -u admin@System-Domain -p password


9 Register the vSphere Web Client back to vCenter Single Sign-On by typing the following commands.

Operating System Command

Windows 2008 regTool.cmd registerService --cert "C:\ProgramData\VMware\vSphere Web Client\ssl" --ls-url https://SSOServer.domain.com:7444/lookupservice/sdk --username admin@System-Domain --password password --dir "Installation Directory\vSphereWebClient\SsoRegTool\sso_conf" --ip "*.*" --serviceId-file "Installation Directory\vSphereWebClient\serviceId"

Windows 2003 regTool.cmd registerService --cert "C:\Documents and Settings\All Users\Application Data\VMware\vSphere Web Client\ssl" --ls-url https://SSOServer.domain.com:7444/lookupservice/sdk --username admin@System-Domain --password password --dir "Installation Directory\vSphereWebClient\SsoRegTool\sso_conf" --ip "*.*" --serviceId-file "Installation Directory\vSphereWebClient\serviceId"

10 From Installation Directory\vSphereWebClient\, open the serviceId file, and remove the two service ID lines from the now-replaced certificate.

The file should contain only the two new service IDs.

11 From the service control manager, start the VMware Web Client service and the vSphere Log Browser service.

This can take up to five minutes. To verify the success of this task, log in to the vSphere Web Client and check that the Inventory is accessible and that the certificate is properly installed.

12 Stop and restart the services.

n Stop the VMware Log Browser Service.

n Stop the VMware vSphere Web Client Service.

n Stop the VMware vCenter Server Service.

n Stop the VMware vCenter Inventory Service.

n Stop the vCenter Single Sign On Service.

n Start the vCenter Single Sign On Service.

n Start the VMware vCenter Inventory Service.

n Start the VMware vCenter Server Service and the VMware vCenter Management WebServices service.

n Start the VMware vSphere Web Client Service.

n Start the VMware Log Browser Service.

What to do next

Replace the certificates on the vSphere Update Manager.

Update SSL Certificates for vCenter Single Sign On Server Behind a Load Balancer

When a deployment of vCenter Single Sign-On server systems is located behind a load balancer, it is not necessary to update the Lookup Service entries for the Security Token Service (STS), SSO Admin, and Group Check services. You need only to update the SSL certificate of a vCenter Single Sign-On system behind that load balancer.

NOTE You must include the full certificate chain.


Prerequisites

Obtain certificate files (including the certificate, private key, and keystore) as described in the following procedures:

n Edit the OpenSSL Configuration File

n Create and Submit Certificate-Signing Requests for vCenter Server

n Create the PFX file

n Create the JKS file

Procedure

1 If they are not already there, copy the certificate files (for example, rui.crt, rui.key, and rui.pfx) to the system where vCenter Single Sign-On is installed.

2 Stop the Single Sign-On server.

3 Update Single Sign-On with the new keystore using the following command.

SSO installation directory\utils\ssocli configure-riat -a configure-ssl --keystore-file file --keystore-password password

4 Start the Single Sign-On Server.

What to do next

Depending on how your load balancing software is configured, you might also be required to update the load balancer's certificate trust store to contain the new certificate. This enables trusted SSL connections between the load balancer and Single Sign-On servers.

Replacing SSL Certificates on vCenter Server Appliance

So far, this task has described replacing CA signed SSL certificates on a vCenter Server. The task is quite different for replacing SSL certificates on a vCenter Server Appliance.

If you replace CA signed SSL certificates on a vCenter Server Appliance, see the KB article Configuring certificates signed by a Certificate Authority (CA) for vCenter Server Appliance 5.1 (2036744).

For all services that contact vCenter Single Sign-On and that are not on the same machine, update the trust stores with the new SSL certificate. These services include the vSphere Web Client and the Inventory Service. See “Update the Certificate Trust Store for vCenter Server Components,” on page 33.

Replace VMware vSphere Update Manager Certificates

You can replace vSphere Update Manager certificates.

Prerequisites

n You have a vSphere 5.1 environment.

n The certificates have been requested and received.

n You have administrator privileges on the Update Manager system.

Procedure

1 Log in to the vSphere Update Manager server as an administrator.

2 If you have not imported it, double-click the Root64.cer file.

3 Select Trusted Root Certificate Authorities > Local Computer, and import the certificate into the Windows certificate store.

If you follow the example, this file is located in c:\certs.


4 Back up the existing Update Manager certificates.

If you follow the example, the certificate files are located in c:\certs\Update Manager.

By default, vSphere Update Manager stores its certificates in the C:\Program Files (x86)\VMware\Infrastructure\Update Manager\SSL directory.

5 Copy the new certificate files (rui.crt, rui.key, and rui.pfx) into the Update Manager SSL directory.

6 From the service control manager (services.msc), stop the vSphere Update Manager service.

7 Start the VMwareUpdateManagerUtility.exe application and log in.

By default, it is located in C:\Program Files (x86)\VMware\Infrastructure\Update Manager.

NOTE If the system becomes unresponsive and fails, and if vCenter Server is on the same system as vSphere Update Manager, use 127.0.0.1:80 as the address for vCenter Server.

8 In the Options pane, click SSL Certificate.

9 In the Configuration pane, select Followed and verified the steps and click Apply.

10 When the message Restart the VMware vSphere Update Manager service to apply the setting appears, click OK.

11 After the operation finishes, start the VMware vSphere Update Manager service.

What to do next

Verify that you can access Update Manager without receiving certificate-related warnings.

Replacing Default SSL Certificates on ESXi

VMware recommends that you replace default certificates with those signed by an internal certificate authority or public key infrastructure (PKI) service. Alternatively, purchase a certificate from a trusted commercial security authority.

NOTE Use commercially signed certificates for systems that are exposed to the Internet.

When you replace default server certificates in a production environment, deploy new certificates in stages, rather than all at the same time. Make sure that you understand the process as it applies to your environment before you replace certificates.

ESXi Certificates: Before You Begin

Ensure that your environment has the required software installed before you begin replacing default ESXi certificates.

n Microsoft CA (2000 or higher), with Web Server template

n Microsoft Visual C++ 2008 Redistributable Package (x86) installed on the system where you will generate the certificate-signing request

n OpenSSL 0.98r or higher installed on the system where you will generate the certificate-signing request

n Putty or other SSH client

n WinSCP or other SFTP/SCP client

n vCenter Server 5.1

n ESXi 5.1


Edit the OpenSSL Configuration File

VMware products implement the OpenSSL libraries and toolkits to generate the default certificates that are created during the installation process. You can use OpenSSL to create certificate-signing requests (CSRs).

The default OpenSSL installation includes a configuration file, openssl.cfg, located in the OpenSSL\bin directory. Edit the configuration file with values specific to your organization.

Prerequisites

Download OpenSSL x86 version 0.98r or higher from http://www.openssl.org.

Install OpenSSL on the system where you will generate the certificate signing request.

Procedure

1 Navigate to the OpenSSL directory.

2 Edit the OpenSSL configuration file (openssl.cfg) to include details appropriate for your environment.

Parameter Value

encrypt_key no

keyUsage Must include digitalSignature and keyEncipherment. Versions prior to 5.1 must also include nonRepudiation and dataEncipherment.

extendedKeyUsage serverAuth, clientAuth

common name (in req_distinguished_name) Name of the server that will use the certificate. Required.

subjectAltName (Subject Alternative Name) Fully qualified domain name or host name of the vCenter Server or ESXi system. Required for vCenter Server. Optional for ESXi. You can include multiple DNS names in the Subject Alternative Name section to include the short name of the host.

3 Save and close the configuration file.

Example: openssl.cfg

IMPORTANT The openssl.cfg file is made up of several sections. This example lists the three relevant key sections of the file. It does not reflect the entire file. You must include the entire file for use, not the example sections only.

NOTE The values shown are samples only, with the exception of the input_password and output_password. It is unnecessary and not recommended for you to change the input and output password from the default (testpassword). If your organization requires that you change the default password, see “Unexpected Behavior Occurs When You Change the rui.pfx Password,” on page 35.

[ req ]

default_bits = 2048

default_keyfile = privkey.pem

distinguished_name = req_distinguished_name

attributes = req_attributes

x509_extensions = v3_ca

input_password = testpassword

output_password = testpassword


encrypt_key = no

prompt = no

string_mask = nombstr

req_extensions = v3_req

[ v3_req ]

basicConstraints = CA:FALSE

keyUsage = digitalSignature, keyEncipherment

extendedKeyUsage = serverAuth, clientAuth

subjectAltName = DNS:vc.homedns.org, DNS:vc50.homedns.org, DNS:vc50

[ req_distinguished_name ]

countryName = US

stateOrProvinceName = California

localityName = Palo Alto

0.organizationName = VMware Inc

organizationalUnitName = IT

commonName = vc.homedns.org

emailAddress = [email protected]
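The requirements in step 2 are easy to miss when an existing openssl.cfg is edited by hand: a keyUsage without keyEncipherment, an extendedKeyUsage without clientAuth, or a subjectAltName that does not repeat the commonName all produce a certificate that the CA will happily sign but that vCenter components reject. The following is an added example, not VMware's code: it parses the three sections shown above (the sample embedded in it is the document's example without the e-mail address line) and reports which requirements a file fails; the for_esxi and pre_51 switches are assumptions that mirror the "Optional for ESXi" and "Versions prior to 5.1" notes in the table.

```python
# Added example (not VMware's code): check an openssl.cfg against the
# parameter table in step 2 before generating the CSR with it.
import configparser

REQUIRED_KEY_USAGE = {"digitalSignature", "keyEncipherment"}
PRE_51_KEY_USAGE = {"nonRepudiation", "dataEncipherment"}  # needed before 5.1
REQUIRED_EKU = {"serverAuth", "clientAuth"}
DEFAULT_PFX_PASSWORD = "testpassword"


def parse_openssl_cfg(text):
    """Return {section: {key: value}}; openssl writes headers as '[ req ]', so strip them."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keyUsage and KeyUsage are different keys to openssl
    cp.read_string(text)
    return {name.strip(): dict(cp[name]) for name in cp.sections()}


def _csv(value):
    """Split an openssl comma-separated value into a set of trimmed items."""
    return {v.strip() for v in value.split(",") if v.strip()}


def check_openssl_cfg(text, for_esxi=False, pre_51=False):
    """List the requirements from step 2 that the file fails; [] means it is fine."""
    cfg = parse_openssl_cfg(text)
    req = cfg.get("req", {})
    ext = cfg.get(req.get("req_extensions", "v3_req"), {})
    dn = cfg.get(req.get("distinguished_name", "req_distinguished_name"), {})
    problems = []
    if req.get("encrypt_key", "").lower() != "no":
        problems.append("encrypt_key must be no")
    need = REQUIRED_KEY_USAGE | (PRE_51_KEY_USAGE if pre_51 else set())
    missing = need - _csv(ext.get("keyUsage", ""))
    if missing:
        problems.append("keyUsage missing " + ", ".join(sorted(missing)))
    missing = REQUIRED_EKU - _csv(ext.get("extendedKeyUsage", ""))
    if missing:
        problems.append("extendedKeyUsage missing " + ", ".join(sorted(missing)))
    cn = dn.get("commonName", "").strip()
    if not cn:
        problems.append("commonName is required")
    san = _csv(ext.get("subjectAltName", ""))
    dns_names = {e.split(":", 1)[1] for e in san if e.startswith("DNS:")}
    if not dns_names and not for_esxi:
        problems.append("subjectAltName with DNS names is required for vCenter Server")
    elif dns_names and cn and cn not in dns_names:
        problems.append(f"subjectAltName does not list the commonName {cn}")
    for key in ("input_password", "output_password"):
        if req.get(key) != DEFAULT_PFX_PASSWORD:
            problems.append(f"{key} differs from the default; see the rui.pfx password note")
    return problems


# The document's example sections (e-mail address line omitted).
SAMPLE_CFG = """\
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca
input_password = testpassword
output_password = testpassword
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vc.homedns.org, DNS:vc50.homedns.org, DNS:vc50

[ req_distinguished_name ]
countryName = US
stateOrProvinceName = California
localityName = Palo Alto
0.organizationName = VMware Inc
organizationalUnitName = IT
commonName = vc.homedns.org
"""
```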

Create and Submit Certificate-Signing Requests

You must generate a certificate-signing request (CSR) for each system that requires a replacement certificate. You submit the certificate-signing request to your certificate authority to obtain a base-64 encoded certificate.

See the OpenSSL documentation at http://www.openssl.org for information about OpenSSL commands and options.

Prerequisites

OpenSSL x86 version 0.98r or higher is installed on the system where you will create the request.

The OpenSSL configuration file (openssl.cfg) has been edited to suit your environment as described in Edit the OpenSSL Configuration File.

Procedure

1 At a command prompt, navigate into the OpenSSL directory.

By default this is C:\OpenSSL-Win32\bin.

2 Generate the certificate signing request by running the following command on the system where you installed OpenSSL.

openssl req -new -nodes -out rui.csr -keyout rui.key -config openssl.cfg

3 Use the contents of the newly created rui.csr file to create a certificate request to submit to your certificate authority.

If you are using a commercial Certificate Authority, perform the following steps to generate the request.

a Send the rui.csr file to the appropriate certificate authority.

b After the authority sends your generated certificate, install the root certificate onto the vCenter Server before continuing.

If you are using Microsoft CA (2003 or higher), perform the following steps to create the request.

a Browse to your Microsoft Certificate Authority web site (typically http://servername/CertSrv/) and select Request a Certificate.

b Select Advanced Certificate Request and select Submit a certificate request using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.


c Open the certificate request file (rui.csr) with a text editor and copy the contents of the file (including the beginning and ending tags).

d Paste the contents of the rui.csr file into the Saved Request area.

e Select the Web Server certificate template and click Submit.

The Web Server template should include Subject Alternative Names (required for vCenter Server, optional for ESXi). You might have to modify the template to include this parameter.

If you are using an OpenSSL Self-Signed certificate, perform the following steps.

a Create the certificate using the following command.

openssl req -x509 -sha256 -newkey rsa:2048 -keyout rui.key -config openssl.cfg -out rui.crt -days 3650

b Disregard steps 4 and 5 of this task.

4 Click Base-64 encoded and then download the certificate.

Save the certificate on the desktop of the server as rui.crt.

5 If necessary, rename the certificate files to rui.crt and rui.key.

Install SSL Certificate Files to ESXi

Copy the new certificate files onto the host to replace default SSL certificates.

Procedure

1 Log in to vCenter Server and put the host in Maintenance Mode.

2 Navigate to the console of the server.

3 Press F2 to log in to the Direct Console User Interface (DCUI) as root.

4 Select Troubleshooting Options, then select Enable SSH.

5 Use WinSCP or other SFTP/SCP client to connect to the target host and change to the following directory.

/etc/vmware/ssl

6 Back up the existing default certificate files (rui.crt and rui.key).

7 Delete the existing default certificate files (rui.crt and rui.key).

8 Copy the newly generated certificate files (rui.crt and rui.key) to the target host SSL directory /etc/vmware/ssl.

To avoid special characters (^M) appearing in the certificate file, you must use Text Mode or ASCII Mode to transfer the files.

9 Type less rui.crt to validate that there are no extra characters such as ^M at the end of each line.

10 Log in to the target host Direct Console User Interface (DCUI) as root.

11 Select Troubleshooting Options > Restart Management Agents, and, when prompted, press F11.

12 After the management agents are restarted, log out of the Direct Console User Interface and take the host out of maintenance mode.

Newly generated SSL certificates are loaded onto the ESXi host and default certificates have been replaced.
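Steps 8 and 9 above are about one failure mode: a binary-mode transfer from Windows leaves CRLF line endings in rui.crt and rui.key, which less shows as ^M and which the host's services then fail to parse. The following added checker, written for this page and not part of VMware's tooling, does the same validation as step 9 programmatically and also catches a truncated or corrupted transfer: it reports carriage returns, missing BEGIN/END markers and a body that is not valid base64, and normalize_pem converts the line endings the way an ASCII-mode transfer would. The embedded PEM is a constructed placeholder (base64 of a text string), not a real certificate.

```python
import base64

# Constructed PEM body: base64 of placeholder bytes, not a real X.509 certificate.
_PLACEHOLDER_DER = b"constructed placeholder, not a real X.509 certificate"
_BODY_B64 = base64.b64encode(_PLACEHOLDER_DER).decode("ascii")
_BODY_LINES = [_BODY_B64[i:i + 64] for i in range(0, len(_BODY_B64), 64)]  # 64-column wrap like OpenSSL

# The same file as it looks after a binary-mode transfer from Windows (CRLF line ends).
PEM_CRLF = ("-----BEGIN CERTIFICATE-----\r\n"
            + "".join(line + "\r\n" for line in _BODY_LINES)
            + "-----END CERTIFICATE-----\r\n").encode("ascii")


def normalize_pem(data: bytes) -> bytes:
    """Convert CRLF or bare CR line endings to LF, the effect of an ASCII-mode transfer."""
    return data.replace(b"\r\n", b"\n").replace(b"\r", b"\n")


def check_pem(data: bytes, expected_label: str = "CERTIFICATE") -> list:
    """Return findings for a PEM file: CR characters (^M), marker problems, undecodable body."""
    findings = []
    if b"\r" in data:
        findings.append("carriage returns present (shown as ^M by less): retransfer in ASCII/text mode")
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return findings + ["file is not plain ASCII: wrong file or not PEM"]
    lines = [line.rstrip("\r") for line in text.split("\n")]
    begin = f"-----BEGIN {expected_label}-----"
    end = f"-----END {expected_label}-----"
    if begin not in lines:
        findings.append(f"missing {begin} line")
    if end not in lines:
        findings.append(f"missing {end} line (truncated transfer?)")
    if begin in lines and end in lines:
        body = "".join(lines[lines.index(begin) + 1:lines.index(end)])
        try:
            # validate=True rejects any character outside the base64 alphabet
            if not base64.b64decode(body, validate=True):
                findings.append("empty PEM body")
        except ValueError:
            findings.append("PEM body is not valid base64 (stray characters or missing lines)")
    return findings


if __name__ == "__main__":
    print("as transferred in binary mode:", check_pem(PEM_CRLF))
    print("after normalizing:", check_pem(normalize_pem(PEM_CRLF)))
```

On the host itself, check_pem(open("/etc/vmware/ssl/rui.crt", "rb").read()) and the same call with expected_label set to the label OpenSSL wrote into rui.key (RSA PRIVATE KEY for the command shown earlier) give the same answer as eyeballing the file in less.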


Replace vCenter Server Heartbeat Certificates

If you have a problem with the current certificate, or if your corporate security policy requires doing so, you can replace default vCenter Server Heartbeat certificates.

Prerequisites

n Install OpenSSL on the system where you will replace the certificate.

n Obtain the certificate files rui.crt, rui.key, and rui.pfx. See the following topics:

n Edit the OpenSSL Configuration File

n Create and Submit Certificate-Signing Requests

n “Create the PFX Files,” on page 16

Procedure

1 Download the SSLImport.jar utility from the VMware Knowledge Base article Replacing SSL Certificates for vCenter Server Heartbeat 6.x (KB 2013041).

2 On the system where you will replace the Heartbeat certificate, copy the certificate (rui.crt), private key (rui.key), and the SSLImport.jar file to the JRE bin directory, which is typically in the following location.

C:\Program Files\VMware\VMware vCenter Server Heartbeat\R2\jre\bin

3 Convert the private key (rui.key) and the certificate (rui.crt) from PEM format to DER format using OpenSSL.

a To convert the private key, run the following command.

openssl pkcs8 -topk8 -nocrypt -in rui.key -inform PEM -out key.der -outform DER

b To convert the certificate, run the following command.

openssl x509 -in rui.crt -inform PEM -out cert.der -outform DER

4 Use the following command to run the SSLImport utility.

java -jar SSLImport.jar key.der cert.der

A new keystore is created (NFKeyStore.jks) and the keystore alias (keyAlias) appears with the keystore password (keyPassword), as shown in the following example.

> New keystore created: NFKeyStore.jks

> Keystore-alias: keyAlias

> Keystore-password: keyPassword

5 Set the password for the keystore file (NFKeyStore.jks).

keytool -keyclone -alias "keyAlias" -dest "nfhb_private_certificate" -keypass keyPassword -new new password -keystore NFKeyStore.jks -storepass keyPassword

keytool -storepasswd -new new password -keystore NFKeyStore.jks -storepass keyPassword

keytool -delete -alias keyAlias -keystore NFKeyStore.jks -storepass new password

6 Run the following command to stop the Heartbeat Web service.

net stop nfwebsvc


7 Back up the Heartbeat SSL directory, which is typically in the following location.

C:\Program Files\VMware\VMware vCenter Server Heartbeat\tomcat\ssl

8 Move the NFKeyStore.jks file, key.der, and cert.der into the Heartbeat SSL directory.

C:\Program Files\VMware\VMware vCenter Server Heartbeat\SSL

9 Open the following file in a text editor.

C:\Program Files\VMware\VMware vCenter Server Heartbeat\tomcat\apache-tomcat-6.0.32\conf\server.xml

10 Locate the following section and enter the keystore password as the value of the keystorePass parameter.

<Connector port="9561" protocol="HTTP/1.1" SSLEnabled="true"
...
keystoreFile="../ssl/NFKeyStore.jks"
keystorePass="new password"
keyAlias="nfhb_private_certificate"/>

11 Run the following command to start the Heartbeat web service.

net start nfwebsvc

The service starts and the system begins sending heartbeats.

Update the Certificate Trust Store for vCenter Server Components

Before you can install the certificate for vCenter Server components, you must have a trust store for the CA signed certificates, including the root and intermediary certification authorities.

A trust store is a directory of trusted X.509 certificates.

NOTE If you are running vCenter Server in a virtual machine, take a snapshot before starting this process toensure that you can revert to it if necessary. Delete the snapshot after the process is complete.

Prerequisites

n Verify that trusted certificates are kept in separate files, with one certificate for each file.

n Verify that certificates are in X.509 PEM format.

n Verify that certificates have names in the form hash.0 or have symbolic links to the files using that form.

hash is the hashed certificate subject name. See the OpenSSL documentation for the x.509 utility.

n Certificates are either self-signed CA root certificates or intermediate certificates whose chain is included in the root certificate.

Procedure

1 Log in to the vCenter Single Sign-On Server.

In this example, the files are located in C:\certs.

2 Copy the root certificate from the certification authority to the VMware SSL directory.

For example, copy the C:\certs\Root64.cer file to C:\ProgramData\VMware\SSL\. This certificate is the root certificate for the certification authority which is being used.

3 Rename the current ca_certificates.crt to ca_certificates.bak, and then rename Root64.cer to ca_certificates.crt.


4 Type the following command to compute the hash.

openssl x509 -subject_hash -noout -in c:\certs\Root64.cer

The valid hash is returned.

5 Create a file named hash.0 using the hash returned in the previous step.

The content of the file should contain the certificate in which hash is used for the name of the file.

IMPORTANT The hash must be created with OpenSSL v0.9.8, as this is the version which vCenter uses. If created with another version the hash might not be correct.

6 Repeat this task for other intermediary Certificate Authorities.

If there are intermediate certificate authorities, there will be a file for each intermediate authority with the content of the intermediate certificate in the file. If you are using intermediate certificate authorities, you also need to append each certificate authority to the ca_certificates.crt file. To do this run the following command:

more intermediateCA.cer >> ca_certificates.crt

where intermediateCA is the certificate for the intermediate CA. Repeat this step for each intermediate CA that is in the certificate chain.

The certificates are updated in the trust store.
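The version pin in step 5 exists because the subject hash algorithm changed: OpenSSL 0.9.8 computes it as the first four bytes of the MD5 digest of the DER-encoded subject name, read little-endian and printed as eight hex digits, while OpenSSL 1.0.0 and later print a SHA-1 based hash of a canonicalized name for -subject_hash and expose the old value only as -subject_hash_old. A hash.0 file named with the new-style value is never found by a 0.9.8 lookup. The following added example, written for this page and not part of VMware's documentation or tooling, implements the 0.9.8 algorithm with only the standard library so the expected file name can be checked without a particular OpenSSL build. It carries a small DER encoder/reader of its own; the sample certificate is a constructed shell that contains the page's sample DN as issuer and subject and none of the key or signature material of a real certificate.

```python
import hashlib


# --- tiny DER helpers: enough to build and walk a Name and a bare certificate shell ---
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, next_pos) for the TLV at pos (single-byte tags only)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


# Attribute type OIDs used in the page's sample DN (DER content bytes of 2.5.4.x).
_OID = {
    "C": b"\x55\x04\x06", "ST": b"\x55\x04\x08", "L": b"\x55\x04\x07",
    "O": b"\x55\x04\x0a", "OU": b"\x55\x04\x0b", "CN": b"\x55\x04\x03",
}


def der_name(rdns) -> bytes:
    """Encode [(attr, value), ...] as an X.501 Name: SEQUENCE of single-value SETs."""
    out = b""
    for attr, value in rdns:
        attr_value = der_tlv(0x13, value.encode("ascii"))  # PrintableString
        out += der_tlv(0x31, der_tlv(0x30, der_tlv(0x06, _OID[attr]) + attr_value))
    return der_tlv(0x30, out)


def legacy_subject_hash(name_der: bytes) -> str:
    """OpenSSL 0.9.8 X509_NAME_hash: MD5(DER name)[0:4] little-endian as 8 hex digits."""
    md = hashlib.md5(name_der).digest()
    return "%08x" % int.from_bytes(md[:4], "little")


def subject_from_cert(cert_der: bytes) -> bytes:
    """Pull the DER-encoded subject Name (full TLV) out of a DER certificate."""
    _, cert_body, _ = _read_tlv(cert_der, 0)        # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert_body, 0)             # tbsCertificate ::= SEQUENCE
    fields, pos = [], 0
    while pos < len(tbs):
        tag, body, pos = _read_tlv(tbs, pos)
        fields.append((tag, body))
    if fields and fields[0][0] == 0xA0:             # optional EXPLICIT [0] version
        fields.pop(0)
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    return der_tlv(0x30, fields[4][1])


def trust_store_filename(cert_der: bytes) -> str:
    """Name the certificate must carry in the trust store directory (hash.0)."""
    return legacy_subject_hash(subject_from_cert(cert_der)) + ".0"


# Constructed sample: the page's DN wrapped in a certificate shell that has only the
# fields subject_from_cert needs (no public key, dummy signature). Not a real certificate.
SAMPLE_SUBJECT = [("C", "US"), ("ST", "California"), ("L", "Palo Alto"),
                  ("O", "VMware Inc"), ("OU", "IT"), ("CN", "vc.homedns.org")]
_SHA256_RSA = der_tlv(0x30, der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
_VALIDITY = der_tlv(0x30, der_tlv(0x17, b"130101000000Z") + der_tlv(0x17, b"230101000000Z"))
_TBS = der_tlv(0x30,
               der_tlv(0xA0, der_tlv(0x02, b"\x02"))   # version v3
               + der_tlv(0x02, b"\x01")                # serialNumber
               + _SHA256_RSA + der_name(SAMPLE_SUBJECT) + _VALIDITY + der_name(SAMPLE_SUBJECT))
SAMPLE_CERT = der_tlv(0x30, _TBS + _SHA256_RSA + der_tlv(0x03, b"\x00" * 5))

if __name__ == "__main__":
    print(trust_store_filename(SAMPLE_CERT))
```

For a real root certificate, convert it to DER first (openssl x509 -in Root64.cer -outform DER) and pass the bytes to trust_store_filename; the result should equal what openssl x509 -subject_hash prints under 0.9.8, or -subject_hash_old under 1.0.0 and later.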

Troubleshooting vCenter Server Certificates

These topics describe some of the issues you might encounter when you work with vCenter and ESXi certificates.

New vCenter Server Certificate Does Not Appear to Load

After you replace default vCenter Server certificates, the new certificates might not appear to load.

Problem

When you install new vCenter Server certificates, you might not see the new certificate.

Cause

Existing open connections to vCenter Server are not forcibly closed and might still use the old certificate.

Solution

To force all connections to use the new certificate, use one of the following methods.

n Restart the network stack or network interfaces on the server.

n Restart the vCenter Server service.

vCenter Server Cannot Connect to Managed Hosts

After you replace default vCenter Server certificates and restart the system, vCenter Server might not be able to connect to managed hosts.

Problem

vCenter Server cannot connect to managed hosts after server certificates are replaced and the system is restarted.

Solution

Log into the host as the root user and reconnect the host to vCenter Server.


vCenter Server Cannot Connect to the Database

After you replace default vCenter Server certificates, you might be unable to connect to the vCenter Server database.

Problem

vCenter Server is unable to connect to the vCenter Server database after you replace default vCenter Server certificates, and management web services do not start.

Cause

The database password must be updated in its encrypted form.

Solution

Update the database password by running the following command: vpxd -P pwd.

Cannot Configure vSphere HA When Using Custom SSL Certificates

After you install custom SSL certificates, attempts to enable vSphere High Availability (HA) fail.

Problem

When you attempt to enable vSphere HA on a host with custom SSL certificates installed, the following error message appears: vSphere HA cannot be configured on this host because its SSL thumbprint has not been verified.

Cause

When you add a host to vCenter Server, and vCenter Server already trusts the host's SSL certificate, VPX_HOST.EXPECTED_SSL_THUMBPRINT is not populated in the vCenter Server database. vSphere HA obtains the host's SSL thumbprint from this field in the database. Without the thumbprint, you cannot enable vSphere HA.

Solution

1 In the vSphere Client, disconnect the host that has custom SSL certificates installed.

2 Reconnect the host to vCenter Server.

3 Accept the host's SSL certificate.

4 Enable vSphere HA on the host.

Unexpected Behavior Occurs When You Change the rui.pfx Password

The default password for the PFX file rui.pfx is testpassword. If you change this password, you must also change the default keystorePass parameter in the Tomcat configuration file.

Problem

Unexpected behavior might occur if the rui.pfx password does not match the keystorePass parameter. For example, you receive the error message Unable to connect to the remote server when you attempt to enable the vCenter Server Service Status plug-in or Tomcat is not listening on TCP port 8443 as expected.

Cause

The default password for PFX files is testpassword. It is not necessary or recommended to change this password. However, if your organization requires that you change the default password, you must update the corresponding Tomcat configuration file.


Solution

1 Stop all vCenter Server services.

2 Browse to the Tomcat configuration files and open server.xml in a text editor.

The default location is Program Files\VMware\Infrastructure\tomcat\conf\server.xml.

3 Locate the line containing the following text: Connector port="8443"

4 Update the keystorePass parameter to match the rui.pfx certificate password.

You cannot leave this parameter empty. The default is testpassword.

5 Restart all vCenter Server services.

SSL Certificate Update Errors with Single Sign-On

When you are updating an SSL certificate for vSphere components, the update might fail.

Problem

During an SSL certificate update, vCenter Server fails to start or you are unable to log in to vCenter Server.

Cause

After changing the vCenter Single Sign-On SSL certificate, the new system did not add the certificate to the vCenter trust store. The certificate is not valid for this update.

Solution

n If you are unable to log in to vCenter Server after the SSL certificate update, restart vCenter Server.

n Verify that you are not attempting to update with the same SSL certificate that resides on another vCenter Server system pointing to the same vCenter Single Sign-On server. SSL certificates must be unique. Generate a new certificate with a unique distinguished name (DN) and repeat the update process.

n Verify that the X.509 SSL certificate is valid and not corrupt or expired. Provide a valid SSL certificate if needed. If vCenter Server cannot read the certificate, it might be corrupt.

n Verify that the SSL certificate key/certificate pair match. If they do not match, provide a valid key/certificate pair.

n If the error SSL Exception: Verification parameters (certificate signature failure) appears in the vCenter Server logs, add the certificate to the trust store. See “Update the Certificate Trust Store for vCenter Server Components,” on page 33.
