Regenerating expired SSL certificates after 2 years in VMware vCenter Server 4.x / 5.0.x (1009092)

Symptoms

  • When the EMC Control Center application attempts a discovery against vCenter Server, Error 39 appears.
  • The discovery process does not complete.

Resolution

If you are upgrading to vCenter Server 5.1 or 5.5, see Implementing CA signed SSL certificates with vSphere 5.x (2034833). If you do not want to implement CA-signed SSL certificates in your environment, you can have the upgrade regenerate the VMware default SSL certificates:
  1. Log into the vCenter Server system.
  2. Uninstall the current version of vCenter Server.
  3. Rename the C:\ProgramData\VMware\VMware VirtualCenter\SSL directory to SSL.old.
  4. Perform the upgrade. With the old SSL directory out of the way, the installer generates new default certificates.

The symptoms above occur when the vCenter Server SSL certificates have expired, so the discovery fails. There are two methods for replacing the expired certificates.

Note: The SSL certificates have a lifespan of two or ten years depending on the version.
  • For VirtualCenter 2.5, the lifespan is two years
  • For vCenter Server 4.x and later, the lifespan is ten years

Method 1

This method regenerates the certificate with OpenSSL: a new self-signed rui.crt is signed with the existing rui.key. It is the only method available on vCenter Server 4.0.

Note: Reusing rui.key keeps the key pair unchanged, so data that vCenter Server encrypted with it (such as the stored vpxuser passwords, see step 6 of Method 2) remains readable. The trade-off is that the private key is not rotated. If rui.key may have been exposed, generate a new key instead and treat the change as a full certificate replacement (see the Replacing vCenter Server Certificates Guide).

OpenSSL is a free utility that can be used to generate SSL certificates. It is available for download from http://www.openssl.org/. A version for Windows or Linux is available.

For special instructions on downloading the most recent version of OpenSSL (greater than version 0.9.8), see Issues viewing Storage Views, Performance Overview, and Hardware Status when OpenSSL 1.0.0 version or higher is used to create self-signed certificates (1025966).

Note: OpenSSL is pre-installed on ESX and can be used to complete these steps. It is not pre-installed on ESXi.

To regenerate an expired certificate:

  1. Locate the rui.key file on the vCenter Server system.

    Note: On versions of Windows prior to Windows Server 2008, this location is:

    C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL

    On Windows Server 2008 and later, this location is:

    C:\ProgramData\VMware\VMware VirtualCenter\SSL

  2. Copy the existing rui.key to a system where OpenSSL is installed.

  3. Create a new certificate and pfx file.

    • On Windows, run these commands:

      openssl.exe req -new -x509 -days 3650 -sha1 -nodes -key rui.key -out rui.crt -subj "/CN=fqdn_of_VC"

      Where fqdn_of_VC is the fully qualified host name of the vCenter Server system. OpenSSL expects the -subj value in /type=value form and rejects a bare host name, so the leading "/CN=" is required. To set a full distinguished name instead, use:

      openssl.exe req -new -x509 -days 3650 -sha1 -nodes -key rui.key -out rui.crt -subj "/C=US/ST=CA/L=HAWTHORNE/CN=vcenter_name"

      Where C = country (US), ST = state (CA), L = city (HAWTHORNE), and CN = the name of the vCenter Server.

      Note: -sha1 is the digest these vCenter versions were tested with. SHA-1 and MD5 certificate signatures are considered weak and are rejected by current browsers and TLS libraries, so use -sha256 wherever the components that consume the certificate accept it.

      Note: It may be necessary to create an openssl.cnf file and add -config openssl.cnf to the command above. For more information, see the Replacing vCenter Server Certificates Guide.

      openssl.exe pkcs12 -export -in rui.crt -inkey rui.key -name rui -passout pass:testpassword -out rui.pfx

    • On Linux or an ESXi/ESX host, run these commands:

      openssl req -new -x509 -days 3650 -sha1 -nodes -key rui.key -out rui.crt -subj '/CN=fqdn_of_VC'

      Where fqdn_of_VC is the fully qualified host name of the vCenter Server system. The full distinguished name form shown for Windows (-subj '/C=US/ST=CA/L=HAWTHORNE/CN=vcenter_name') works here as well.

      openssl pkcs12 -export -in rui.crt -inkey rui.key -name rui -passout pass:testpassword -out rui.pfx

    Note: Use the default password, testpassword, for self-signed certificates unless you also update Tomcat. rui.pfx contains the private key and this default password is public knowledge, so the directory's NTFS permissions, not the password, are what protect the key; keep the SSL directory readable only by the vCenter Server service account and administrators. If you choose a different password, edit the keystorePass attribute in the %PROGRAMFILES%\VMware\Infrastructure\tomcat\conf\server.xml file.

    To edit the keystorePass attribute:

    1. Open the %PROGRAMFILES%\VMware\Infrastructure\tomcat\conf\server.xml file in a text editor.
    2. Search for <Connector port="8443". This connector references the rui.pfx keystore that you are replacing.
    3. Set the keystorePass attribute to the rui.pfx password. The password cannot be blank.

  4. Stop the VMware VirtualCenter Server service. For more information, see Stopping, starting, or restarting vCenter services (1003895).

  5. Copy the newly created rui.crt and rui.pfx files to the appropriate directory on the vCenter Server system (from step 1).

  6. Start the VMware VirtualCenter Server service. For more information, see Stopping, starting, or restarting vCenter services (1003895).

    Note: After replacing the certificates for vSphere 4.1/5.0, the database password may need to be re-encrypted, which may prevent vCenter Server from starting. To resolve this issue, see vCenter Server fails to start after replacing the default SSL certificates with custom SSL certificates (1003070).

Regenerating the vCenter Inventory Service and the vSphere Web Client certificates on vCenter Server 5.0.x

If you are running vCenter Server 5.0.x, you must also regenerate the certificate for the vCenter Inventory Service and the vSphere Web Client. To avoid conflicts between the different components' SSL certificates on the same server, VMware recommends creating each certificate with a different CN.

For example, this command regenerates certificates for the inventory service from its key:

openssl.exe req -new -x509 -days 3650 -sha1 -nodes -key rui.key -out rui.crt -subj "/C=US/ST=CA/L=HAWTHORNE/CN=WDC-WIN2K8_InventoryService"

By default, the SSL folder location for the Inventory service is:

Inventory_Service_Installation_location\Inventory Service\ssl

By default, the SSL folder location for the vSphere Web Client is:

vSphere_Web_Client_Installation_location\vSphere Web Client\DMServer\config\ssl
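The Method 1 commands above, together with the per-component variant used for the Inventory Service and vSphere Web Client, as one POSIX sh script with the checks worth running before the new files are copied back. This is an added example, not part of the KB article and not VMware's code: the function names, the RUI_PFX_PASSWORD variable and the host name vc01.example.com are this example's own assumptions. It generalizes the page's commands slightly by accepting either a bare FQDN or a full /type=value subject, and by making the digest a parameter (default sha256; pass sha1 to reproduce the KB commands exactly).

```shell
#!/bin/sh
# Added example (not from the VMware KB): regenerate rui.crt and rui.pfx
# from an existing rui.key with OpenSSL, then verify the result before
# copying it into the vCenter Server / Inventory Service / Web Client
# SSL directory. Function names and the usage host name are assumptions.

# regen_rui_cert KEY SUBJECT OUTDIR [DAYS] [DIGEST]
#   SUBJECT: bare FQDN (wrapped as /CN=FQDN) or a full /type=value DN,
#            which is the form openssl -subj requires.
#   DIGEST:  sha256 by default; sha1 mirrors the KB commands for
#            vCenter 4.x/5.0 (SHA-1/MD5 signatures are weak, use only
#            where the consuming component needs them).
#   The PFX password defaults to vCenter's "testpassword"; override with
#   RUI_PFX_PASSWORD and update keystorePass in Tomcat's server.xml.
regen_rui_cert() {
    key=$1 subject=$2 outdir=$3 days=${4:-3650} digest=${5:-sha256}
    pass=${RUI_PFX_PASSWORD:-testpassword}
    case $subject in
        /*) ;;                         # already /C=.../CN=...
        *)  subject="/CN=$subject" ;;  # bare host name: wrap it
    esac
    mkdir -p "$outdir" || return 1
    # Same key pair, new self-signed certificate valid for $days days.
    # (On Windows, or where no default openssl.cnf exists, add
    # -config openssl.cnf as the KB notes.)
    openssl req -new -x509 -days "$days" "-$digest" -nodes \
        -key "$key" -out "$outdir/rui.crt" -subj "$subject" || return 1
    # Bundle key + cert for Tomcat: the 8443 connector reads rui.pfx.
    openssl pkcs12 -export -in "$outdir/rui.crt" -inkey "$key" -name rui \
        -passout "pass:$pass" -out "$outdir/rui.pfx" || return 1
    # rui.pfx holds the private key under a well-known password, so the
    # file mode is the real protection.
    chmod 600 "$outdir/rui.pfx"
}

# cert_expires_within CRT SECONDS: true if CRT is already expired or
# expires within SECONDS (openssl -checkend exits 1 in that case).
cert_expires_within() {
    if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# cert_is_valid CRT: true if CRT has not expired yet.
cert_is_valid() {
    ! cert_expires_within "$1" 0
}

# cert_not_after CRT: print the notAfter date for reporting.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate 2>/dev/null | sed 's/^notAfter=//'
}

# cert_matches_key CRT KEY: true if the certificate carries the public
# key derived from KEY, i.e. rui.key really was reused.
cert_matches_key() {
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    [ -n "$pub" ] && [ "$pub" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# cert_cn CRT: print the subject CN (RFC 2253 form lists CN first).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# pfx_opens_with PFX PASSWORD: true if the PKCS#12 MAC verifies under
# PASSWORD, the same check Tomcat performs with keystorePass at startup.
pfx_opens_with() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# verify_rui_cert CRT KEY PFX [PASSWORD]: run every check, report, and
# return non-zero if any of them failed.
verify_rui_cert() {
    rc=0
    if cert_is_valid "$1"; then echo "ok   not expired (notAfter=$(cert_not_after "$1"))"
    else echo "FAIL expired: notAfter=$(cert_not_after "$1")"; rc=1; fi
    if cert_matches_key "$1" "$2"; then echo "ok   certificate matches $2"
    else echo "FAIL certificate public key does not match $2"; rc=1; fi
    if pfx_opens_with "$3" "${4:-testpassword}"; then echo "ok   $3 opens with keystorePass"
    else echo "FAIL $3 does not open with the expected password"; rc=1; fi
    echo "CN=$(cert_cn "$1")"
    return $rc
}

# Usage: sh regen-rui.sh /path/to/rui.key vc01.example.com /tmp/newssl
# Copy rui.crt and rui.pfx from /tmp/newssl into the SSL directory with
# the VirtualCenter Server service stopped, then start it again.
if [ $# -ge 3 ]; then
    regen_rui_cert "$1" "$2" "$3" && verify_rui_cert "$3/rui.crt" "$1" "$3/rui.pfx"
fi
```

Run verify_rui_cert against the files already in the SSL directory first: an expired certificate shows up as the first FAIL line, and a certificate that no longer matches rui.key explains the disconnected-host behaviour described under Method 2 before you touch anything.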


Additional notes on vSphere 4.1 / 5.0

The procedure for replacing SSL certificates has changed in vSphere 4.1. For more information, see Replacing vCenter Server 4.1 and 5.0 SSL certificates using the vpxd -p command fails with the error: failed to do early initialization (1030661).

In ESXi 4.1, you can create new self-signed certificates. For more information, see hostd fails to start with a Crypto Exception error (1021625).

In vCenter Server 4.1 and 5.0, the certificates must be reloaded to the Managed Object Browser (MOB). For more information, see:

Method 2 (for VirtualCenter 2.5)

With this method, a new VirtualCenter SSL certificate is generated via the installation/repair process. This method is only applicable to VirtualCenter Server 2.5, as vCenter Server 4.0 and 4.1 do not have a repair option available.

Note: For VirtualCenter 2.5 Update 2 and earlier, disconnect all ESX hosts. VirtualCenter 2.5 Update 3 and higher automatically disconnects the hosts.

To regenerate an expired certificate:

  1. Stop the VMware VirtualCenter Server service. For more information, see Stopping, starting, or restarting vCenter services (1003895).

  2. Browse to C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL and remove these files (or move them to another folder):

    rui.crt
    rui.key
    rui.pfx


  3. Click Control Panel > Add/Remove Programs, and choose to run a Repair on the VirtualCenter Server installation.

    Caution: Ensure you do not choose to initialize the database.

  4. After the repair is complete, there are three new rui files created in:

    C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL

  5. Start the VMware VirtualCenter Server service. For more information, see Stopping, starting, or restarting vCenter services (1003895).

  6. Use the VMware Infrastructure Client to connect to vCenter Server. The ESX hosts appear in a disconnected state. This is expected because vpxd.exe cannot decrypt the vpxuser password stored in the database using the current SSL certificates.

  7. Manually reconnect all hosts.

Update History

10/27/2010 - Added ESX 4.0 and 4.1 to Products; indicated that OpenSSL is not pre-installed on ESXi.
04/18/2011 - Added steps to edit keystorePass.
05/20/2011 - Removed 4.1 from product versions, and linked 1030661.
02/23/2012 - Added link to recreate self-signed certificates.
08/23/2012 - Added links referencing MOB in additional info section.
08/23/2012 - Added link for SRM/VRMS.
12/10/2012 - Added link to implementing SSL certs for vCenter Server 5.1.
12/13/2013 - Added link to article 1003070.
