Knowledge Base

The VMware Knowledge Base provides support solutions, error messages and troubleshooting guides
 
Search the VMware Knowledge Base (KB)   View by Article ID
 

Replacing SSL certificates for VMware vCenter Update Manager by using the Update Manager Utility (1023011)

Details

You can replace the default Update Manager SSL certificates with either self-signed certificates or certificates signed by a commercial certification authority (CA). This article provides information on replacing the SSL certificates in Update Manager 4.1 Update 1 and later.

The Update Manager 4.1 Update 1 and later releases include the Update Manager Utility that lets you replace the SSL certificates for Update Manager and perform other reconfiguration tasks. The Update Manager Utility is not available in earlier releases.

You can replace only the SSL certificates that Update Manager uses for communication between the Update Manager server and client components.

You cannot replace the SSL certificates that Update Manager uses on port 9087 when importing offline bundles or upgrade release files.

Certificate specifications

VMware products use standard X.509 version 3 (X.509v3) certificates. The default certificates must be replaced only with a signed certificate that conforms to Privacy Enhanced Mail (PEM), a key format that stores data in a Base-64 encoded Distinguished Encoding Rules (DER) format.

The key used to sign the certificates must be a standard RSA key with an encryption length ranging from 512 to 2048 bits. The recommended length is 2048 bits.

Certificate Location

Certificates are stored in the SSL folder located in the Update Manager installation directory.

  • The default path in 64-bit Windows is  C:\Program Files (x86)\VMware\Infrastructure\Update Manager\SSL
  • The default path in 32-bit Windows is C:\Program Files\VMware\Infrastructure\Update Manager\SSL

Solution

Replacing the default certificates with Self-Signed Certificates

  1. On the Update Manager Server, download and install OpenSSL 0.9.8.
  2. Create a file named updatemanager.cfg, and include these configuration settings in the file:

    [ req ]
    default_bits = 2048
    default_keyfile = rui.key
    distinguished_name = req_distinguished_name
    encrypt_key = no
    prompt = no
    string_mask = nombstr
    req_extensions = v3_req

    [ v3_req ]
    basicConstraints = CA:FALSE
    keyUsage = digitalSignature, keyEncipherment, dataEncipherment
    extendedKeyUsage = serverAuth, clientAuth
    subjectAltName = DNS: ServerShortName, DNS: ServerIPAddress, DNS: server.domain.com

    [ req_distinguished_name ]
    countryName = Country
    stateOrProvinceName = State
    localityName = City
    0.organizationName = Company Name
    organizationalUnitName = VMwareUpdateManager
    commonName = server.domain.com


    Note: Modify all entries according to your environment specifications and ensure that you enter a commonName.

  3. Open a command prompt and navigate to the openssl/bin folder.
  4. To create the self-signed certificate (rui.key and rui.crt), run the command:

    openssl req -x509 -sha256 -newkey rsa:2048 -keyout rui.key -extensions x509 -config updatemanager.cfg -out rui.crt -days 3650

  5. To generate the .pfx file, run the command:

    openssl pkcs12 -export -in rui.crt -inkey rui.key -name "rui" -passout pass:testpassword -out rui.pfx

  6. On the Windows machine where Update Manager is installed, stop the VMware vCenter Update Manager service.
  7. Backup and replace the certificates.

    • Copy rui.crt, rui.key, and rui.pfx from the machine where you generated the certificate files to the machine where Update Manager is installed.
    • Backup the files rui.crt, rui.key, and rui.pfx, located in the <Update_Manager_installation_directory>\SSL folder and replace the old rui.crt, rui.key, and rui.pfx with the files you created.

  8. On the Windows machine where Update Manager is installed, import the certificates by using the Update Manager Utility:

    Note: For more information about the procedure, see the Reconfiguration of VMware vCenter Update Manager Guide.


    1. Navigate to the Update Manager installation directory and double-click VMwareUpdateManagerUtility.exe to start the Update Manager Utility.

      Note: You may need to right-click VMwareUpdateManagerUtility.exe and Click Run as administrator.

    2. Log in using the administrator credentials and the IP address or host name of vCenter Server system.
    3. In the Options pane of the Update Manager Utility, Click SSL Certificate.
    4. In the Configurations pane, select Followed and verified the steps, and Click Apply.

  9. After the operation completes, start the VMware vCenter Update Manager service.
  10. From the vSphere Client, install the new certificate in the Trusted root certificate authorities folder.
  11. When you connect to the Update Manager server, a dialog with a security warning appears. In the Security Warning dialog, Click View Certificate.
  12. In the Certificate window, Click Install Certificate. The Certificate Import Wizard appears.
  13. Select the Place all certificates in the following store option and Click Browse. The Select Certificate Store window appears.
  14. Navigate to Trusted root certificate authorities > Local Computer in the tree pane.
  15. Select the Show physical stores option and Click OK.
  16. In the Certificate Import Wizard, Click Next and then Click Finish. If the import is successful, you see a dialog with the message:

    The import was successful

  17. Click OK.

Replacing the default SSL Certificates with Certificates Signed by a Commercial CA

  1. On the Update Manager Server, download and install download and install OpenSSL 0.9.8.
  2. Create a file named updatemanager.cfg, and include these configuration settings in the file:

    [ req ]
    default_bits = 2048
    default_keyfile = rui.key
    distinguished_name = req_distinguished_name
    encrypt_key = no
    prompt = no
    string_mask = nombstr
    req_extensions = v3_req

    [ v3_req ]
    basicConstraints = CA:FALSE
    keyUsage = digitalSignature, keyEncipherment, dataEncipherment
    extendedKeyUsage = serverAuth, clientAuth
    subjectAltName = DNS: ServerShortName, IP: ServerIPAddress, DNS: server.domain.com

    [ req_distinguished_name ]
    countryName = Country
    stateOrProvinceName = State
    localityName = City
    0.organizationName = Company Name
    organizationalUnitName = VMwareUpdateManager
    commonName = server.domain.com


    Note: Modify all entries according to your environment specifications and ensure that you enter a commonName.

  3. Open a command prompt and navigate to the openssl/bin folder.
  4. Create a certificate-signing request for Update Manager, run the command:

    openssl req -new -nodes -out rui.csr -keyout rui-orig.key -config updatemanager.cfg

  5. Convert the key to the proper RSA format for vSphere Update Manager, run the commnd:

    openssl rsa -in rui-orig.key -out rui.key

  6. Send the certificate request to a commercial certificate authority of your choice and wait for the return of the signed certificate.

  7. After receiving the signed certificate from the commercial certificate authority, rename it to rui.crt.

    Note: Because of a known issue in the JRE keytool.exe application, certificates must not contain any characters before the ---BEGIN CERTIFICATE--- section or after the ---END CERTIFICATE--- section of the certificate. If the certificate contains any characters in those places, use a text editor to delete the characters.

  8. Create the PFX file .pfx file, run the command:

    openssl pkcs12 -export -in rui.crt -inkey rui.key -name "rui" -passout pass:testpassword -out rui.pfx

  9. On the Windows machine where Update Manager is installed, stop the VMware vCenter Update Manager service.
  10. Backup the files rui.crt, rui.key, and rui.pfx, located in the <Update_Manager_installation_directory>\SSL folder and replace the old rui.crt, rui.key, and rui.pfx with the files you created.
  11. On the Windows machine where Update Manager is installed, import the certificates using the Update Manager Utility. For more information about the procedure, see the Reconfiguration of VMware vCenter Update Manager Guide.
  12. Navigate to the Update Manager installation directory and double-click VMwareUpdateManagerUtility.exe to start the Update Manager Utility.
  13. Log in using the administrator credentials and the IP address or host name of vCenter Server system.
  14. In the Options pane of the Update Manager Utility, Cick SSL Certificate.
  15. In the Configurations pane, select Followed and verified the steps, and click Apply.
  16. After the operation completes, start the VMware vCenter Update Manager service.

Note: For Update Manager 5.0, if the certificate for the Inventory Service is not modified, the Update Manager Utility cannot upgrade the certificate for Update Manager. In this case, you continue to see a default install certificate message when enabling the Update Manager plugin. For more information, see Configuring CA signed certificates for VMware vCenter Server 5.0.x (2015421).

Tags

update-manager-ssl-certificates

Update History

03/24/2011 - Added version 4.1 to product list. 7/26/2011 - Specified that the Utility is not available in earlier releases. 10/06/2011 - Added VUM 5.0 to product list based on SR in feedback. 10/11/2011 - Corrected the typos 07/12/2012 - Added clarification for rui.crt file in steps 2 C and D in second procedure. 10/11/2012 - Added a note to step 6 (a) 03/292013 - added confidential note re: generating cert requests from host.

Request a Product Feature

To request a new product feature or to provide feedback on a VMware product, please visit the Request a Product Feature page.

Feedback

  • 7 Ratings

Did this article help you?
This article resolved my issue.
This article did not resolve my issue.
This article helped but additional information was required to resolve my issue.
What can we do to improve this information? (4000 or fewer characters)
  • 7 Ratings
Actions
KB: