Configuring CA signed certificates for VMware vCenter Server 5.0.x (2015421)
This article guides you through configuring Certificate Authority (CA) signed certificates for a vCenter Server 5.0 server. It covers the configuration steps and details that commonly cause problems during certificate implementation, so that custom certificates can be put in place in your environment without misconfiguration.
Note: This article is specifically for vSphere 5.0. If you are using vSphere 5.1, see Implementing CA signed SSL Certificates with vSphere 5.1 (2034833).
Note: This article is part of a resolution path. Before you follow steps in this article, see Implementing CA signed SSL certificates with vSphere 5.0 (2015383).
Creating CA signed certificates for vCenter Server is a complex task, and many organizations require it to satisfy their security policies or regulatory requirements. Successful implementation requires several distinct workflows:
- Creating the certificate request
- Getting the certificate
- Installation and configuration of the certificate in vCenter Server
Follow these steps in order to ensure a successful implementation of a custom certificate for vCenter Server. Before attempting them, ensure that:
- You have a vSphere 5.0 environment
- The steps in the Configuring OpenSSL article have been completed
Generating a certificate request
Note: If you are going to implement an OpenSSL Self-Signed Certificate as a CA, proceed to the Getting the certificate section of this article as no request file is needed.
To generate a certificate request for vCenter Server:
- Launch a command prompt and navigate into the OpenSSL directory as previously configured in the Configuring OpenSSL article. By default this is C:\OpenSSL-Win32\bin.
- Execute the command:
openssl req -new -nodes -out rui.csr -keyout rui.key -config openssl.cfg
Note: There are no prompts because all information was provided in the openssl.cfg file, as configured in the previous article.
This will create the certificate request rui.csr.
- To validate that the CSR is created properly, run the following command:
openssl req -in rui.csr -noout -text
Verify the output to make sure that all of the parameters entered in the openssl.cfg file are properly set: check the Subject fields and, if you configured one, the X509v3 Subject Alternative Name entries. If a value is wrong or a name is missing, correct openssl.cfg and generate the request again before submitting it; the CA issues exactly what the request asks for.
After rui.csr is created, go to the Getting the certificate section of this document.
Getting the certificate
After the certificate request is created, it must be given to the certificate authority, which generates the actual certificate. The authority returns the certificate and, if appropriate, a copy of its root certificate. For the certificate chain to be trusted, the root certificate must be installed on the server.
Follow the appropriate section below for the steps for the certificate authority in question.
For Commercial CAs:
- Take the certificate request ( rui.csr as generated above) and send it to the authority in question.
- The authority sends back the generated certificate.
- Install the root certificate onto the vCenter Server before proceeding to Installation and configuration of the certificate in vCenter Server.
For Microsoft CAs:
- Log in to the Microsoft CA certificate authority Web interface. By default, it is http://servername/CertSrv/.
- Click the Request a certificate link.
- Click advanced certificate request.
- Click the Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file link.
- Open the certificate request (rui.csr) in a plain text editor and paste its entire contents, from -----BEGIN CERTIFICATE REQUEST----- through -----END CERTIFICATE REQUEST----- inclusive, into the Saved Request box.
- Select the Certificate Template as Web Server.
Note: It is recommended to create a copy of the Web Server certificate template and add the Subject Alternative Name field to it. This allows more than one name to be valid on the certificate, such as vcenter.domain.com and vcenter, so that users can connect with any of those names and communication is still trusted. If you do this, modify openssl.cfg accordingly (as shown in the example configuration) and select the new certificate template in this step.
- Click Submit to submit the request.
- Click Base 64 encoded on the Certificate issued screen.
- Click the Download Certificate link.
- Save the certificate on the desktop of the server as rui.crt.
Proceed to the Installation and configuration of the certificate in vCenter Server section of this article to complete the configuration of the custom certificate.
For OpenSSL Self-Signed Certificates:
- Create the certificate by running the command:
openssl req -x509 -sha256 -newkey rsa:2048 -keyout rui.key -config openssl.cfg -out rui.crt -days 3650 -nodes
This command outputs the certificate as needed to proceed to Installing and configuring the certificate in vCenter Server.
Installation and configuration of the certificate in vCenter Server
After the certificate has been created, follow these steps to complete the installation and configuration of the certificate in vCenter Server:
- Install the root certificate from the certificate authority onto the host.
Note: If you are using a self-signed certificate from OpenSSL, you import the certificate into the trusted root store when logging in to vCenter Server for the first time. For more information, see the final validation step in this section.
- From the system where OpenSSL has been configured, launch a command prompt and navigate to the OpenSSL directory. By default, this is C:\OpenSSL-Win32\bin.
- Execute this command to create the rui.pfx file:
openssl pkcs12 -export -in \path\to\file\rui.crt -inkey rui.key -name "rui" -passout pass:testpassword -out \path\to\file\rui.pfx
Note: In a default configuration of vCenter Server, the certificate store password must be testpassword. Because this password is fixed and publicly documented, it provides no real protection for the private key; restrict file system permissions on rui.key and rui.pfx to administrators, and remove any working copies (for example, from the desktop) once the certificate is installed.
- To test the encoding, run this command:
openssl pkcs12 -in rui.pfx -info
When prompted, enter testpassword as both the Import Password and the PEM pass phrase. This displays information about the file, including the certificate and the private key.
- Log in to vCenter Server as an administrator.
- Back up the certificates for the VMware VirtualCenter Server service and the Inventory Service. By default, the certificates are located at:
Windows 2008 – C:\ProgramData\VMware\VMware VirtualCenter\SSL
Windows 2003 – C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL
Windows 2008 and 2003 – C:\Program Files\VMware\Infrastructure\Inventory Service\ssl and C:\Program Files\VMware\Infrastructure\vSphereWebClient\DMServer\config\ssl
- Copy the new rui.crt, rui.key and rui.pfx files into each of the folders listed above, replacing the backed-up originals.
- Go to https://localhost/mob/?moid=vpxd-securitymanager&vmodl=1 on the vCenter Server and load the certificates for the configuration by using the Managed Object Browser.
- Click Continue if you are prompted with a certificate warning.
- Type the administrator username and password when prompted.
- Click reloadSslCertificate.
- Click Invoke Method. If the call succeeds, the window shows Method Invocation Result: void.
- Close both windows.
- Open a command prompt on vCenter Server using the Run As Administrator option and change to the vCenter Server directory. By default, this is C:\Program Files\VMware\Infrastructure\VirtualCenter Server.
- Run this command:
vpxd -p
- When prompted, type the password for the vCenter Server database user. This re-encrypts the stored database password with the new certificate; the service cannot start if the password is still encrypted with the old one.
- Restart the VMware VirtualCenter Server service from the service control manager, which in turn restarts the vCenter Management Web Services, Inventory, and Profile driven storage services.
- After the initial restart of the service, wait for 5 minutes. If the profile driven storage service stops during this time, restart it.
- Log in to vCenter Server and validate that the plug-ins, such as Hardware Status and vCenter Service Status, are enabled and running properly. If you are using an OpenSSL self-signed certificate, install it as a trusted root on first login: when the certificate warning appears, click View Certificate, click Install Certificate, and place the certificate in the Trusted Root Certification Authorities store for the Local Computer. Complete the wizard; The import was successful is displayed.
Note: If the certificate was issued not directly by a root authority but by an intermediate authority, you must include the intermediate certificate in the rui.pfx file so that vCenter Server presents the full chain to clients. To do so, run this command, where CACert.crt contains the PEM-encoded intermediate certificate (if there is more than one intermediate, concatenate them into this one file):
openssl pkcs12 -export -in rui.crt -inkey rui.key -certfile CACert.crt -name rui -passout pass:testpassword -out rui.pfx
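The whole workflow above, from generating the request through bundling the issuing chain into rui.pfx, as an added example that is not part of the VMware article: a POSIX shell script (the openssl commands are identical on Windows with OpenSSL-Win32) that writes a SAN-enabled openssl.cfg of the kind the Microsoft CA note calls for, produces rui.key and rui.csr, stands in for the CA with a constructed self-signed test root, builds rui.pfx with the chain and the testpassword store password, and then runs the checks a practitioner wants before copying anything into the vCenter Server SSL folders. All names (vcenter.example.com, Example Corp, the test CA) are made-up placeholders, and openssl must be on PATH.

```shell
#!/usr/bin/env bash
# Added example (not VMware's code): rui.key -> rui.csr -> rui.crt -> rui.pfx
# end to end against a throwaway test CA, with the checks that catch the usual
# mistakes (missing SAN, key/cert mismatch, wrong store password, chain left
# out of the PFX). Hostnames, DN values and the test CA are constructed.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
PFX_PASS="testpassword"   # vCenter Server 5.0 default certificate store password

# openssl.cfg in the shape the article relies on: no prompts, subject and SAN
# taken from the file. The SAN list is what a SAN-enabled template copies.
write_openssl_cfg() {
  cat > "$WORKDIR/openssl.cfg" <<'EOF'
[ req ]
default_bits       = 2048
default_md         = sha256
default_keyfile    = rui.key
distinguished_name = req_distinguished_name
encrypt_key        = no
prompt             = no
string_mask        = nombstr
req_extensions     = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName   = DNS:vcenter.example.com, DNS:vcenter, IP:192.0.2.10

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = keyCertSign, cRLSign

[ req_distinguished_name ]
countryName            = US
stateOrProvinceName    = California
localityName           = Palo Alto
0.organizationName     = Example Corp
organizationalUnitName = vCenterServer
commonName             = vcenter.example.com
EOF
}

# "Generating a certificate request": the article's command, no prompts.
make_csr() {
  write_openssl_cfg
  (cd "$WORKDIR" && openssl req -new -nodes -out rui.csr -keyout rui.key -config openssl.cfg 2>/dev/null)
}

# Confirm a name is in the CSR's SAN before the request goes to the CA.
csr_has_san() {   # usage: csr_has_san vcenter.example.com
  case "$(openssl req -in "$WORKDIR/rui.csr" -noout -text)" in
    *"DNS:$1"*) return 0 ;; *) return 1 ;; esac
}

# Stand-in for the commercial or Microsoft CA: a self-signed root signs rui.csr
# and copies the requested v3_req extensions (SAN included) into the leaf.
issue_from_test_ca() {
  (cd "$WORKDIR" \
    && openssl req -x509 -sha256 -newkey rsa:2048 -nodes -days 3650 -config openssl.cfg \
         -subj "/CN=Example Test Root CA" -extensions v3_ca -keyout ca.key -out ca.crt 2>/dev/null \
    && openssl x509 -req -sha256 -days 730 -in rui.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
         -extfile openssl.cfg -extensions v3_req -out rui.crt 2>/dev/null)
}

# The article's rui.pfx command, with -certfile carrying the issuing chain
# (here the test root; in production the intermediate certificate(s)).
build_pfx() {
  (cd "$WORKDIR" && openssl pkcs12 -export -in rui.crt -inkey rui.key -certfile ca.crt \
       -name rui -passout "pass:$PFX_PASS" -out rui.pfx)
}

# A certificate that does not belong to rui.key is the classic cause of a failed
# reloadSslCertificate; compare the RSA moduli before copying anything.
key_matches_cert() {
  [ "$(openssl rsa -in "$WORKDIR/rui.key" -noout -modulus 2>/dev/null)" = \
    "$(openssl x509 -in "$WORKDIR/rui.crt" -noout -modulus)" ]
}

# The leaf must chain to the CA certificate that gets installed on the server.
cert_chains_to_ca() {
  case "$(openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/rui.crt" 2>&1)" in
    *": OK"*) return 0 ;; *) return 1 ;; esac
}

# Open the PFX with the store password and count the certificates inside:
# 2 means leaf plus issuing chain, 1 means the -certfile step was skipped.
pfx_cert_count() {
  openssl pkcs12 -in "$WORKDIR/rui.pfx" -nokeys -passin "pass:$PFX_PASS" | grep -c 'BEGIN CERTIFICATE'
}

# The friendly name set by -name; vCenter expects the entry to be called rui.
pfx_has_friendly_name() {   # usage: pfx_has_friendly_name rui
  case "$(openssl pkcs12 -in "$WORKDIR/rui.pfx" -nokeys -passin "pass:$PFX_PASS")" in
    *"friendlyName: $1"*) return 0 ;; *) return 1 ;; esac
}

make_csr
issue_from_test_ca
build_pfx
echo "built rui.pfx containing $(pfx_cert_count) certificate(s)"
```

Run it once with the test CA to learn the shape of the output, then point the same checks at the real rui.crt, CACert.crt and rui.pfx from your CA: a pfx_cert_count of 1 on a certificate signed by an intermediate means the chain note above was skipped, and a failed key_matches_cert means the CSR that was submitted was not generated from the rui.key you are bundling.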
The configuration of the custom certificates is now complete. Other services, such as the vSphere Web Client, must also be reconnected to vCenter Server because the certificate they previously trusted has changed.
At this point, continue with the remainder of Implementing CA signed SSL certificates with vSphere 5.0.
- Implementing CA signed SSL certificates with vSphere 5.0
- Implementing CA signed SSL certificates with vSphere 5.1