Knowledge Base

The VMware Knowledge Base provides support solutions, error messages and troubleshooting guides
 
Search the VMware Knowledge Base (KB)   View by Article ID
 

Configuring CA signed SSL certificates for vSphere Update Manager in vCenter Server 5.1 and 5.5 (2037581)

Purpose

Note: This article is specific to vSphere 5.1 and vSphere 5.5. If you are using vSphere 5.0, see Implementing CA signed SSL Certificates with vSphere 5.0 (2015383).
 
This article guides you through the configuration of Certificate Authority (CA) certificates for vSphere Update Manager in vSphere 5.1 and vSphere 5.5. VMware has released a tool to automate much of the described process below. Please see Deploying and using the SSL Certificate Automation Tool 1.0.x (2041600) before following the steps in the article.
 
If you cannot use the automation tool, proceed with this article for configuration steps and details for implementing custom certificates in your environment. The article also helps avoid common misconfigurations
 
You can replace only the SSL certificates that Update Manager uses for communication between the Update Manager server and client components.

You cannot replace the SSL certificates that Update Manager uses on port 9087 when importing offline bundles or upgrade release files.

Resolution

Note: This article is part of a resolution path. See Implementing CA signed SSL certificates with vSphere 5.x (2034833) before following the steps in this article.
 
Creating CA assigned certificates for vSphere is a complex task. In many organizations it is required to maintain proper security for regulatory requirements. There are several different work flows required for successful implementation:
  • Creating the certificate request
  • Getting the certificate
  • Installation and configuration of the certificate in the vSphere Update Manager
These steps must be followed to ensure successful implementation of a custom certificate for vSphere Update manager. Before attempting these steps, ensure that:

Installation and configuration of the certificate for the vSphere Update manager

To complete the installation and configuration of the certificate for vSphere Update Manager after the certificate has been created:
  1. Log in to the vSphere Update Manager server as an administrator.
  2. If you have not already imported it, double click on the c:\certs\Root64.cer file and import the certificate into the Trusted Root Certificate Authorities > Local Computer Windows certificate store. This ensures that the certificate server is trusted.
  3. Backup the current certificates. By default, vSphere Update Manager stores its certificates in the C:\Program Files (x86)\VMware\Infrastructure\Update Manager\SSL directory.
  4. Copy the new certificate files to this directory replacing the current ones. If you are following the series of articles in the resolution path, the certificates are located in C:\certs\Update Manager.
  5. Stop the vSphere Update Manager Service and the vSphere Update Manager UFA services from the services control manager (services.msc).
  6. Launch the VMwareUpdateManagerUtility.exe application. By default, it is located in C:\Program Files (x86)\VMware\Infrastructure\Update Manager.
  7. When prompted, enter the correct credentials to log in to the utility.

    Notes:
    • If the system becomes unresponsive and then fails and if vCenter Server is on the same system as vSphere Update Manager, try using 127.0.0.1:80 as the address for vCenter Server. If you cannot log in, file a Support Request with VMware Support and quote this Knowledge Base article ID (2037581) in the problem description. For more information, see Filing a Support Request in My VMware (2006985).
    • If Update Manager is not installed on the same system as vCenter Server, the loopback address does not work. In this case, edit the hosts file located at c:\windows\System32\drivers\etc\ and add an alternate DNS name for vCenter Server. For example, if vCenter1.acme.com is the vCenter Server at 10.10.10.10, add 10.10.10.10 vc1.acme.com and use this alternate name to log in to the utility.

  8. Click the SSL Certificate Link.
  9. Select the Followed and verified the steps option.
  10. Click Apply.
  11. Click OK when you see the message:

    Restart the VMware vSphere Update Manager service to apply the setting

  12. Start the vSphere Update manager and vSphere Update Manager UFA services.
The configuration of the custom certificates for vSphere Update Manager is now complete. Next, continue to install the custom certificates for the ESXi Hosts. For more information, see Implementing CA signed SSL certificates with vSphere 5.x (2034833).

See Also

Update History

2/28/2013 - Added notes to the Resolution section.

Request a Product Feature

To request a new product feature or to provide feedback on a VMware product, please visit the Request a Product Feature page.

Feedback

  • 6 Ratings

Did this article help you?
This article resolved my issue.
This article did not resolve my issue.
This article helped but additional information was required to resolve my issue.
What can we do to improve this information? (4000 or fewer characters)
  • 6 Ratings
Actions
KB: