This article provides information on manually configuring Certificate Authority (CA) signed SSL certificates in a vSphere 5.1 or vSphere 5.5 environment. VMware has released a tool to automate much of the described process below. Please see Deploying and using the SSL Certificate Automation Tool 1.0.x (2041600) before following the steps in the article.

In the case that you are unable to use the tool this article helps you eliminate common causes for problems during certificate implementation, including configuration steps and details, and helps avoid common misconfigurations in the implementation of custom certificates in your environment.

Note: This article is specifically for vSphere 5.1 and vSphere 5.5. If you are using vSphere 5.0, see Implementing CA signed SSL certificates with vSphere 5.0 (2015383).

VMware vSphere ESXi 5.1
VMware vSphere ESXi 5.5
VMware vSphere Update Manager 5.1.x
VMware vCenter Server 5.1.x
VMware vCenter Server 5.5.x
VMware vSphere Update Manager 5.5.x

Configuring CA signed certificates is a challenge with vSphere as with any complex enterprise environment. Securing an environment is a requirement in many large organizations. You need either public certificates (such as Verisign or Globaltrust), Microsoft CA certificates, or OpenSSL CA certificates to ensure secure communication.

This article provides steps to allow configuration of these certificates on vSphere components in an environment. This article also assumes that all components are installed and running already with self-signed certificates.

Ensure that you validate each step below. Each step provides instructions or a link to a document that provides information on configuring the certificates in your environment.
 

Core vSphere components

1. Create a new Certificate Authority template for certificate generation. For more information, see Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 5.x (2062108).
    
2. Generate certificate requests and certificates for each of the vCenter Server components. For more information, see:
   • Creating certificate requests and certificates for vCenter Server 5.1 components (2037432)
   • Creating certificate requests and certificates for vCenter Server 5.5 components (2061934)
3. Replace the vCenter Single Sign-On certificates. For more information, see:
   • Configuring CA signed SSL certificates for vCenter Single Sign-On in vSphere 5.1 (2035011)
   • Configuring CA signed SSL certificates for vCenter Single Sign-On in vSphere 5.5 (2058519)
4. Replace the Inventory Service certificates. For more information, see:
   • Configuring CA signed SSL certificates for the Inventory service in vCenter Server 5.1 (2035009)
   • Configuring CA signed SSL certificates for the Inventory service in vCenter Server 5.5 (2061953)
5. Replace the vCenter Server 5.x certificates. For more information, see:
   • Configuring CA signed certificates for vCenter Server 5.1 (2035005)
   • Configuring CA signed certificates for vCenter Server 5.5 (2061973)
6. Replace the vSphere Web Client certificates. For more information, see:
   • Configuring CA signed SSL certificates for the vSphere Web Client and Log Browser in vCenter Server 5.1 (2035010)
   • Configuring CA signed SSL certificates for the vSphere Web Client and Log Browser in vCenter Server 5.5 (2061975)
      
7. Replace ESXi 5.x host certificates. For more information, see Configuring CA signed SSL certificates with ESXi 5.x hosts (2015499).

 

Peripheral vSphere components

1. Replace the vSphere Update Manager Certificates. For more information, see Configuring CA signed SSL certificates for VMware Update Manager in vSphere 5.1 and 5.5 (2037581).
    
2. Replace the vSphere Auto Deploy Certificates. For more information, see Configuring CA signed SSL certificates for vSphere Auto Deploy in vSphere 5.x (2073588).

If your issue persists even after trying these steps:

• Collect the custom certificate configuration information, including the OpenSSL configuration file (normally openssl.cfg), rui.key, rui.crt, and rui.csr.
• Gather the VMware Support Script Data. For more information, see Collecting diagnostic information for VMware products (1008524).
• File a support request with VMware Support, include the gathered information, and note this Knowledge Base article ID (2034833) in the problem description. For more information, see Filing a Support Request in Customer Connect (2006985).

How to file a Support Request in Customer Connect
Implementing CA signed SSL certificates with vSphere 5.0
Configuring CA signed certificates for ESXi 5.x hosts
Configuring CA signed certificates for vCenter Server 5.1
Configuring CA signed SSL certificates for the Inventory service in vCenter Server 5.1
Configuring CA signed SSL certificates for the vSphere Web Client and Log Browser in vCenter Server 5.1
Configuring CA signed SSL certificates for VMware vCenter Single Sign-On in vSphere 5.1
Creating certificate requests and certificates for vCenter Server 5.1 components
Configuring CA signed SSL certificates for vSphere Update Manager in vCenter Server 5.1 and 5.5
Deploying and using the SSL Certificate Automation Tool 1.0.x
Configuring CA signed SSL certificates for vCenter Single Sign-On in vSphere 5.5
Configuring CA signed SSL certificates for the Inventory service in vCenter Server 5.5
Configuring CA signed certificates for vCenter Server 5.5
Configuring CA signed SSL certificates for the vSphere Web Client and Log Browser in vCenter Server 5.5
Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 5.x
Configuring CA signed SSL certificates for vSphere Auto Deploy in vSphere 5.x
vSphere 5.x の vSphere Auto Deploy に CA 署名された SSL 証明書を構成する方法
vSphere 5.x への CA 署名された SSL 証明書の組み込みについて
vSphere Auto Deploy Waiter サービスを下位の認証局として使用する方法
使用 vSphere 5.x 实施 CA 签名的 SSL 证书