How to install a new Certificate for vCenter Server

Everybody knows this warning. I will now show you how to change the vCenter Certificate to avoid this ugly page.

For those who are completely new to this topic, I suggest checking out https://tenthirtyam.org/inf4529/index.html

VMware vSphere has multiple components that have their own Certificate. These are:

  • ESXi Certificates
  • Machine SSL Certificates
  • Solution User Certificates
  • Single Sign-On Certificates

 

We have four different options for handling Certificates in vCenter Server 6:

  1. VMCA (VMware CA) as root CA
  2. VMCA as Enterprise CA Subordinate
  3. Custom CA
  4. Hybrid

Today we care about the Hybrid Mode. That means we will replace the Machine SSL Certificate with an official one from e.g. QuoVadis and leave the other Certificates, like ESXi or Solution Users, at their defaults.

 

Certificate Request:

First we have to open the vSphere Certificate Manager, which is located under:

  • Windows vCenter 6.0 “C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager”
  • vCSA 6.0 (vCenter Server Appliance) “/usr/lib/vmware-vmca/bin/”

(The Certificate Manager is the same in Windows vCenter as in vCSA)

We use Option 1 and fill out the requested information.

With the CSR-File you created, you can go to your CA to request a Certificate. After some checks, you should get a .csr-File back from your CA.

 

Import Certificate:

With our .csr-File we can start the import.

So we start the Certificate Manager again. Select option 1 and option 2 to replace the Certificate and follow the wizard. We have to enter the paths to the Machine-Certificate, the created Keyfile and finally the Root-Certificate.

In the end, hopefully you get the message “All tasks completed successfully” 😉

After all vCenter services have been restarted, be patient: the Webclient-Service needs a few minutes to complete everything.

You should now see the correct Certificate when you connect to your vCenter.
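
Before starting the import described above, it helps to confirm that the file returned by the CA, the created Keyfile and the Root-Certificate actually belong together. The following is an added example, not part of the original post: it assumes the OpenSSL command line is available, all file names are made up, and the sample input is a throwaway CA constructed by the script itself.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): pre-import check of the three
# files the Certificate Manager asks for. All file names are assumptions.

# $1 = machine certificate from the CA, $2 = private key, $3 = root CA (PEM;
# may also contain intermediate certificates)
check_machine_ssl_files() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) ||
    { echo "FAIL: $1 is not an X.509 certificate (is it still the CSR?)"; return 1; }
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) ||
    { echo "FAIL: cannot read private key $2"; return 1; }
  # Same public key in both files means the certificate was issued for this key.
  [ "$cert_pub" = "$key_pub" ] ||
    { echo "FAIL: certificate does not match the private key"; return 2; }
  openssl verify -CAfile "$3" "$1" >/dev/null 2>&1 ||
    { echo "FAIL: certificate does not chain to $3"; return 3; }
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null ||
    { echo "FAIL: certificate has expired"; return 4; }
  echo "OK: $(openssl x509 -in "$1" -noout -subject -enddate | tr '\n' ' ')"
}

# Constructed sample input: a throwaway root CA, a machine key, CSR and
# certificate, and an unrelated key, all written to directory $1.
make_demo_files() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
    -keyout "$1/root.key" -out "$1/root.cer" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=vcenter.example.test" \
    -keyout "$1/machine.key" -out "$1/machine.csr" 2>/dev/null
  openssl x509 -req -in "$1/machine.csr" -CA "$1/root.cer" -CAkey "$1/root.key" \
    -CAcreateserial -days 1 -out "$1/machine.cer" 2>/dev/null
  openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

demo=$(mktemp -d)
make_demo_files "$demo"
check_machine_ssl_files "$demo/machine.cer" "$demo/machine.key" "$demo/root.cer"
check_machine_ssl_files "$demo/machine.cer" "$demo/other.key" "$demo/root.cer" || true
check_machine_ssl_files "$demo/machine.csr" "$demo/machine.key" "$demo/root.cer" || true
rm -rf "$demo"
```

The three demo calls show a matching set, a certificate paired with the wrong key, and a CSR passed where the signed certificate is expected.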

 

Additional Information:

  • Don’t forget to tell your 3rd Party Applications about the new vCenter Certificate (e.g. the Backup Software)

 

SSL Error with Update Manager:

I got the following SSL error after changing the vCenter Certificate:

To avoid or solve this, we have to re-register the Update Manager Service. (Described in KB: 2048210)

Go to: “C:\Program Files (x86)\VMware\Infrastructure\Update Manager” and start the “VMwareUpdateManagerUtility.exe”

Choose “Re-register to vCenter”

Restart the Update Manager Service

Enjoy and share 😉!

 

4 thoughts on “How to install a new Certificate for vCenter Server”

  1. Thanks Admin,

    You make my day. I was trying to search on Google and I found so many blogs and websites, but nobody explains the Windows platform installation of the vCenter Server Certificate; they all talk about vCSA. Again, thanks a lot. Have a great day.

  2. Hi,

    I would like to know if there is a way to do this with a script?
    In other words, can this be automated with PowerShell/PowerCLI?

    Regards

    1. Seems difficult, you have to return the CSR from your vCenter to your CA. And the response of your CA has to be pushed back to vCenter. After that you can continue the “install” Certificate workflow on vCenter.
      So there are multiple steps with waiting time on multiple systems.
