Replacing Default Server Certificates with Self-Signed Certificates



VMware recommends that you replace the default certificates with certificates signed by a commercial certificate authority. Deploy the new certificates in stages rather than all at once.
Follow these steps:
1. Create a local root CA and a signing request
2. Create self-signed certificates
3. Create the PFX file
4. Load the replacement certificates into memory
Create Local Root CA and Self-Signed Request
- You can use OpenSSL to create the certificates. Edit openssl.cnf according to your environment; a default OpenSSL installation includes openssl.cnf, and its default location is C:\openssl\lib.
- Create the local root CA:
openssl req -new -x509 -extensions v3_ca -keyout myroot.key -out myroot.crt -days 3650 -config openssl.cnf
When prompted, type the fully qualified host name as the system commonName, and supply the organisation, city and country information.
- Create the RSA key and the certificate signing request (the key is written to rui.key, the request to mycsr.csr):
openssl req -new -nodes -keyout rui.key -out mycsr.csr -config openssl.cnf
- Sign the request using the local root CA:
openssl ca -out rui.crt -config openssl.cnf -infiles mycsr.csr
You have now generated the signed certificate rui.crt and its private key rui.key.
Create Self-Signed Certificates
Create or modify a text file named openssl.cnf according to your requirements.
Create the self-signed certificate (rui.key and rui.crt) by running:
openssl req -nodes -new -x509 -keyout rui.key -out rui.crt -days 3650 -config openssl.cnf
Back up the original certificates and copy the newly generated certificates to the default SSL certificate location.
Create the PFX File
The Personal Information Exchange format (PFX) enables the transfer of certificates and their private keys from one computer to another or to removable media. To export the certificate and the key together, run the following command:
openssl pkcs12 -export -in rui.crt -inkey rui.key -name rui -passout pass:password -out rui.pfx
Note: replace password with your actual export password.
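The three steps above carried out end to end, as an added example that is not part of the original post: a POSIX shell script that writes a minimal openssl.cnf, creates the local root CA, issues rui.key and rui.crt from a CSR with openssl ca, exports rui.pfx, and then runs the checks worth doing before the files are copied into the vCenter SSL directory (certificate chains to the root, key matches the certificate, PFX opens with the password and carries the same certificate, key is not passphrase-protected). The host name vcenter.example.internal, the organisation name, the password ChangeMe and the directory layout under the CA directory are constructed for this example; -nodes and -subj are added to the root CA command so the script runs without prompts.

```shell
#!/bin/sh
# Added example, not the original post's commands. Builds a local root CA,
# issues rui.crt/rui.key from a CSR with "openssl ca", exports rui.pfx and
# checks the three files before they are copied to the vCenter SSL folder.
# Constructed assumptions: host name, organisation, password, directory layout.

# Write a minimal openssl.cnf (assumed layout) that serves both "req" and "ca".
write_openssl_cnf() {
  dir="$1"; host="$2"
  mkdir -p "$dir/ca/newcerts"
  : > "$dir/ca/index.txt"        # empty issued-certificate database
  echo 01 > "$dir/ca/serial"     # next serial number to issue
  # The CN in req_dn is a placeholder; every command below overrides it with -subj.
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = local_ca
[ local_ca ]
database        = $dir/ca/index.txt
new_certs_dir   = $dir/ca/newcerts
serial          = $dir/ca/serial
certificate     = $dir/myroot.crt
private_key     = $dir/myroot.key
default_md      = sha256
default_days    = 3650
policy          = policy_any
x509_extensions = v3_server
[ policy_any ]
commonName       = supplied
organizationName = optional
[ req ]
default_bits       = 2048
distinguished_name = req_dn
prompt             = no
[ req_dn ]
CN = placeholder
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
authorityKeyIdentifier = keyid
subjectAltName         = DNS:$host
EOF
}

# Step 1: local root CA (myroot.key / myroot.crt). -nodes keeps it unattended.
make_local_ca() {
  dir="$1"; host="$2"
  write_openssl_cnf "$dir" "$host"
  openssl req -new -x509 -nodes -extensions v3_ca \
    -subj "/CN=Local Root CA/O=Example Org" \
    -keyout "$dir/myroot.key" -out "$dir/myroot.crt" -days 3650 \
    -config "$dir/openssl.cnf"
}

# Step 1 (continued): RSA key plus CSR, then sign the CSR with the local root CA.
issue_server_cert() {
  dir="$1"; host="$2"
  openssl req -new -nodes -subj "/CN=$host/O=Example Org" \
    -keyout "$dir/rui.key" -out "$dir/mycsr.csr" -config "$dir/openssl.cnf"
  openssl ca -batch -notext -out "$dir/rui.crt" \
    -config "$dir/openssl.cnf" -infiles "$dir/mycsr.csr"
}

# Step 3: bundle certificate and key as rui.pfx for transport.
export_pfx() {
  dir="$1"; pass="$2"
  openssl pkcs12 -export -in "$dir/rui.crt" -inkey "$dir/rui.key" -name rui \
    -passout "pass:$pass" -out "$dir/rui.pfx"
}

# Pre-deployment checks. Returns 0 ok, 1 chain broken, 2 key does not match
# the certificate, 3 PFX unreadable or holds a different certificate,
# 4 key is passphrase-protected (the server must load it without a prompt).
check_cert_bundle() {
  dir="$1"; pass="$2"
  openssl verify -CAfile "$dir/myroot.crt" "$dir/rui.crt" >/dev/null 2>&1 || return 1
  cert_pub=$(openssl x509 -in "$dir/rui.crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$dir/rui.key" -pubout 2>/dev/null || true)
  [ "$cert_pub" = "$key_pub" ] || return 2
  crt_fp=$(openssl x509 -in "$dir/rui.crt" -noout -fingerprint -sha256)
  pfx_fp=$(openssl pkcs12 -in "$dir/rui.pfx" -passin "pass:$pass" -nokeys -clcerts 2>/dev/null \
           | openssl x509 -noout -fingerprint -sha256 2>/dev/null || true)
  [ -n "$pfx_fp" ] && [ "$pfx_fp" = "$crt_fp" ] || return 3
  grep -q ENCRYPTED "$dir/rui.key" && return 4
  return 0
}

main() {
  work="${1:-$(mktemp -d)}"
  make_local_ca "$work" vcenter.example.internal
  issue_server_cert "$work" vcenter.example.internal
  export_pfx "$work" ChangeMe
  check_cert_bundle "$work" ChangeMe && echo "bundle in $work is ready to deploy"
}
# Run directly with:  sh make_vcenter_certs.sh --run [workdir]
if [ "${1:-}" = "--run" ]; then main "$2"; fi
```

The key/certificate comparison uses the SubjectPublicKeyInfo from both files rather than the RSA modulus, so the same check works if the key type is ever changed; check_cert_bundle deliberately returns a distinct code per failure so a deployment script can tell a wrong export password (3) from a key that belongs to a different certificate (2).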
Load Replacement Certificates into Memory
Use a browser to connect to the vCenter Server system and view the existing certificate. Record the details. You must have the following newly generated files:
- X.509 certificate file with RSA public key in PEM format, named rui.crt
- RSA private key in PEM format, named rui.key
- PKCS12 bundle of the same certificate and key, named rui.pfx
On your vCenter Server system, locate the SSL directory, back up the existing certificates and replace them with the new ones.
Using a browser on the vCenter Server system, connect to
http://localhost/mob/?moid=vpxd-securitymanager&vmodl=1
or (from another system)
https://192.168.150.151/mob/?moid=vpxd-securitymanager&vmodl=1
Note: replace the IP address with your server's IP address. Enter the administrator name and password.
The Managed Object Type: vpxSecurityManager web page appears.
Under Methods, click reloadSslCertificate, then click Invoke Method.
Restart VMware vCenter Management WebServices.
Replace the certificate used by the vCenter Server Inventory Service by copying the three files mentioned above (rui.key, rui.crt, rui.pfx) into the Inventory Service installation directory and restart the Inventory Service. Reload or reopen the vCenter web page and verify that the new certificates are installed successfully.
