Replacing Default Vcenter Server Certificates with signed by a CCA

Sharing is caring!


VMware recommends that you replace default certificates with those signed by commercial certificate authority. Make sure to deploy new certificate in stages rather than all in one.
Follow following three steps

  • Create certificate-signing request (CSRs)
  • Create the PFX File
  • Load replacement certificates into memory

Create certificate-signing request (CSRs)
·         You can use open ssl to create SSL. Edit openssl.cnf according to your environment, default open ssl installation include openssl.cnf , default location is c:openssllib.
·         Create RSA key for the vCenter Server System and CSR
o   Openssl req –new –nodes –out mycsr.csr –config openssl.cnf
o   When prompt ed, type the fully qualified host name as the system commnaName and organisation, city , country information.
·         Send the certificate request to commercial authority and wait for signed cert.
Create the PFX File
                Personal information Exchange format (PFX) enables transfer of certificates and their private keys from one computer to another or to removable media. To export the certificate and the key together.  Run following command
                Openssl pkcs12 –export –in rui.crt –inkey  rui.key  – name rui –passout pass:password –out rui.pfx
Note: password is your actual password
Load replacement certificates into memory
Use browser to connect to the vCenter Server system and view the existing certificate.  
 Record the detail.  You must have following newly generated files

  •  X.509 certificate file with RSA public key in PEM format, named rui.crt
  • RSA private key in PEM format, named rui.key
  • PKCS12 bundle of the same certificate and key, named rui.pfx

On your vcenter server system, locate the ssl directory, backup existing certificate and replace with new one’s.

              Using browser on the vcenter server system, connect to
              http://localhost/mob/?moid=vpxd-securitymanager&vmodl=1
              or (to another system)
                https://192.168.150.151/mob/?moid=vpxd-securitymanager&vmodl=1
                Note: Replace the ip address with your server ip address. Enter the Administrator name and password

  • The managed object type:vpxSecurityManager web page appears
  • Under Methods, click reloadsslCertificate and Click Invoke Method
  • Restart VMware vCenter Management WebServices
  • Replace the certificate used by the vCenter server Inventory Service by copying above mentioned three files (rui,key, rui.crt, rui.pfx) into Inventory Service installation directory
  •  Restart Inventory service. 
  • Reload or reopen the vcenter webpage and verify new certificates are installed successfully.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.