Replacing VMware vCenter server default (self signed) certificate

24/02/201230/06/2023 Adrian Costea 0 Comments Security, vCenter, Virtualization

You have your VMware Infrastructure in-place, and is working great, but…what do you do about that annoying certificate message when you, or another person connects to the vCenter Server. And is not just the message, is about trust between your vSphere client and the vCenter server. I remember that I had to give a person right to connect to one of the vCenter servers so he can manage his own virtual machines, and during the connection the certificate message pops up. He asked me, what is this ? What to choose here ? If you are in this situation too, read on.

For this lab I will use a Microsoft Internal CA running on Windows 2008 R2 to issue the certificate for the vCenter server. You can use a commercial CA if you have the budget and the needs, but for most organizations an internal CA will suffice. I also have a vCenter server 5 running on Windows 2008 R2. To be able to create the request for the certificate I/we will use OpenSSL, because we don’t have a wizard for that. Download OpenSSL from here. All this takes place in a Windows domain, but if you don’t have one, the root certificate will have to be installed on the computer where the vSphere client is present. You can use this guide for older vCenter servers too. I tested with vCenter 4.0 and 4.1 and is working great; I don’t know how is gonna behave, or if it works with versions older than 4.0 but you can try it.

To start you need to disconnect all the ESX hosts that are part of this vCenter server. Do not shut them down.

Now open a terminal and go the bin directory of OpenSSL. Here type the following commands one at a time, and don’t set a challenge password at the end.

openssl genrsa 2048 > rui.key
openssl req -new -key rui.key > rui.csr

Complete the required information and be very careful at the Common Name line. You need to type the FQDN that you or any one else will use on the vSphere client to connect to the vCenter server. If you’re thinking about a SAN certificate containing all your vCenter servers (if you have more than one), well…I will have to give you bad news, is not supported. I tested with a SAN certificate, and a multi domain certificate (*.domain.com) but the error still pops up at the vSphere client. Looks like the only way to make it work is to use a standard certificate for every vCenter server.

Now from your OpenSSL bin directory open with notepad or any other editor the rui.csr file and copy the request to your clipboard; be sure not to modify it in any way. Now open your Microsoft CA web page and choose Request a certificate > advanced certificate request > Submit a certificate request by using a base-64-encoded… then paste the content from you clipboard in the Saved Request box and choose Web Server from the Certificate Template. Click the Submit button.

Download the certificate using Base 64 encoded option, and name the certificate rui (rui.cer) because it will be easier for you in the next section.

Copy the certificate in the bin directory of OpenSSL, then issue the following commands from a terminal:

openssl x509 ‐in rui.cer ‐out rui.crt
openssl pkcs12 -export -in rui.crt -inkey rui.key -name rui -passout pass:anypassword -out rui.pfx

If you want you can provide a different password for the .pfx certificate, but in this case “anypassword” will do the job, since is not a security breach for me if the certificate is stolen .

On the vCenter server we need to stop some services, before we can replace the self signed certificate. Open the services console (Start > Run > services.msc > OK) and search for the VMware VirtualCenter Server service, right-click on it and choose Stop.

A warning message is displayed saying that other services will stop along with VMware VirtualCenter Server service. Click Yes.

Open Explorer and browse to C:UsersAll UsersVMwareVMware VirtualCenterSSL. Here you can see the vCenter default certificate and private key. Move those keys to a backup location and paste the one we created from the bin directory of OpenSSL. You need rui.key, rui.pfx, rui.crt.

Now open a terminal a go to C:Program FilesVMwareInfrastructureVirtualCenter Server, because we need to change the vCenter database password. Here type vpxd.exe -p and provide a password for the database.