Note: This article is specifically for vSphere 5.5. If you are using vSphere 5.1, see Creating certificate requests and certificates for vCenter Server 5.1 components. If you are using vSphere 5.0, see Implementing CA signed SSL Certificates with vSphere 5.0 (2015383).
This article provides information on manually configuring Certificate Authority (CA) signed SSL certificates in a vSphere 5.5 environment. VMware has released a tool to automate much of the described process below. For more information, see Deploying and using the SSL Certificate Automation Tool 5.5.
If you are unable to use the tool, this article helps you eliminate common causes of problems during certificate implementation, including configuration steps and details, and helps you avoid common misconfigurations when implementing custom certificates in your environment.
Important: OpenSSL Version 0.9.8 must be used. If you do not use this version, the SSL implementation fails.
Note: This article is part of a resolution path. For more information, see Implementing CA signed SSL certificates with vSphere 5.x (2034833) before proceeding with the steps in this article.
Creating CA signed certificates for vSphere is a complex task. In many organizations it is required to maintain proper security for regulatory requirements. There are several different workflows required for successful implementation:
These steps must be followed to ensure successful implementation of a custom certificate for vCenter Server. Remember that each component of the vCenter Server configuration requires its own certificate.
Before attempting these steps, ensure that:
- You have set up the Web Server template on your Certificate Authority server and made sure it has digitalSignature, keyEncipherment, and dataEncipherment enabled for certificate generation.
- OpenSSL has been installed to C:\OpenSSL-Win32. If it has been installed elsewhere, substitute the alternative location appropriately.
There are six separate components in vCenter Server 5.5 that utilize certificates to encrypt communication. This article can be used if the components are on the same server and if they are on different servers, as long as you have a separate certificate for each component. The OpenSSL configuration when generating requests must:
- Use unique OrganizationalUnitNames for the components.
- Use the fully qualified domain name of the server for the commonName, as reported by the hostname or ipconfig /all commands.
To create the OpenSSL configuration files for creating the certificate requests:
1. Create a folder to hold the certificate files. These steps use the C:\certs folder as an example.
2. In the C:\certs folder, create seven other folders so that you can organize each of the certificates. These steps use these seven folders: InventoryService, SSO, vCenter, WebClient, LogBrowser, UpdateManager and AutoDeploy.
Note: A subjectAltName for each SSL certificate is recommended by VMware but not required. When using a commercial CA for certificate signing, the IP address can be left out of the certificate as long as DNS resolves properly for short name, fully qualified domain, and reverse lookup. When the CA accepts the subjectAltName field and its values, having a DNS and IP entry for the IP address will resolve any inconsistent connection issues with the vSphere Web Client. Use the model below as an example:

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS: vc55-1, IP:10.0.0.10, DNS:vc55-1.vmware.com
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = NY
localityName = New York
0.organizationName = VMWare
organizationalUnitName = vCenterUniqueServer
commonName = vc55-1.vmware.com
Note: A subjectAltName should be in place for each server that matches the commonName field.
3. Create a file in the C:\certs\InventoryService folder called inventoryservice.cfg. Paste this text into the file, replacing the placeholder values (ServerShortName, ServerIPAddress, server.domain.com, Country, State, City and Company Name) with the values for your environment:

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:ServerShortName, IP:ServerIPAddress, DNS:server.domain.com
[ req_distinguished_name ]
countryName = Country
stateOrProvinceName = State
localityName = City
0.organizationName = Company Name
organizationalUnitName = vCenterInventoryService
commonName = server.domain.com
4. Create a file in the C:\certs\SSO folder called sso.cfg. Paste this text into the file, replacing the placeholder values with the values for your environment:

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:ServerShortName, IP:ServerIPAddress, DNS:server.domain.com
[ req_distinguished_name ]
countryName = Country
stateOrProvinceName = State
localityName = City
0.organizationName = Company Name
organizationalUnitName = vCenterSSO
commonName = server.domain.com
5. Create a file in the C:\certs\vCenter folder called vcenter.cfg. Paste this text into the file, replacing the placeholder values with the values for your environment:

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:ServerShortName, IP:ServerIPAddress, DNS:server.domain.com
[ req_distinguished_name ]
countryName = Country
stateOrProvinceName = State
localityName = City
0.organizationName = Company Name
organizationalUnitName = vCenterServer
commonName = server.domain.com
6. Create a file in the C:\certs\WebClient folder called webclient.cfg. Paste this text into the file, replacing the placeholder values with the values for your environment:

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:ServerShortName, IP:ServerIPAddress, DNS:server.domain.com
[ req_distinguished_name ]
countryName = Country
stateOrProvinceName = State
localityName = City
0.organizationName = Company Name
organizationalUnitName = vCenterWebClient
commonName = server.domain.com
7. Create a file in the C:\certs\LogBrowser folder called LogBrowser.cfg. Paste this text into the file, replacing the placeholder values with the values for your environment:

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:ServerShortName, IP:ServerIPAddress, DNS:server.domain.com
[ req_distinguished_name ]
countryName = Country
stateOrProvinceName = State
localityName = City
0.organizationName = Company Name
organizationalUnitName = vCenterLogBrowser
commonName = server.domain.com
8. Create a file in the C:\certs\UpdateManager folder called UpdateManager.cfg. Paste this text into the file, replacing the placeholder values with the values for your environment:

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:ServerShortName, IP:ServerIPAddress, DNS:server.domain.com
[ req_distinguished_name ]
countryName = Country
stateOrProvinceName = State
localityName = City
0.organizationName = Company Name
organizationalUnitName = VMwareUpdateManager
commonName = server.domain.com
9. Create a file in the C:\certs\AutoDeploy folder called AutoDeploy.cfg. Paste this text into the file, replacing the placeholder values with the values for your environment. Unlike the other requests, this configuration also includes keyCertSign in keyUsage:

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment, keyCertSign
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:ServerShortName, IP:ServerIPAddress, DNS:server.domain.com
[ req_distinguished_name ]
countryName = Country
stateOrProvinceName = State
localityName = City
0.organizationName = Company Name
organizationalUnitName = vSphereAutoDeploy
commonName = server.domain.com
The OpenSSL configuration files are configured.
Note: The SSL Certificate Automation tool uses RFC standard formatting for the CSR. As a result, the Subject Alternative Name uses the IP: syntax for the IP address. This prevents issues with certificate verification during operation of the product; however, it does not suppress the certificate warning when navigating to the IP address of the service from the vSphere Client and the Internet Explorer browser. This is an issue with how certificates are recognized in the Microsoft Certificate Store. Ignore the error, or navigate to the fully qualified domain name to avoid the error.
Now that OpenSSL has been configured, you must generate a certificate request for each of the components:
1. Open a command prompt and navigate to C:\OpenSSL-Win32\bin.
2. Run these commands to create the certificate request and key for the Inventory Service:
openssl req -new -nodes -out c:\certs\InventoryService\rui.csr -keyout c:\certs\InventoryService\rui-orig.key -config c:\certs\InventoryService\inventoryservice.cfg
openssl rsa -in c:\certs\InventoryService\rui-orig.key -out c:\certs\InventoryService\rui.key
3. Run these commands to create the certificate request and key for SSO:
openssl req -new -nodes -out c:\certs\sso\rui.csr -keyout c:\certs\sso\rui-orig.key -config c:\certs\sso\sso.cfg
openssl rsa -in c:\certs\sso\rui-orig.key -out c:\certs\sso\rui.key
4. Run these commands to create the certificate request and key for vCenter Server:
openssl req -new -nodes -out c:\certs\vCenter\rui.csr -keyout c:\certs\vCenter\rui-orig.key -config c:\certs\vCenter\vcenter.cfg
openssl rsa -in c:\certs\vCenter\rui-orig.key -out c:\certs\vCenter\rui.key
5. Run these commands to create the certificate request and key for the vSphere Web Client:
openssl req -new -nodes -out c:\certs\WebClient\rui.csr -keyout c:\certs\WebClient\rui-orig.key -config c:\certs\WebClient\webclient.cfg
openssl rsa -in c:\certs\WebClient\rui-orig.key -out c:\certs\WebClient\rui.key
6. Run these commands to create the certificate request and key for the Log Browser:
openssl req -new -nodes -out c:\certs\LogBrowser\rui.csr -keyout c:\certs\LogBrowser\rui-orig.key -config c:\certs\LogBrowser\logbrowser.cfg
openssl rsa -in c:\certs\LogBrowser\rui-orig.key -out c:\certs\LogBrowser\rui.key
7. Run these commands to create the certificate request and key for vSphere Update Manager:
openssl req -new -nodes -out c:\certs\UpdateManager\rui.csr -keyout c:\certs\UpdateManager\rui-orig.key -config c:\certs\UpdateManager\updatemanager.cfg
openssl rsa -in c:\certs\UpdateManager\rui-orig.key -out c:\certs\UpdateManager\rui.key
8. Run these commands to create the certificate request and key for Auto Deploy (the same pattern as the other components, using the AutoDeploy.cfg file created above):
openssl req -new -nodes -out c:\certs\AutoDeploy\rui.csr -keyout c:\certs\AutoDeploy\rui-orig.key -config c:\certs\AutoDeploy\AutoDeploy.cfg
openssl rsa -in c:\certs\AutoDeploy\rui-orig.key -out c:\certs\AutoDeploy\rui.key
Note: Because the requests are generated with -nodes, both rui-orig.key and rui.key hold the private key unencrypted; restrict access to the C:\certs folder accordingly.
After completing the steps above, you now have the rui.csr and rui.key files located in each of the respective six directories for the different services. To validate that the CSR is created correctly, run the command:
openssl req -in rui.csr -noout -text
Check the output to verify that all of the parameters entered in the .cfg file are properly set in the request.
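As an added check for this step (example code, not part of the VMware article or its automation tool), the following Python script parses the text printed by openssl req -in rui.csr -noout -text and reports any of the article's required settings that are missing; SAMPLE_CSR_TEXT is constructed output shaped like OpenSSL's, using the article's example host vc55-1.vmware.com and 10.0.0.10.

```python
# Added example, not from the VMware article: check the text printed by
# "openssl req -in rui.csr -noout -text" for the settings the article requires
# (commonName equal to the FQDN; SAN with short name, IP and FQDN; the three
# keyUsage bits; serverAuth and clientAuth). SAMPLE_CSR_TEXT is constructed.
import re

SAMPLE_CSR_TEXT = """Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=NY, L=New York, O=VMWare, OU=vCenterUniqueServer, CN=vc55-1.vmware.com
        Requested Extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                DNS:vc55-1, IP Address:10.0.0.10, DNS:vc55-1.vmware.com
"""
REQUIRED_KU = {"Digital Signature", "Key Encipherment", "Data Encipherment"}
REQUIRED_EKU = {"TLS Web Server Authentication", "TLS Web Client Authentication"}


def _extension(text, name):
    """Return the comma-separated values printed under 'X509v3 <name>:'."""
    match = re.search(r"X509v3 %s:[^\n]*\n\s*(.+)" % re.escape(name), text)
    return [v.strip() for v in match.group(1).split(",")] if match else []


def check_csr_text(text, fqdn, ip):
    """Return a list of problems (empty when the request matches the article's
    requirements for host fqdn/ip; the short name is the FQDN's first label)."""
    problems = []
    subject_line = re.search(r"Subject: (.*)", text)
    subject = dict(re.findall(r"(\w+)=([^,\n]+)", subject_line.group(1) if subject_line else ""))
    if subject.get("CN") != fqdn:
        problems.append("commonName %r is not the FQDN %s" % (subject.get("CN"), fqdn))
    san = set(_extension(text, "Subject Alternative Name"))
    for entry in ("DNS:" + fqdn.split(".")[0], "IP Address:" + ip, "DNS:" + fqdn):
        if entry not in san:
            problems.append("subjectAltName lacks " + entry)
    missing_ku = REQUIRED_KU - set(_extension(text, "Key Usage"))
    if missing_ku:
        problems.append("keyUsage lacks " + ", ".join(sorted(missing_ku)))
    missing_eku = REQUIRED_EKU - set(_extension(text, "Extended Key Usage"))
    if missing_eku:
        problems.append("extendedKeyUsage lacks " + ", ".join(sorted(missing_eku)))
    return problems
```

Run check_csr_text on the captured output of each component's rui.csr with that server's FQDN and IP address; an empty list means the .cfg values made it into the request.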
After the certificate request is created, it must be given to the certificate authority for generation of the actual certificate. The authority presents a certificate back and, if appropriate, a copy of their root certificate. For the certificate chain to be trusted, the root certificate must be installed on the server.
Follow the appropriate section below for the steps for the certificate authority in question.
For Commercial CAs, follow these steps for each certificate request:
1. Take the certificate request (rui.csr, as generated above) and send it to the authority in question.
For Microsoft CAs, follow these steps for each certificate request:
1. Log in to the Microsoft CA certificate authority web interface. By default, it is http://servername/CertSrv/.
2. Open the certificate request (rui.csr, as generated above for each component) in a plain text editor and paste the text from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST----- into the Saved Request box.
3. Submit the request using the Web Server template and save the issued certificate as rui.crt in the appropriate c:\certs\<service> folder.
4. Verify the .crt file by viewing its properties. This can be found by opening the rui.crt, clicking the Details tab, and locating the Key Usage row under Field. The default install of Windows Server 2008 with the CA role will not create *.crt files properly. You must first modify the digitalSignature, keyEncipherment, and dataEncipherment fields on the CA server's Web Server template before continuing. For more information, see Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 5.x (2062108).
5. Download the CA certificate chain from the web interface and save it as cachain.p7b in the c:\certs folder.
6. Double-click the cachain.p7b file and navigate to C:\certs\cachain.p7b > Certificates.
7. Export the root certificate in Base64 format, save it as C:\certs\Root64.cer and click Next.
8. If there are intermediate certificates in the .p7b file, you will not be able to export them to Base64 at the same time; you must export each intermediate certificate to a separate file, such as C:\certs\interm64-1.cer, C:\certs\interm64-2.cer, etc. After completion, concatenate the certificates into a single file named chain.cer. The chain.cer file is used in place of the Root64.cer file per the Creating the PFX section below. For example:
copy interm64-1.cer+interm64-2.cer+Root64.cer chain.cer
To verify that all of the settings are correct, double-click on the rui.crt file and validate that the proper alternative names and subjects are in each certificate.
When complete, the certificates are generated and you now have the rui.key and rui.crt files for each service and either the Root64.cer root certificate from the Root CA Server or the concatenated chain.cer certificate containing the Root CA server and any subordinate CA servers.
Note: There must be no text before the -----BEGIN CERTIFICATE----- or after the -----END CERTIFICATE----- in the .crt or .cer files.
Proceed to Creating the PFX and follow the steps for each certificate.
When you have the certificate created, you can generate the PKCS#12 PFX file for use with each of the services.
To create the PFX file for each service:
Notes:
- If you have changed the names of rui.crt or rui.key, or if you intend to use different names for these files, ensure that all names remain consistent in the subsequent commands.
- The -certfile c:\certs\Root64.cer parameters used in these commands are for environments using only a single Root Certificate Authority server. If you are using intermediate Certificate Authority servers, you will use the chain.cer created under the Obtaining the certificate section.
1. Open a command prompt and navigate to C:\OpenSSL-Win32\bin.
2. Run this command to create the rui.pfx file for the Inventory service:
openssl pkcs12 -export -in c:\certs\InventoryService\rui.crt -inkey c:\certs\InventoryService\rui.key -certfile c:\certs\Root64.cer -name "rui" -passout pass:testpassword -out c:\certs\InventoryService\rui.pfx
Note: The password must be testpassword. Do not change this parameter.
3. Run this command to create the ssoserver.p12 file for SSO:
openssl pkcs12 -export -in c:\certs\sso\rui.crt -inkey c:\certs\sso\rui.key -certfile c:\certs\Root64.cer -name "ssoserver" -passout pass:changeme -out c:\certs\sso\ssoserver.p12
Note: The password must be changeme and the key alias must be ssoserver. Do not change these parameters.
4. Run this command to create the rui.pfx file for the vCenter Server:
openssl pkcs12 -export -in c:\certs\vcenter\rui.crt -inkey c:\certs\vcenter\rui.key -certfile c:\certs\Root64.cer -name "rui" -passout pass:testpassword -out c:\certs\vcenter\rui.pfx
5. Run this command to create the rui.pfx file for the vSphere Web Client:
openssl pkcs12 -export -in c:\certs\webclient\rui.crt -inkey c:\certs\webclient\rui.key -certfile c:\certs\Root64.cer -name "rui" -passout pass:testpassword -out c:\certs\webclient\rui.pfx
6. Run this command to create the rui.pfx file for the Log Browser:
openssl pkcs12 -export -in c:\certs\LogBrowser\rui.crt -inkey c:\certs\LogBrowser\rui.key -certfile c:\certs\Root64.cer -name "rui" -passout pass:testpassword -out c:\certs\LogBrowser\rui.pfx
7. Run this command to create the rui.pfx file for vSphere Update Manager:
openssl pkcs12 -export -in c:\certs\updatemanager\rui.crt -inkey c:\certs\updatemanager\rui.key -certfile c:\certs\Root64.cer -name "rui" -passout pass:testpassword -out c:\certs\updatemanager\rui.pfx
8. To verify each PFX file, run this command, substituting the folder of the service in question:
openssl pkcs12 -in c:\certs\service\rui.pfx -info
Enter testpassword for both the password and the passphrase. This is purely to decode the information in the PFX file and check its validity. The output should match the Distinguished Name (DN) in the certificates and is shown along with the certificate content in the output of the -info command.
You now have all of the files required to implement custom SSL certificates. Be sure to copy the c:\certs folder to vCenter Server if all services are running on a single server. Otherwise, copy the respective certificates to the appropriate servers.
For more information on replacing the vCenter Server SSO certificates, see Implementing CA signed SSL certificates with vSphere 5.x (2034833).
See also:
Creating certificate requests and certificates for vCenter Server 5.1 components
Deploying and using the SSL Certificate Automation Tool 5.5
Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 5.x
How to configure CA signed SSL certificates for vSphere Auto Deploy in vSphere 5.x
How to use the vSphere Auto Deploy Waiter service as a subordinate certificate authority
Creating certificate requests and certificates for vCenter Server 5.5 components (Japanese version of this article)
Creating certificate requests and certificates for vCenter Server 5.5 components (Chinese version of this article)