These steps must be followed to ensure successful implementation of a custom certificate for vCenter Server Appliance.
Before attempting these steps, ensure that:
These are the requirements for the certificates that the vCenter Server Appliance uses:
- The private key is in PEM format and begins with -----BEGIN RSA PRIVATE KEY----- (PKCS#1). A key that begins with -----BEGIN PRIVATE KEY----- is in PKCS#8 format and must be converted first by running the command:
openssl rsa -in pk8.key -out pk1.key
- The certificate begins with -----BEGIN CERTIFICATE-----. Open the certificate in a text editor to ensure that this is the first line of the file.
Generating the certificate requests and certificates
Create openssl.cfg files for each component. This article uses /ssl/service to store all of the files before the certificates are installed. Start with this configuration:
[ req ]
default_md = sha512
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
input_password = testpassword
output_password = testpassword
[ v3_req ]
basicConstraints = CA:false
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:server, IP:ServerIPAddress, DNS:server.domain.com
[ req_distinguished_name ]
countryName = country
stateOrProvinceName = state
localityName = city
0.organizationName = Organization Name
organizationalUnitName = Vmware vCenter Service Certificate
commonName = server.domain.com
Save the file as openssl_vpxd.cfg, but do not close it.
Change organizationalUnitName to Vmware Inventory Service Certificate and save the file as openssl_inventoryservice.cfg.
Change organizationalUnitName to Vmware vCenter Web Client Service Certificate and save the file as openssl_webclient.cfg.
Change organizationalUnitName to Vmware LDAP Service Certificate and save the file as openssl_slapd.cfg.
Change organizationalUnitName to Vmware vCenter VAMI Certificate and save the file as openssl_vami.cfg.
Change organizationalUnitName to Vmware Logbrowser Service Certificate and save the file as openssl_logbrowser.cfg.
Change organizationalUnitName to Vmware vCenter autodeploy Service Certificate and save the file as openssl_autodeploy.cfg.
Next, generate the certificate request and corresponding key for each of the certificates. From C:\OpenSSL-Win32\bin, run this command once per service, replacing service with the appropriate file:
openssl req -new -nodes -out rui_service.csr -keyout rui_service.key -config openssl_service.cfg
For example, for the vCenter Server (vpxd) certificate:
openssl req -new -nodes -out rui_vpxd.csr -keyout rui_vpxd.key -config openssl_vpxd.cfg
Repeat the command for each openssl.cfg file from above. By the end of this section, you have seven different .csr files and seven different .key files.
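The seven per-service configuration files differ only in their organizationalUnitName line, so they can be produced mechanically. The following shell script is an added example, not part of the VMware article: it rewrites that one line of a template openssl.cfg for each service name listed above and prints the matching openssl req command; the template it embeds is a constructed, shortened stand-in for the full configuration shown above, and the service and file names are the article's.

```shell
# Added example (not from the VMware article): derive the seven per-service
# OpenSSL request configs from one template by rewriting organizationalUnitName,
# and print the matching "openssl req" command for each. Pure POSIX sh; the
# openssl invocation itself is only printed so the script runs where OpenSSL
# is absent.
set -eu

# Constructed, shortened stand-in for the article's openssl.cfg.
write_template() {  # $1 = path to write
    cat > "$1" <<'EOF'
[ req ]
default_bits = 2048
prompt = no
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
organizationalUnitName = Vmware vCenter Service Certificate
commonName = server.domain.com
EOF
}

# Service name -> organizationalUnitName, exactly as the article lists them.
ou_for() {  # $1 = service
    case "$1" in
        vpxd)             echo "Vmware vCenter Service Certificate" ;;
        inventoryservice) echo "Vmware Inventory Service Certificate" ;;
        webclient)        echo "Vmware vCenter Web Client Service Certificate" ;;
        slapd)            echo "Vmware LDAP Service Certificate" ;;
        vami)             echo "Vmware vCenter VAMI Certificate" ;;
        logbrowser)       echo "Vmware Logbrowser Service Certificate" ;;
        autodeploy)       echo "Vmware vCenter autodeploy Service Certificate" ;;
        *)                return 1 ;;
    esac
}

# Write openssl_<service>.cfg beside the template; only the OU line changes,
# so SAN, key usage and commonName stay identical across all seven files.
make_cfg() {  # $1 = template path, $2 = service
    ou=$(ou_for "$2") || return 1
    sed "s/^organizationalUnitName = .*/organizationalUnitName = $ou/" "$1" \
        > "$(dirname "$1")/openssl_$2.cfg"
}

# The article's request command for one service.
csr_cmd() {  # $1 = service
    echo "openssl req -new -nodes -out rui_$1.csr -keyout rui_$1.key -config openssl_$1.cfg"
}

# Generate all seven configs and list the commands to run from C:\OpenSSL-Win32\bin.
make_all() {  # $1 = template path
    for s in vpxd inventoryservice webclient slapd vami logbrowser autodeploy; do
        make_cfg "$1" "$s" && csr_cmd "$s"
    done
}
```

Run `write_template openssl.cfg && make_all openssl.cfg` in a scratch directory to produce the seven files and the seven commands.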
Take the certificate requests (rui_service.csr, as generated above) and send them to the commercial certificate signing authority. Also obtain the CA certificate chain (.PEM file) to ensure that the certificates are trusted.
If using a Microsoft CA:
1. Open the certificate authority web interface at http://servername/CertSrv/ and request a certificate.
2. Paste the contents of the certificate request, from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST-----, into the request form.
3. Include the names the server is reached by, for example vcenter.domain.com and vcenter. Users can connect to more than one name and communication will still be valid.
4. Download the issued certificate as rui_service.crt, where service is the service you are creating a certificate for. The certificate is downloaded in .cer format. Either use Save As or change it to .crt before continuing with this procedure.
5. Download the CA certificate chain as cachain.p7b.
You now have the certificates (rui_service.crt) and the cachain.pem file generated. Proceed to Installation and configuration of the certificates to complete the configuration of the custom certificates.
Installation and configuration of the certificates
Open each certificate with Notepad
or vi and validate that the file begins with -----BEGIN CERTIFICATE-----. Remove all text before the -----BEGIN CERTIFICATE----- in the rui.crt files.
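The check just described, together with the key-format requirement from the start of the article, can be run on every file before anything is copied to the appliance. This shell script is an added example, not part of the VMware article; it uses the article's marker lines, and the sample certificate it writes is constructed with a placeholder body, not a real certificate.

```shell
# Added example (not from the VMware article): pre-install checks on the files
# the CA returned, implementing the article's rules that a certificate file
# must start with -----BEGIN CERTIFICATE----- and that a key beginning with
# -----BEGIN PRIVATE KEY----- (PKCS#8) needs "openssl rsa" conversion first.
set -eu

# First line of a file with any Windows CR stripped (files often arrive from
# a Windows OpenSSL/CA download with CRLF endings).
first_line() {  # $1 = file
    head -n 1 "$1" | tr -d '\r'
}

# Succeeds only when the certificate header is the very first line.
cert_starts_correctly() {  # $1 = certificate file
    [ "$(first_line "$1")" = "-----BEGIN CERTIFICATE-----" ]
}

# Remove everything before the first -----BEGIN CERTIFICATE----- line, in place
# (the article's "remove all text before" step). Fails if no header is found,
# so an unrelated or empty file is never silently truncated.
strip_leading_text() {  # $1 = certificate file
    grep -q '^-----BEGIN CERTIFICATE-----' "$1" || return 1
    sed -n '/^-----BEGIN CERTIFICATE-----/,$p' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Classify a PEM private key by its header: pkcs1 is what the appliance
# expects; pkcs8 must go through "openssl rsa -in pk8.key -out pk1.key".
key_format() {  # $1 = key file
    case "$(first_line "$1")" in
        "-----BEGIN RSA PRIVATE KEY-----") echo pkcs1 ;;
        "-----BEGIN PRIVATE KEY-----")     echo pkcs8 ;;
        *)                                 echo unknown ;;
    esac
}

# Constructed sample: a certificate download with a text preamble in front of
# the PEM block. The base64 body is a placeholder, not a real certificate.
make_sample_cert() {  # $1 = path to write
    printf '%s\n' 'Certificate:' '    Data:' '        Version: 3 (0x2)' \
        '-----BEGIN CERTIFICATE-----' 'MIIBplaceholderbody' \
        '-----END CERTIFICATE-----' > "$1"
}
```

Run `strip_leading_text rui_vpxd.crt && cert_starts_correctly rui_vpxd.crt` per certificate, and `key_format rui_vpxd.key` to see whether the conversion step applies.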
Stop the Single Sign-On and vCenter Server services by running the commands:
service vmware-sso stop
service vmware-vpxd stop
Use the mkdir command to create directories to store the files. This article uses directories named /ssl/service on the vCenter Server Appliance for the file operations. Be sure to create the appropriate directories as you proceed through the article.
Replacing the vCenter Server (VPXD) and Single Sign-On certificate
1. Copy rui_vpxd.crt, rui_vpxd.key, and cachain.p7b to the /ssl/vpxd directory on the vCenter Server Appliance.
2. Rename rui_vpxd.crt to rui.crt by running the command:
mv rui_vpxd.crt rui.crt
3. Rename rui_vpxd.key to rui.key by running the command:
mv rui_vpxd.key rui.key
4. Convert the cachain.p7b file to cachain.pem by running the command:
openssl pkcs7 -print_certs -in cachain.p7b -out cachain.pem
5. Create the rui-ca-cert.pem file by running the command:
cp cachain.pem rui-ca-cert.pem
6. Create the .pfx file by running the command:
openssl pkcs12 -export -out rui.pfx -in rui.crt -inkey rui.key -name rui -passout pass:testpassword
7. Build the certificate chain and add it to the appliance's trusted certificates by running the commands:
cat rui.crt rui-ca-cert.pem > chain.pem
cp chain.pem /etc/ssl/certs/rootca.pem
ln -s /etc/ssl/certs/rootca.pem /etc/ssl/certs/`openssl x509 -hash -noout -in /etc/ssl/certs/rootca.pem`.0
8. Install the new certificate and key by running the command:
/usr/sbin/vpxd_servicecfg certificate change chain.pem rui.key
The command reports success with:
VC_CFG_RESULT = 0
These files are replaced:
/etc/vmware-vpx/ssl/rui.crt
/etc/vmware-vpx/ssl/rui.key
/etc/vmware-vpx/ssl/rui.pfx
/etc/vmware-vpx/ssl/sms.truststore
/etc/vmware-sso/keys/sso.crt
/etc/vmware-sso/keys/sso.key
/opt/vmware/etc/lighttpd/server.pem
9. Copy the rui-ca-cert.pem file to the /etc/vmware-vpx/ssl directory and restrict its permissions by running the commands:
cp rui-ca-cert.pem /etc/vmware-vpx/ssl
chmod 400 /etc/vmware-vpx/ssl/rui-ca-cert.pem
Replacing the Inventory Service certificate
1. Unregister the Inventory Service from the Lookup Service by running the commands:
cd /etc/vmware-sso/register-hooks.d
./02-inventoryservice --mode uninstall --ls-server https://server.domain.com:7444/lookupservice/sdk
2. Copy rui_inventoryservice.crt, rui_inventoryservice.key, and a copy of the cachain.pem file (as created in step 4 of the VPXD/SSO section) to the /ssl/inventoryservice directory on the vCenter Server Appliance.
3. Rename rui_inventoryservice.crt to rui.crt by running the command:
mv rui_inventoryservice.crt rui.crt
4. Rename rui_inventoryservice.key to rui.key by running the command:
mv rui_inventoryservice.key rui.key
5. Create the rui-ca-cert.pem file by running the command:
cp cachain.pem rui-ca-cert.pem
6. Create the .pfx file by running the command:
openssl pkcs12 -export -out rui.pfx -in rui.crt -inkey rui.key -name rui -passout pass:testpassword
7. Copy rui.key, rui.crt, rui.pfx, and rui-ca-cert.pem to the /usr/lib/vmware-vpx/inventoryservice/ssl directory with the cp command.
8. Set the permissions on the copied files by running the commands:
chmod 400 rui-ca-cert.pem rui.key rui.pfx
chmod 644 rui.crt
9. Register the Inventory Service with the Lookup Service again by running the commands:
cd /etc/vmware-sso/register-hooks.d
./02-inventoryservice --mode install --ls-server https://server.domain.com:7444/lookupservice/sdk --user root --password password_of_root_user
10. Remove the inventoryservice_registered file and restart the services by running the commands:
rm /var/vmware/vpxd/inventoryservice_registered
service vmware-inventoryservice stop
service vmware-vpxd stop
service vmware-inventoryservice start
service vmware-vpxd start
These files are replaced:
/usr/lib/vmware-vpx/inventoryservice/ssl/rui-ca-cert.pem
/usr/lib/vmware-vpx/inventoryservice/ssl/rui.crt
/usr/lib/vmware-vpx/inventoryservice/ssl/rui.key
/usr/lib/vmware-vpx/inventoryservice/ssl/rui.pfx
Replacing the vSphere Web Client certificate
1. Unregister the vSphere Web Client from the Lookup Service by running the commands:
cd /etc/vmware-sso/register-hooks.d
./10-vmware-vsphere-client --mode uninstall --ls-server https://server.domain.com:7444/lookupservice/sdk
2. Copy rui_webclient.crt, rui_webclient.key, and a copy of the cachain.pem file (as created in step 4 of the VPXD/SSO section) to the /ssl/vsphere-client directory on the vCenter Server Appliance.
3. Rename rui_webclient.crt to vsphere-client.crt by running the command:
mv rui_webclient.crt vsphere-client.crt
4. Rename rui_webclient.key to vsphere-client.key by running the command:
mv rui_webclient.key vsphere-client.key
5. Create the vsphere-client-ca-cert.pem file by running the command:
cp cachain.pem vsphere-client-ca-cert.pem
6. Create the .pfx file by running the command:
openssl pkcs12 -export -out vsphere-client.pfx -in vsphere-client.crt -inkey vsphere-client.key -name rui -passout pass:testpassword
7. Copy vsphere-client.key, vsphere-client.crt, vsphere-client.pfx, and vsphere-client-ca-cert.pem to the /usr/lib/vmware-vsphere-client/server/SerenityDB/keys directory with the cp command.
8. Set the permissions on the copied files by running the commands:
chmod 400 vsphere-client-ca-cert.pem vsphere-client.key vsphere-client.pfx
chmod 644 vsphere-client.crt
9. Register the vSphere Web Client with the Lookup Service again by running the commands:
cd /etc/vmware-sso/register-hooks.d
./10-vmware-vsphere-client --mode install --ls-server https://server.domain.com:7444/lookupservice/sdk --user root --password password_of_root_user
10. Restart the vSphere Web Client service by running the commands:
service vsphere-client stop
service vsphere-client start
These files are replaced:
/usr/lib/vmware-vsphere-client/server/SerenityDB/keys/vsphere-client-ca-cert.pem
/usr/lib/vmware-vsphere-client/server/SerenityDB/keys/vsphere-client.crt
/usr/lib/vmware-vsphere-client/server/SerenityDB/keys/vsphere-client.key
/usr/lib/vmware-vsphere-client/server/SerenityDB/keys/vsphere-client.pfx
Replacing the LDAP (slapd) certificate
1. Copy rui_slapd.crt, rui_slapd.key, and a copy of the cachain.pem file (as created in step 4 of the VPXD/SSO section) to the /ssl/slapd directory on the vCenter Server Appliance.
2. Rename rui_slapd.crt to slapd.crt by running the command:
mv rui_slapd.crt slapd.crt
3. Rename rui_slapd.key to slapd.key by running the command:
mv rui_slapd.key slapd.key
4. Create the slapd-ca-cert.pem file by running the command:
cp cachain.pem slapd-ca-cert.pem
5. Create the .pfx file by running the command:
openssl pkcs12 -export -out slapd.pfx -in slapd.crt -inkey slapd.key -name rui -passout pass:testpassword
6. Copy slapd.key, slapd.crt, slapd.pfx, and slapd-ca-cert.pem to the /etc/openldap/ssl directory with the cp command.
7. Set the permissions and ownership on the copied files by running the commands:
chmod 400 slapd-ca-cert.pem slapd.key slapd.pfx
chmod 644 slapd.crt
chown ldap:root slapd.*
8. Restart the vCenter Server service by running the commands:
service vmware-vpxd stop
service vmware-vpxd start
These files are replaced:
/etc/openldap/ssl/slapd-ca-cert.pem
/etc/openldap/ssl/slapd.crt
/etc/openldap/ssl/slapd.key
/etc/openldap/ssl/slapd.pfx
Replacing the VAMI certificate
1. Copy rui_vami.crt, rui_vami.key, and a copy of the cachain.pem file (as created in step 4 of the VPXD/SSO section) to the /ssl/vami directory on the vCenter Server Appliance.
2. Rename rui_vami.crt to vami.crt by running the command:
mv rui_vami.crt vami.crt
3. Rename rui_vami.key to vami.key by running the command:
mv rui_vami.key vami.key
4. Create the vami-ca-cert.pem file by running the command:
cp cachain.pem vami-ca-cert.pem
5. Create the .pfx file by running the command:
openssl pkcs12 -export -out vami.pfx -in vami.crt -inkey vami.key -name rui -passout pass:testpassword
6. Unregister the VAMI from the Lookup Service by running the commands:
cd /etc/vmware-sso/register-hooks.d
./10-vami --mode uninstall --ls-server https://server.domain.com:7444/lookupservice/sdk
7. Copy vami.key, vami.crt, vami.pfx, and vami-ca-cert.pem to the /etc/vmware-sso/keys directory with the cp command.
8. Set the permissions on the copied files by running the commands:
chmod 400 vami-ca-cert.pem vami.key vami.pfx
chmod 644 vami.crt
9. Register the VAMI with the Lookup Service again by running the commands:
cd /etc/vmware-sso/register-hooks.d
./10-vami --mode install --ls-server https://server.domain.com:7444/lookupservice/sdk --user root --password password_of_root_user
These files are replaced:
/etc/vmware-sso/keys/vami-ca-cert.pem
/etc/vmware-sso/keys/vami.crt
/etc/vmware-sso/keys/vami.key
/etc/vmware-sso/keys/vami.pfx
Replacing the Log Browser certificate
1. Unregister the Log Browser from the Lookup Service by running the commands:
cd /etc/vmware-sso/register-hooks.d
./09-vmware-logbrowser --mode uninstall --ls-server https://server.domain.com:7444/lookupservice/sdk
2. Copy rui_logbrowser.crt, rui_logbrowser.key, and a copy of the cachain.pem file (as created in step 4 of the VPXD/SSO section) to the /ssl/logbrowser directory on the vCenter Server Appliance.
3. Rename rui_logbrowser.crt to rui.crt by running the command:
mv rui_logbrowser.crt rui.crt
4. Rename rui_logbrowser.key to rui.key by running the command:
mv rui_logbrowser.key rui.key
5. Create the rui-ca-cert.pem file by running the command:
cp cachain.pem rui-ca-cert.pem
6. Create the .pfx file by running the command:
openssl pkcs12 -export -out rui.pfx -in rui.crt -inkey rui.key -name rui -passout pass:testpassword
7. Copy rui.key, rui.crt, rui.pfx, and rui-ca-cert.pem to the /usr/lib/vmware-logbrowser/conf directory with the cp command.
8. Set the permissions on the copied files by running the commands:
chmod 400 rui-ca-cert.pem rui.key rui.pfx
chmod 644 rui.crt
9. Register the Log Browser with the Lookup Service again by running the commands:
cd /etc/vmware-sso/register-hooks.d
./09-vmware-logbrowser --mode install --ls-server https://server.domain.com:7444/lookupservice/sdk --user root --password password_of_root_user
Replacing the Single Sign-On STS certificate
1. From the /ssl/vpxd folder (or the location where you stored the VPXD/SSO certificates), run this command to create a .pfx that includes the SSO certificate (rui.crt), SSO key (rui.key), and the CA certificate (cachain.pem):
openssl pkcs12 -export -in rui.crt -inkey rui.key -certfile cachain.pem -name "rui" -passout pass:testpassword -out ruiSTS.pfx
2. Convert the .pfx to a Java keystore by running the command:
keytool -v -importkeystore -srckeystore ruiSTS.pfx -srcstoretype pkcs12 -srcstorepass testpassword -srcalias rui -destkeystore rui.jks -deststoretype JKS -deststorepass changeit -destkeypass changeit
The keystore and key password is changeit.
3. Log in as admin@system-domain.
4. Add the STS certificate by browsing to the rui.jks file, entering changeit as the password, and clicking OK. The rui key chain is shown in the interface.
5. When prompted, enter the key password changeit. You see another chain added, and the certificate is available in the GUI.
6. Restart the services by running the commands:
service vmware-inventoryservice stop
service vmware-inventoryservice start
service vmware-logbrowser stop
service vmware-logbrowser start
service vmware-vpxd stop
service vmware-vpxd start
These files are replaced:
/usr/lib/vmware-logbrowser/conf/rui-ca-cert.pem
/usr/lib/vmware-logbrowser/conf/rui.crt
/usr/lib/vmware-logbrowser/conf/rui.key
/usr/lib/vmware-logbrowser/conf/rui.pfx
Replacing the Auto Deploy certificate
1. Copy rui_autodeploy.crt and rui_autodeploy.key to the /ssl/autodeploy directory on the vCenter Server Appliance.
2. Rename rui_autodeploy.crt to waiter.crt by running the command:
mv rui_autodeploy.crt waiter.crt
3. Rename rui_autodeploy.key to waiter.key by running the command:
mv rui_autodeploy.key waiter.key
4. Copy the waiter.key and the waiter.crt files to /etc/vmware-rbd/ssl.
5. Set the permissions and ownership on the copied files by running the commands:
chmod 644 waiter.crt
chmod 400 waiter.key
chown deploy:deploy waiter.crt waiter.key
6. Stop the Auto Deploy watchdog, remove the autodeploy_registered file, and restart the vCenter Server service by running the commands:
/etc/init.d/vmware-rbd-watchdog stop
rm /var/vmware/vpxd/autodeploy_registered
service vmware-vpxd restart
These files are replaced:
/etc/vmware-rbd/ssl/rui.crt
/etc/vmware-rbd/ssl/rui.key
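Across the seven services above, the same permission rule is applied by hand each time: 644 for every .crt file and 400 for every .key, .pfx and CA .pem file, with a missed chmod leaving a private key world-readable. The following shell script is an added example, not part of the VMware article: it audits installed files against that rule using GNU stat (as found on the appliance); the file names are the article's and the test files are constructed.

```shell
# Added example (not from the VMware article): audit the permissions the
# article sets on installed certificate material, so a slip in one of the
# many chmod steps is caught before the services are restarted.
# Linux-specific (GNU stat), as on the appliance.
set -eu

# Octal mode of a file, e.g. 400 or 644.
mode_of() {  # $1 = file
    stat -c '%a' "$1"
}

# Expected mode from the article's rules: .crt files are 644, everything
# else it installs (.key, .pfx, *-ca-cert.pem) is 400.
expected_mode() {  # $1 = file name or path
    case "$1" in
        *.crt) echo 644 ;;
        *)     echo 400 ;;
    esac
}

# Check one file; print a finding and return 1 on mismatch or absence.
check_file() {  # $1 = path
    [ -e "$1" ] || { echo "MISSING $1"; return 1; }
    want=$(expected_mode "$1")
    have=$(mode_of "$1")
    [ "$have" = "$want" ] && return 0
    echo "BAD $1 mode=$have want=$want"
    return 1
}

# Check every path given; keeps going so all findings are reported, and
# returns the number of failures (0 means everything matches the article).
audit() {
    bad=0
    for f in "$@"; do
        check_file "$f" || bad=$((bad + 1))
    done
    return "$bad"
}
```

Pass only files whose mode the article sets, for example `audit /etc/openldap/ssl/slapd.key /etc/openldap/ssl/slapd.crt /etc/vmware-rbd/ssl/waiter.key`; files such as sms.truststore, for which the article gives no mode, are outside the rule.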