Certificate warning is reported even after replacing vCenter Server 5.0 default SSL certificates with custom SSL certificates
Article ID: 308418
Updated On:
Products
VMware vCenter Server
VMware vSphere ESXi
Issue/Introduction
Symptoms:
- Certificate Warnings dialog is displayed even after you replace vCenter Server 5.0 default SSL certificates with custom SSL certificates
- After logging in to vCenter Server, you see a Certificate Warning message
- Custom SSL certificates are installed and located in the vSphere vCenter Server SSL directory located at C:\Program Files\VMware\Infrastructure\VirtualCenter Server\SSL
- Disabling vCenter Server plug-ins, such as VMware Update Manager, vCenter Service Status, and vCenter Hardware Status, does not resolve the issue
Environment
VMware vCenter Server 5.0.x
VMware vSphere ESXi 5.0
VMware vSphere ESXi 5.0
Cause
This issue occurs if the VMware Inventory service in vCenter Server 5.0 does not use the default vCenter Server SSL directory.
Resolution
Ideally before you replace the SSL certificates, you should log into vCenter Server and check that all the services linked with Web Services are working, such as Hardware Status Tab, vCenter Service Status, and also Profile Driven Storage.
Note:You may have to reconnect all your hosts if you are updating vCenter SSL certs before the host certs. (if you change the SSL certificates on the ESX hosts first, then you will not need to reconnect the hosts once vCenter certificates are updated)
See the below steps to prevent further vSphere Web Client SSL pop up messages:
If you click Install this certificate and click Ignore to continue, it will not prompt you again on this system.
In addition to this you will need to unregister the vCenter Server system on the vSphere Web client using the admin-app url, and then re-register it again. To do this, see the following steps:
Note:You may have to reconnect all your hosts if you are updating vCenter SSL certs before the host certs. (if you change the SSL certificates on the ESX hosts first, then you will not need to reconnect the hosts once vCenter certificates are updated)
- To replace the default certificate files with the new ones, copy the custom SSL certificates (rui.key, rui.crt, rui.pfx) to the below vCenter Server, vSphere Web Client and VMware Inventory Service SSL directories.
It is recommended to first backup the below SSL certificate files, before replacing the files. On vCenter Server 5.0, when replacing the default certificates with the generated ones, the files above need to be copied into the following directories.
Note: For information on replacing customer SSL certificates in Update Manager. see: Replacing SSL certificates for VMware vCenter Update Manager by using the Update Manager Utility (1023011)
Windows 2003 vCenter:
- C:\Documents and settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL
- C:\Program Files\VMware\Infrastructure\VMware VirtualCenter\SSL
- C:\Users\All Users\VMware\VMware VirtualCenter\SSL
- C:\ProgramData\VMware\VMware VirtualCenter\SSL
- C:\Program Files\VMware\Infrastructure\Inventory Service\ssl
- C:\Program Files\VMware\Infrastructure\vSphere Web Client\DMServer\config\ssl
- You can use the vCenter Server Managed Object Browser to load the new SSL Certificates into memory
- To access the MOB, browse to the following location from the vCenter Server, https://localhost/mob/?moid=vpxd-securitymanager&vmodl=1 and when prompted enter a vCenter Administrator username and password.
- In the Web page, under Methods, click reloadSslCertificate. A popup browser window appears.
- Click Invoke Method. The Method Invocation Result: void message appears on the Web page.
- On vCenter server, open a command prompt to the directory where the vCenter software is installed and execute the following command: vpxd -p
When prompted enter the database password , this will reset the db password after the new certificate, which will allow all the web services to access it. You should enter the existing password, not a new password at this point.
- Stop and then restart the VMware VirtualCenter Server service, which will in turn restart vCenter Management Web Services, Inventory, and Profile Driven Storage Services.
Note: A vCenter reboot may be required to load the certificates into vCenter
- Log into vCenter Server and verify that all Host Status Tab’s are working, the vCenter Service Status is functioning, all services are running correctly, and the Profile Driven Storage configuration is accessible and working
Note: The vSphere Web Client will pop up the below warning box the when you attempt to log in with the vSphere Web Client.
An untrusted SSL certificate is installed on "vCenter_FQDN" and secure communication cannot be guaranteed.
See the below steps to prevent further vSphere Web Client SSL pop up messages:
If you click Install this certificate and click Ignore to continue, it will not prompt you again on this system.
In addition to this you will need to unregister the vCenter Server system on the vSphere Web client using the admin-app url, and then re-register it again. To do this, see the following steps:
- Log into the vSphere Web Client system using RDP
- Open a web browser to https://localhost:9443/admin-app
- Check if the vCenter Server is registered
- Click Unregister at the top-right corner of the page
- Click Register and fill in the required fields.
Once the vCenter System is registered with the new thumbprint the warning dialog box should not be displayed again.
Additional Information
Feedback
Yes
No
Powered by
