Configuring CA signed SSL certificates for vSphere Update Manager in vCenter Server 5.1 and 5.5

Article ID: 328587

Products

VMware

Issue/Introduction

Note: This article is specific to vSphere 5.1 and vSphere 5.5. If you are using vSphere 5.0, see Implementing CA signed SSL Certificates with vSphere 5.0 (2015383).
This article guides you through the configuration of Certificate Authority (CA) certificates for vSphere Update Manager in vSphere 5.1 and vSphere 5.5. VMware has released a tool to automate much of the process described below. See Deploying and using the SSL Certificate Automation Tool 1.0.x (2041600) before following the steps in this article.
If you cannot use the automation tool, proceed with this article for configuration steps and details for implementing custom certificates in your environment. The article also helps you avoid common misconfigurations.
You can replace only the SSL certificates that Update Manager uses for communication between the Update Manager server and client components.

You cannot replace the SSL certificates that Update Manager uses on port 9087 when importing offline bundles or upgrade release files.


Resolution

Note: This article is part of a resolution path. See Implementing CA signed SSL certificates with vSphere 5.x (2034833) before following the steps in this article.
Creating CA assigned certificates for vSphere is a complex task. In many organizations it is required to maintain proper security for regulatory requirements. Several different workflows are required for successful implementation:
  • Creating the certificate request
  • Getting the certificate
  • Installation and configuration of the certificate in the vSphere Update Manager
These steps must be followed to ensure successful implementation of a custom certificate for vSphere Update Manager. Before attempting these steps, ensure that:

Installation and configuration of the certificate for the vSphere Update Manager

To complete the installation and configuration of the certificate for vSphere Update Manager after the certificate has been created:
  1. Log in to the vSphere Update Manager server as an administrator.
  2. If you have not already imported it, double-click the c:\certs\Root64.cer file and import the certificate into the Trusted Root Certificate Authorities > Local Computer Windows certificate store. This ensures that the certificate server is trusted.
  3. Back up the current certificates. By default, vSphere Update Manager stores its certificates in the C:\Program Files (x86)\VMware\Infrastructure\Update Manager\SSL directory.
  4. Copy the new certificate files to this directory replacing the current ones. If you are following the series of articles in the resolution path, the certificates are located in C:\certs\Update Manager.
  5. Stop the vSphere Update Manager Service and the vSphere Update Manager UFA services from the services control manager (services.msc).
  6. Launch the VMwareUpdateManagerUtility.exe application. By default, it is located in C:\Program Files (x86)\VMware\Infrastructure\Update Manager.
  7. When prompted, enter the correct credentials to log in to the utility.

    Notes:
    • If the system becomes unresponsive and then fails, and vCenter Server is on the same system as vSphere Update Manager, try using 127.0.0.1:80 as the address for vCenter Server. If you cannot log in, file a Support Request with VMware Support and quote this Knowledge Base article ID (2037581) in the problem description. For more information, see Filing a Support Request in Customer Connect (2006985).
    • If Update Manager is not installed on the same system as vCenter Server, the loopback address does not work. In this case, edit the hosts file located at c:\windows\System32\drivers\etc\ and add an alternate DNS name for vCenter Server. For example, if vCenter1.acme.com is the vCenter Server at 10.10.10.10, add 10.10.10.10 vc1.acme.com and use this alternate name to log in to the utility.

  8. Click the SSL Certificate link.
  9. Select the Followed and verified the steps option.
  10. Click Apply.
  11. Click OK when you see the message:

    Restart the VMware vSphere Update Manager service to apply the setting

  12. Start the vSphere Update Manager and vSphere Update Manager UFA services.
The configuration of the custom certificates for vSphere Update Manager is now complete. Next, continue to install the custom certificates for the ESXi Hosts. For more information, see Implementing CA signed SSL certificates with vSphere 5.x (2034833).
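
The checks behind steps 2 through 4, as an added PowerShell example that is not part of the VMware article: it confirms that each new certificate chains to a root the server already trusts, backs up the SSL directory, then copies the new files and verifies every copy by SHA-256. The backup folder name and the .crt/.cer extensions are assumptions, as are PowerShell 4.0 or later and an elevated session on the Update Manager server.

```powershell
# Added example (not VMware code). Run before step 5 of the procedure above.
$ErrorActionPreference = 'Stop'
$SslDir = 'C:\Program Files (x86)\VMware\Infrastructure\Update Manager\SSL'  # default from step 3
$NewDir = 'C:\certs\Update Manager'                                         # location from step 4
$Backup = "${SslDir}.bak-$(Get-Date -Format 'yyyyMMdd-HHmmss')"             # assumed backup name

function Get-HashMap($dir) {
    # File name -> SHA-256 for every file directly inside $dir.
    $map = @{}
    Get-ChildItem -LiteralPath $dir -File | ForEach-Object {
        $map[$_.Name] = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    }
    $map
}

function Assert-SameFiles($from, $to) {
    # Every file in $from must exist in $to with identical content.
    $src = Get-HashMap $from
    $dst = Get-HashMap $to
    foreach ($name in $src.Keys) {
        if ($dst[$name] -ne $src[$name]) { throw "$name differs between '$from' and '$to'" }
    }
}

# Step 2 check: each certificate to be installed must be within its validity
# period and chain to a root trusted by the Local Computer store.
$certFiles = Get-ChildItem -LiteralPath $NewDir -File |
    Where-Object { $_.Extension -in '.crt', '.cer' }   # assumed extensions
if (-not $certFiles) { throw "No .crt/.cer files found in '$NewDir'" }
foreach ($f in $certFiles) {
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $f.FullName
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain $true  # machine context
    $chain.ChainPolicy.RevocationMode = 'NoCheck'      # offline check; revocation is not evaluated
    if (-not $chain.Build($cert)) {
        $why = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        throw "$($f.Name) does not validate: $why"
    }
    '{0}: {1}, valid until {2:yyyy-MM-dd}, thumbprint {3}' -f $f.Name, $cert.Subject, $cert.NotAfter, $cert.Thumbprint
}

# Step 3: back up the current files and confirm the backup is byte-identical.
# The backup holds the old private key; it sits beside the SSL directory so it
# inherits the same parent ACLs.
Copy-Item -LiteralPath $SslDir -Destination $Backup -Recurse
Assert-SameFiles $SslDir $Backup

# Step 4: replace the current files with the new ones and verify each copy.
Get-ChildItem -LiteralPath $NewDir -File | Copy-Item -Destination $SslDir -Force
Assert-SameFiles $NewDir $SslDir
"Backup written to $Backup"
```

If the chain check throws, repeat the root certificate import in step 2 before copying anything; to roll back, restore the files from the backup folder.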


Additional Information

How to file a Support Request in Customer Connect
Implementing CA signed SSL certificates with vSphere 5.x
Creating certificate requests and certificates for vCenter Server 5.1 components
Deploying and using the SSL Certificate Automation Tool 1.0.x