How to manage SSL certificates for VMware vCenter Converter and VMware vCenter Converter Standalone

Article ID: 337359


Products

VMware vSphere ESXi

Issue/Introduction

Although vCenter Converter installs SSL certificates by default, you can replace them with your own for better security. To improve the security of Converter client-server communication, install the SSL certificates on the Converter server. To improve the security of Converter server-agent communication, install the SSL certificates on the Converter agent. You can create, sign, and install your own certificates, or you can use certificates issued by a commercial CA (Certificate Authority), such as Thawte or VeriSign.

If you have no certificates issued by a trusted CA, create a new SSL certificate signed by a local CA, and then install the CA for the Converter server and agent services on the corresponding machines.

For more information about using openssl to generate a local CA, and for a sample openssl.cnf configuration, read the Replacing vCenter Server Certificates guide.

NOTE: When you install an SSL certificate on a Converter server, the certificate's “Common name” attribute must match the DNS name or the IP address (whichever you use for the connection) of the host on which the Converter server is installed. If you install the SSL certificate on a Converter agent, the certificate's “Common name” attribute must match the DNS name or the IP address of the host on which the Converter agent is installed.


Resolution

1. Install the local CA for Converter server and agent services on the corresponding machines by using the “mmc” console. Example flow for the Converter Standalone Server service on Windows 2003:
  1. From the Start menu, click Run and type “mmc”. The MMC console opens.
  2. From the File menu of the MMC console, click Add/Remove Snap-in.
  3. Click Add and select Certificates.
  4. Click Service account (computer account) and click Next.
  5. Click Local computer.
  6. Select VMware vCenter Converter Standalone Server.
  7. Click Finish.
  8. In the Console Root tree, right-click the “Certificates – Service (VMware vCenter…)” item and select All tasks > Import. Follow the wizard to add the CA certificate you have generated.
  9. Repeat steps 2-8 for the Local Computer account as well. On step 5, select Computer account instead of Service account.
2. Replace the certificate and key files (rui.crt and rui.key) in the ssl folder of the Converter server or agent. SSL certificates are stored in the following directories:
  • For Converter Standalone server: %ALLUSERSPROFILE%\Application Data\VMware\VMware vCenter Converter Standalone\ssl
  • For Converter Standalone agent: %ALLUSERSPROFILE%\Application Data\VMware\VMware vCenter Converter Standalone Agent\ssl
  • For VMware vCenter Converter Integrated server: %ALLUSERSPROFILE%\Application Data\VMware\VMware vCenter Converter\ssl
  • For VMware vCenter Converter Integrated Agent: %ALLUSERSPROFILE%\Application Data\VMware\VMware vCenter Converter Agent\ssl

    NOTE: On post-Vista operating systems, the VMware folder is located directly under %ALLUSERSPROFILE%.

3. Restart the Converter agent, worker, and server services.
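
Before the new pair is copied into the ssl folder in step 2, it can be checked against the requirements above: the Common Name matches the name used to connect, rui.key belongs to rui.crt, and the certificate verifies against the local CA. The script below is an added example, not VMware code; it assumes the openssl CLI and unencrypted PEM files, the function names and the host name converter01.example.test are hypothetical, and the sample CA and certificate are constructed at run time.

```shell
#!/bin/sh
# Added example (not VMware code): pre-install checks for a rui.crt/rui.key pair.
# Assumes the openssl CLI and unencrypted PEM files; function names are hypothetical.

# Print the subject Common Name of a PEM certificate.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# Succeed only if the private key ($2) belongs to the certificate ($1).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Succeed only if the certificate ($1) verifies against the local CA ($2).
chains_to_ca() {
    openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# Args: cert key ca name. name is the DNS name or IP used to connect.
check_converter_cert() {
    [ "$(cert_cn "$1")" = "$4" ] || { echo "CN does not match $4"; return 1; }
    key_matches_cert "$1" "$2" || { echo "key does not match certificate"; return 2; }
    chains_to_ca "$1" "$3" || { echo "not issued by the given CA"; return 3; }
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null ||
        { echo "certificate has expired"; return 4; }
    echo "ok"
}

# Constructed sample input: a throwaway CA and a certificate for CN=$2 in dir $1.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Local CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/rui.key" -out "$1/rui.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/rui.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/rui.crt" 2>/dev/null
}

# Demo on the constructed sample; converter01.example.test is a made-up host name.
tmp=$(mktemp -d) && make_sample "$tmp" converter01.example.test &&
    check_converter_cert "$tmp/rui.crt" "$tmp/rui.key" "$tmp/ca.crt" converter01.example.test
rm -rf "$tmp"
```

For a real pair, call check_converter_cert with the paths to rui.crt, rui.key, the local CA certificate, and the DNS name or IP address that clients use to reach the Converter server or agent.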

You should now be able to connect to the remote vCenter Converter Standalone server without receiving a warning for an SSL certificate error.

If you have installed certificates for the vCenter Converter Standalone agent, you should be able to perform a remote hot clone of that machine without seeing a warning for an SSL certificate error on the Source Machine page of the Convert Machine wizard.