Generating Domain Root CA signed certificates for vCenter Server
search cancel

Generating Domain Root CA signed certificates for vCenter Server


Article ID: 343600


Updated On:


VMware vCenter Server


This article provides the information on how to generate SSL Cert Keys and sign it with an internal Root CA, so that all components on vCenter Server work properly.

  • Default vCenter Server / VirtualCenter Server SSL Certificate have expired
  • Environment uses an Internal Root Certificate Authority Server to sign new keys
  • Hardware Status, Search Function, Storage View, and Performance Overview do not work
  • In the vms.log file, located at C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\Logs, you see the error:
I/O error: failed to decrypt safe contents entry: java.lang.ArithmeticException: / by zero
  • In the sms.log file, located at C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\Logs, you see the error:
The session is not authenticated


VMware vCenter Server 5.0.x
VMware vCenter Server 4.0.x
VMware vCenter Server 4.1.x
VMware VirtualCenter 2.5.x
VMware vCenter Server 5.1.x



  • You need to install Microsoft Visual C++ 2008 Redistributable Package (x86) before installing OpenSSL.

    To download this package, see

  • You must also download and install Win32 OpenSSL v0.9.8r.

    To download this package, see

    • Only use the version mentioned above, as this is currently the only supported version.
    • Ensure that Win32 OpenSSL is installed at c:\OpenSSL\bin\.
    • Ensure that the root CA certificate is added to the Trusted Roots for the Computer Account on each machine that is used to connect to the vCenter Server.
    • DNS is used for vCenter.
    • vCenter Server is part of the domain and the domain administrator has access to it.
    • You may need specify the environment variable for OpenSSL if running it from a different directory than the one specified here. For example, running the command set OPENSSL_CONF=<path>\openssl.conf specifies the path to the configuration file.
To generate SSL Cert Keys and sign it with an internal Root CA:
  1. Create the folder C:\temp\vcenter\oldssl and back up the old SSL keys.
  2. Create the folder C:\temp\vcenter\newssl to store the new SSL keys.
  3. Verify that the private key exists in C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL\rui.key.
  4. Copy all the files in C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL to the temporary location C:\temp\vcenter\oldssl.
  5. Run this command to generate the new RSA private key (2048 bit) and the certificate request:

    Note: Ensure that the common name is the FQDN of the server.

    c:\OpenSSL\bin\openssl.exe req -newkey rsa:2048 -keyout rui.key -nodes –days 3650 -out rui.csr

    You see an output similar to:

    Loading 'screen' into random state - done
    Generating a 2048 bit RSA private key
    writing new private key to 'rui.key'
    You are about to be asked to enter information that will be incorporated
    into your certificate request.

    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    Country Name (2 letter code) [AU]:CA
    State or Province Name (full name) [Some-State]:ONTARIO
    Locality Name (eg, city) []:Toronto
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:VMware
    Organizational Unit Name (eg, section) []:
    Common Name (eg, YOUR name) []:vcenter.maximum.local
    Email Address []:
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

    Note: Answer all the prompts in this output.

  6. Run the dir command to list the directory:


    You see an output similar to:

    Volume in drive C has no label.
    Volume Serial Number is 204A-99B1
    Directory of C:\temp\vcenter\newssl
    04/16/2010 03:50 PM <dir> .
    04/16/2010 03:50 PM <dir> ..
    04/16/2010 03:50 PM 1,024 .rnd
    04/16/2010 03:49 PM 1,675 privkey.pem
    04/16/2010 03:50 PM 1,679 rui.key
    04/16/2010 03:50 PM 1,005 rui.cs

  7. From vCenter Server, open a web browser and browse to the certsrv URL for your Active Directory Certificate Authority.
  8. Select Request a certificate, Advanced certificate request, and then Submit a certificate using base-64.
  9. Paste the entire contents of the CSR (open in Notepad) in the Saved Request box and click Web Server for Certificate template. The certificate gets signed.
  10. In the next page, select Base 64 encoded then click Download certificate.
  11. Save the certificate as rui.crt in c:\temp\vcenter\newssl.
  12. Run this command to create the PFX fie from the private key and certificate:

    c:\openssl\bin\openssl pkcs12 -export -in rui.crt -inkey rui.key -name rui -passout pass:testpassword -out rui.pfx

  13. Open the rui.crt file in a text editor such as notepad.

  14. Remove any data present before -----BEGIN CERTIFICATE-----.

    Note: The above step is not mandatory for legacy versions of vCenter Server, however in vCenter Server 5.1 if there is a certificate with information before the -----BEGIN CERTIFICATE----- section Java may present the error: invalid DER-encoded certificate. Thus the registration of the service will fail. This has been known to occur with the vCenter Server upgrade failing with Error 26002. Unable to register vCenter Server to Inventory Service.

  15. Stop the VMware VirtualCenter Management Webservices and VMware VirtualCenter Server services.

    To stop these services:
    1. Click Start > Run, type services.msc, and click OK. The Services window opens.
    2. Right-click the service and click Stop.

  16. Copy all the files in the newssl directory to: C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL\, replacing the existing files in the directory.
  17. Re-enter the DB password when prompted. For more information, see VirtualCenter Server Fails to Start After You Replace Default SSL Certificates with Custom SSL Certificates (1003070).
  18. Restart the services in this order:
    • VMware VirtualCenter Server services
    • VMware VirtualCenter Management Webservices

  19. Use a browser and navigate to the URL of vCenter Server. For example, https://vcenter.maximum.local.
  20. Verify if the certificate is valid.

Note: After restarting the services, you must reconnect to the ESX/ESXi hosts and re-authenticate with root credentials on each server. This is because the SSL trust between the two has changed and a new trust relationship must to be established.