Generating Domain Root CA signed certificates for vCenter Server

Article ID: 343600

Products

VMware vCenter Server

Issue/Introduction

This article explains how to generate an SSL private key and certificate request and have the request signed by an internal Root CA, so that all vCenter Server components work properly.

Symptoms:
  • The default vCenter Server / VirtualCenter Server SSL certificate has expired
  • Environment uses an Internal Root Certificate Authority Server to sign new keys
  • Hardware Status, Search Function, Storage View, and Performance Overview do not work
  • In the vms.log file, located at C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\Logs, you see the error:
I/O error: failed to decrypt safe contents entry: java.lang.ArithmeticException: / by zero
  • In the sms.log file, located at C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\Logs, you see the error:
The session is not authenticated


Environment

VMware vCenter Server 5.0.x
VMware vCenter Server 4.0.x
VMware vCenter Server 4.1.x
VMware VirtualCenter 2.5.x
VMware vCenter Server 5.1.x

Resolution

Requirements

  • You need to install Microsoft Visual C++ 2008 Redistributable Package (x86) before installing OpenSSL.

    To download this package, see
    http://www.microsoft.com/downloads/en/confirmation.aspx?familyId=9b2da534-3e03-4391-8a4d-074b9f2bc1bf&displayLang=en.

  • You must also download and install Win32 OpenSSL v0.9.8r.

    To download this package, see
    http://www.slproweb.com/products/Win32OpenSSL.html.

    Notes:
    • Only use the version mentioned above, as this is currently the only supported version.
    • Ensure that Win32 OpenSSL is installed at c:\OpenSSL\bin\.
    • Ensure that the root CA certificate is added to the Trusted Roots for the Computer Account on each machine that is used to connect to the vCenter Server.
    • DNS is used for vCenter.
    • vCenter Server is part of the domain and the domain administrator has access to it.
    • You may need to specify the environment variable for OpenSSL if you run it from a directory other than the one specified here. For example, the command set OPENSSL_CONF=<path>\openssl.conf specifies the path to the configuration file.

To generate the SSL key and certificate request and have them signed by an internal Root CA:
  1. Create the folder C:\temp\vcenter\oldssl and back up the old SSL keys.
  2. Create the folder C:\temp\vcenter\newssl to store the new SSL keys.
  3. Verify that the private key exists in C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL\rui.key.
  4. Copy all the files in C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL to the temporary location C:\temp\vcenter\oldssl.
  5. Run this command to generate the new RSA private key (2048 bit) and the certificate request:

    Note: Ensure that the common name is the FQDN of the server.

    c:\OpenSSL\bin\openssl.exe req -newkey rsa:2048 -keyout rui.key -nodes -days 3650 -out rui.csr

    You see an output similar to:

    Loading 'screen' into random state - done
    Generating a 2048 bit RSA private key
    .............................+++
    ......................................+++
    writing new private key to 'rui.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.

    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:CA
    State or Province Name (full name) [Some-State]:ONTARIO
    Locality Name (eg, city) []:Toronto
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:VMware
    Organizational Unit Name (eg, section) []:
    Common Name (eg, YOUR name) []:vcenter.maximum.local
    Email Address []:
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

    Note: Answer all the prompts in this output.

  6. Run the dir command to list the directory:

    C:\temp\vcenter\newssl>dir

    You see an output similar to:

    Volume in drive C has no label.
    Volume Serial Number is 204A-99B1
    Directory of C:\temp\vcenter\newssl
    04/16/2010 03:50 PM <dir> .
    04/16/2010 03:50 PM <dir> ..
    04/16/2010 03:50 PM 1,024 .rnd
    04/16/2010 03:49 PM 1,675 privkey.pem
    04/16/2010 03:50 PM 1,679 rui.key
    04/16/2010 03:50 PM 1,005 rui.cs
  7. From vCenter Server, open a web browser and browse to the certsrv URL for your Active Directory Certificate Authority.
  8. Select Request a certificate, Advanced certificate request, and then Submit a certificate using base-64.
  9. Paste the entire contents of the CSR (open in Notepad) in the Saved Request box and click Web Server for Certificate template. The certificate gets signed.
  10. In the next page, select Base 64 encoded then click Download certificate.
  11. Save the certificate as rui.crt in c:\temp\vcenter\newssl.
  12. Run this command to create the PFX file from the private key and certificate:

    c:\openssl\bin\openssl pkcs12 -export -in rui.crt -inkey rui.key -name rui -passout pass:testpassword -out rui.pfx

  13. Open the rui.crt file in a text editor such as notepad.

  14. Remove any data present before -----BEGIN CERTIFICATE-----.

    Note: This step is not mandatory for legacy versions of vCenter Server. In vCenter Server 5.1, however, if the certificate file contains any data before the -----BEGIN CERTIFICATE----- line, Java may report the error java.security.cert.CertificateParsingException: invalid DER-encoded certificate, and registration of the service fails. This is a known cause of a vCenter Server upgrade failing with Error 26002. Unable to register vCenter Server to Inventory Service.

  15. Stop the VMware VirtualCenter Management Webservices and VMware VirtualCenter Server services.

    To stop these services:
    1. Click Start > Run, type services.msc, and click OK. The Services window opens.
    2. Right-click the service and click Stop.

  16. Copy all the files in the newssl directory to: C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL\, replacing the existing files in the directory.
  17. Re-enter the DB password when prompted. For more information, see VirtualCenter Server Fails to Start After You Replace Default SSL Certificates with Custom SSL Certificates (1003070).
  18. Restart the services in this order:
    • VMware VirtualCenter Server services
    • VMware VirtualCenter Management Webservices

  19. Use a browser and navigate to the URL of vCenter Server. For example, https://vcenter.maximum.local.
  20. Verify if the certificate is valid.

Note: After restarting the services, you must reconnect to the ESX/ESXi hosts and re-authenticate with root credentials on each server. This is because the SSL trust between the two has changed and a new trust relationship must be established.
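The same procedure (steps 5, 12 and 14, followed by the check of step 20), as an added example that is not VMware's code and is not part of the article: a POSIX shell script for OpenSSL on a Linux or similar host. It assumes openssl is on PATH; the Active Directory CA of steps 7 to 11 is stood in for by a lab root CA the script generates itself, and the FQDN, working directory, preamble text and PFX password are constructed sample values (the password matches the article's testpassword; use a real secret in practice). The CSR is driven by a config file instead of prompts so the common name is always the FQDN, and a subjectAltName is added because current browsers require one.

```shell
#!/bin/sh
# Added example, not from the VMware article: steps 5, 12 and 14 done
# non-interactively with OpenSSL, plus a check of the result.
# Assumptions (constructed): openssl is on PATH; the lab root CA generated
# below stands in for the Active Directory CA of steps 7 to 11.
set -eu

FQDN="${FQDN:-vcenter.maximum.local}"   # the article's sample common name
WORK="${WORK:-./newssl}"                 # stands in for C:\temp\vcenter\newssl
PFX_PASS="${PFX_PASS:-testpassword}"     # article's sample password; use a real secret

# Step 5 equivalent: key and CSR from a config file, so the CN is always the
# FQDN and a subjectAltName is present. (-days is meaningless on a CSR; the
# CA decides validity when it signs.)
make_csr() {
  mkdir -p "$WORK"
  cat > "$WORK/req.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions = ext
prompt = no
[ dn ]
C = CA
ST = ONTARIO
L = Toronto
O = VMware
CN = $FQDN
[ ext ]
subjectAltName = DNS:$FQDN
extendedKeyUsage = serverAuth
EOF
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -keyout "$WORK/rui.key" -out "$WORK/rui.csr" 2>/dev/null
}

# Lab root CA: constructed stand-in for the AD CA so the example runs offline.
make_lab_ca() {
  cat > "$WORK/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[ dn ]
CN = Lab Root CA (constructed stand-in)
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
    -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Steps 7 to 11 equivalent: sign the CSR. The "download" then gets a constructed
# line of text in front of the PEM block, the situation step 14 warns about.
sign_csr() {
  openssl x509 -req -in "$WORK/rui.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 3650 -extfile "$WORK/req.cnf" -extensions ext \
    -out "$WORK/signed.pem" 2>/dev/null
  { echo "Constructed preamble line, not part of the certificate"; cat "$WORK/signed.pem"; } \
    > "$WORK/rui_download.crt"
}

# Step 14 equivalent: keep only the BEGIN..END CERTIFICATE block, so the
# parser (Java in vCenter 5.1) never sees leading or trailing text.
clean_pem() {   # clean_pem <downloaded file> <output file>
  sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" > "$2"
}

# Step 12 equivalent: bundle key and certificate into rui.pfx. OpenSSL 3 uses a
# newer default PKCS#12 encryption than old Java keystores understand; add
# -legacy there if the consumer cannot read the file.
make_pfx() {
  openssl pkcs12 -export -in "$WORK/rui.crt" -inkey "$WORK/rui.key" -name rui \
    -passout "pass:$PFX_PASS" -out "$WORK/rui.pfx"
}

# Step 20 equivalent: chain validates, name matches the FQDN, key matches cert.
verify_cert() {
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$FQDN" "$WORK/rui.crt" >/dev/null
  [ "$(openssl x509 -in "$WORK/rui.crt" -noout -pubkey)" = "$(openssl pkey -in "$WORK/rui.key" -pubout)" ]
}

run_all() {
  make_csr
  make_lab_ca
  sign_csr
  clean_pem "$WORK/rui_download.crt" "$WORK/rui.crt"
  make_pfx
  verify_cert
}

if command -v openssl >/dev/null 2>&1; then
  run_all
  echo "OK: $WORK/rui.key, rui.crt and rui.pfx generated and verified for $FQDN"
else
  echo "openssl not found on PATH; nothing generated" >&2
fi
```

Running the script leaves rui.key, rui.crt and rui.pfx in ./newssl, which are the three files the article copies into the VirtualCenter SSL directory in step 16; with a real CA, replace make_lab_ca and sign_csr by the certsrv submission of steps 7 to 11 and point verify_cert's -CAfile at the exported root CA certificate.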