Accessing a vCenter Server using Web access or vSphere Client fails with an SSL certificate error

Article ID: 305771

Products

VMware vCenter Server

Issue/Introduction

Symptoms:
  • Accessing vCenter Server using Web access or vSphere Client fails
  • You see the error:

    Security Warning
    Certificate Warnings
    An untrusted SSL certificate is installed on "vCenter_FQDN" and secure communication cannot be guaranteed. Depending on your security policy, this issue might not represent a security concern. You may need to install a trusted SSL certificate on your server to prevent this warning from appearing.
    Click Ignore to continue using the current SSL certificate.


Environment

VMware vCenter Server 4.0.x

Resolution

This issue occurs if the self-signed certificate of the vCenter Server is not trusted, or if the FQDN or short name of the vCenter Server changed after the initial installation.
To resolve this issue, you must create a self-signed certificate for your vCenter Server.
Note: If you are using custom or CA signed certificates, see Replacing vCenter Server Certificates.

To create a self-signed certificate:
  1. Download and install OpenSSL from http://gnuwin32.sourceforge.net/packages/openssl.htm.

    Note: The preceding link was correct as of June 02, 2010. If you find the link is broken, provide feedback and a VMware employee will update the link.
  2. Create a folder named openssl in C:\
  3. Open a command prompt and navigate to C:\Program Files\GnuWin32\bin.

    Note: You may need to run the command prompt as administrator in order for the below commands to work.

  4. Run these commands to create the SSL certificates:


    openssl genrsa 1024 > c:\openssl\rui.key


    openssl req -new -key c:\openssl\rui.key > c:\openssl\rui.csr -config "C:\Program Files\GnuWin32\share\openssl.cnf"


    Note: Provide the necessary information about the certificate, such as country, organization, name, and email ID, and enter the FQDN or NetBIOS name of the vCenter Server in the Common Name field. You do not have to specify a passkey in this step.

    openssl x509 -req -days 730 -in c:\openssl\rui.csr -signkey c:\openssl\rui.key -out c:\openssl\rui.crt

    openssl pkcs12 -export -in c:\openssl\rui.crt -inkey c:\openssl\rui.key -passout pass:testpassword -out c:\openssl\rui.pfx

  5. To replace the certificates on vCenter Server:
    1. Copy the existing rui.key, rui.crt, and rui.pfx files from C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL\ to a backup folder.
    2. Copy the custom rui.key, rui.crt, and rui.pfx files to C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL\.

      Note: In Windows Server 2008, copy the files to C:\ProgramData\VMware\VMware VirtualCenter\SSL\.

  6. Stop the VirtualCenter Server service. For more information, see Stopping, starting, or restarting vCenter services (1003895).
  7. To reset your database password, browse to the root directory of your vCenter Server installation, and run the command:

    vpxd.exe -p

    When prompted for your new password, enter your existing database password. When prompted to confirm your password, reenter the password.

  8. Restart the VirtualCenter Server service. For more information, see Stopping, starting, or restarting vCenter services (1003895).
  9. To install the certificate into the trusted root CAs on the vCenter Server:
    1. Double-click the rui.crt file located at C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL\.
    2. Click Install Certificate and click Next and Next.
    3. Select Place all certificates in the following store.
    4. Select the Trusted Root Certification Authorities certificate store.
    5. Click OK, Next, Finish, and Yes.

  10. Log in to vCenter Server using your new certificate.
  11. If your ESX hosts are showing as disconnected, right-click on the host, follow the prompts, and connect the host using the root credentials.
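
A check of the files created in step 4, to run before they are copied in step 5. This is an added example, not VMware's own code: it confirms that the Common Name matches the name clients connect with, that rui.crt and rui.key form a pair, and that rui.pfx opens with the password from step 4. The value of $ExpectedName is a placeholder, and the script assumes the paths used in the steps above.

```powershell
# Added example (not VMware's code): verify the step 4 output before step 5.
$ExpectedName = 'vcenter.example.local'   # placeholder: name typed into the client
$OpenSsl = 'C:\Program Files\GnuWin32\bin\openssl.exe'
$Dir     = 'C:\openssl'
# Same config file the article passes with -config; avoids a missing-config warning.
$env:OPENSSL_CONF = 'C:\Program Files\GnuWin32\share\openssl.cnf'
$problems = @()

# 1. The Common Name must equal the name clients connect to.
#    Old builds print "/CN=name/...", newer ones "CN = name, ...".
$subject = [string](& $OpenSsl x509 -noout -subject -in "$Dir\rui.crt")
$cnPattern = 'CN\s*=\s*' + [regex]::Escape($ExpectedName) + '\s*(/|,|$)'
if ($subject -notmatch $cnPattern) {
    $problems += "Common Name mismatch: $subject"
}

# 2. The certificate and private key must be a pair (identical RSA modulus).
$certMod = [string](& $OpenSsl x509 -noout -modulus -in "$Dir\rui.crt")
$keyMod  = [string](& $OpenSsl rsa  -noout -modulus -in "$Dir\rui.key")
if (-not $certMod -or $certMod -ne $keyMod) {
    $problems += 'rui.crt and rui.key do not belong together'
}

# 3. rui.pfx must open with the password given to -passout in step 4.
& $OpenSsl pkcs12 -in "$Dir\rui.pfx" -passin pass:testpassword -noout
if ($LASTEXITCODE -ne 0) {
    $problems += 'rui.pfx is unreadable with the expected password'
}

# 4. Show the validity window (notBefore / notAfter) for the record.
& $OpenSsl x509 -noout -dates -in "$Dir\rui.crt"

if ($problems.Count -eq 0) {
    Write-Host 'All checks passed; continue with step 5.'
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

If any warning is printed, repeat step 4 rather than copying the files, since a Common Name that does not match the name used to connect produces the same certificate warning again.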



Attachments

Internal Replacing_default_certific0.zip