The following is a documentation of the steps necessary to replace the default self-signed certificates used by the most popular VMware virtualization product suites with certificates issued by trusted CAs (i.e. SSL certificates obtained from your internal Microsoft Active Directory-based CA infrastructure, or ones you purchased from any of the public, third-party commercial Certification Authorities).
The steps discussed here are based largely on the works of several people, spearheaded by Michael Websters and documented in several (revamped) guides published by VMware. My focus in reproducing them here is to attempt to present the same information in a slightly different format that I have found to be very useful in the field, especially for the typical system administration. I call this format the “Cheat Sheet” approach – a type of “just the facts, ma’am” approach. You could call it a “walk-through” approach if you prefer a more elegant term.
We are going to be working with a VMware vCenter 5.1 / vSphere 5.1 infrastructure in this version of the documentation. Versions prior to this will be the subject of a future blog entry.
At the end of the process documented here, you will have updated the SSL certificates used by the following VMware products with real, CA-based certificates and confirmed that your infrastructure is functional (at least from SSL functionalities point of view):
- vCenter Single Sing-On Server
- VMware Log Browser Service
- vCenter Web Client Service
- vCenter Server
- vCenter Inventory Service
- vCenter Update Manager
- vSphere Server (aka ESXi Host)
I have made some rather liberal assumptions in the configuration scenario presented in this documentation, so I think I owe you a brief description of the prototypical infrastructure on which the instructions included here is based. It is assumed (no, it is EXPECTED) that you will be able to adjust the steps to match your own specific configurations, if they differ from the following scenario:
- The infrastructure is already in production AND functional
- The “Simple Install” option was NOT used for installing the vCenter components
- The vCenter Single Sign-on Server is installed on a server SEPARATE from the one on which the vCenter Server is installed
- The Log Browser Service is installed on the Single Sign-On Server
- The vCenter Web Client Server is installed on the Single Sign-On Server
- The Inventory Service is installed on the vCenter Server
- The vCenter Update Manager is installed on the vCenter Server.
Let’s present all that in a slightly different format, for clarity:
| Server Name | sso-server01 | vcenter-01 | esx-01 |
| Roles on Server | Single Sign-On | vCenter Server | vSphere Host |
| Log Browser | Inventory Service | ||
| Web Client | Update Manager |