One of the most common things we see in VMware Global Support Services (GSS), regardless of product, version, or customer, is the need to implement custom certificates. This could be for a number of reasons:
- Security
- To get rid of the warning when you first log in
- You like a challenge
Whatever the case may be, in vSphere 5.1 the process has changed due to the addition of vCenter Single Sign On (SSO), which adds complexity to the procedure. This is because the majority of services register themselves to SSO, so when the certificates are changed, those services also need to be re-registered.
Because of repeated questions from customers on this, we gathered our Professional Services, Engineering, and Technical Writers to develop the following Resolution Path, which guides you through the various steps to completion (you can read more about resolution path articles here).
Resolution Path Article:
Child articles in the resolution path are:
- Creating certificate requests and certificates for the vCenter 5.1 components (2037432)
- Configuring CA signed SSL certificates for vCenter SSO in vCenter 5.1 (2035011)
- Configuring CA signed SSL certificates for the Inventory service in vCenter 5.1 (2035009)
- Configuring CA signed certificates for vCenter 5.1 (2035005)
- Configuring CA signed SSL certificates for the Web Client and Log Browser in vCenter 5.1 (2035010)
- Configuring CA signed SSL certificates for vSphere Update Manager in vCenter 5.1 (2037581)
- Configuring CA signed SSL certificates with ESXi 5.x hosts (2015499)
Note: It is recommended that you follow the articles in the sequence provided as many steps are dependent on each other.
We have also created an article with the steps for vCenter Server Appliance 5.1:
Finally, we have updated these vSphere 5.0 articles thanks to feedback received on them:
- Implementing CA signed SSL certificates with vSphere 5.0 (2015383)
- Configuring OpenSSL for installation and configuration of CA signed certificates in the vSphere environment (2015387)
- Configuring CA signed certificates for VMware vCenter Server 5.0.x (2015421)
- Configuring CA signed certificates for ESXi 5.x hosts (2015499)
Note: The issue where the vCenter Service fails to start up is now resolved in vCenter Server 5.1.0a. For more details, refer to the KB article vCenter Server Services hang on startup after upgrading to vCenter Server 5.1 (2035623).
We hope that this helps everyone through their SSL implementation. If you find any errors or anomalies, there’s a feedback form at the bottom of every article. We will be keeping an active eye on your feedback!
The OBVIOUS no-brainer solution is for the vCenter install ITSELF to check whether the server or whatever has the ability to create Windows certs, then offer this option to the user, plus the option to obtain software for and create OpenSSL certs.
The obvious 3rd-party market is something that automates the above processes for people.
VMware should be doing this for us if they insist on this excessively complicated cert system.