How to replace default SSL certificate for Vmware VCenter and ESXi hosts


You can replace the default self-signed ESXi and VCenter  SSL certificate from CLI. First of all you should get an SSL certificate file and also a key file. You need to upload them under a directory from the VCenter server.

Step 1: Check  your certificate file

The certificate file must contain intermediate and also root CA certificates. I added a simple example of the certificate  file below.

-----BEGIN CERTIFICATE-----
MIIFxTCCBK2gAwIBAgIKYaLJSgAAAAAAITANBgkqhkiG9w0BAQUFADBGMRMwEQYK
CZImiZPyLGQBGRYDbmV0MRYwFAYKCZImiZPyLGQBGRYGbW5uZXh0MRcwFQYDVQQD
Ew5tbm5leHQtQUQtMS1DQTAeFw0xMzAyMDExNjAxMDNaFw0xNTAyMDExNjExMDNa <-----Certificate
SMhYhbv3wr7XraAnsIaBYCeg+J7fKTFgjA8bTwC+dVTaOSXQuhnZfrOVxlfJ/Ydm
NS7WBBBFd9V4FPyRDPER/QMVl+xyoaMGw0QKnslmq/JvID4FPd0/QD62RAsTntXI
ATa+CS6MjloKFgRaGnKAAFPsrEeGjb2JgMOpIfbdx4KT3WkspsK3KPwFPoYza4ih
4eT2HwhcUs4wo7X/XQd+CZjttoLsSyCk5tCmOGU6xLaE1s08R6sz9mM=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDZzCCAk+gAwIBAgIQNO7aLfykR4pE94tcRe0vyDANBgkqhkiG9w0BAQUFADBG
K73RIKZaDkBOuUlRSIfgfovUFJrdwGtMWo3m4dpN7csQAjK/uixfJDVRG0nXk9pq
GXaS5/YCv5B4q4T+j5pa2f+a61ygjN1YQRoZf2CHLe7Zq89Xv90nhPM4foWdNNkr <-----Intermediate Certificate
/Esf1E6fnrItsXpIchQOmvQViis12YyUvwko2aidjVm9sML0ANiLJZSoQ9Zs/WGC
TLqwbQm6tNyFB8c=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDZzCCAk+gAwIBAgIQNO7aLfykR4pE94tcRe0vyDANBgkqhkiG9w0BAQUFADBG
K73RIKZaDkBOuUlRSIfgfovUFJrdwGtMWo3m4dpN7csQAjK/uixfJDVRG0nXk9pq
GXaS5/YCv5B4q4T+j5pa2f+a61ygjN1YQRoZf2CHLe7Zq89Xv90nhPM4foWdNNkr <-----Root Certificate
/Esf1E6fnrItsXpIchQOmvQViis12YyUvwko2aidjVm9sML0ANiLJZSoQ9Zs/WGC
TLqwbQm6tNyFB8c=
-----END CERTIFICATE-----

 

Step 2: Replace Certificate on  Vcenter Server

I added commands for VCenter Server Appliance. But the same operation can be performed for all VCenter Server solutions with same command sets.

vCenter Server 6.x Appliance:

/usr/lib/vmware-vmca/bin/certificate-manager

Windows vCenter Server 6.x:

C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager

If you start operation without making a  change on the certificate-manager file, you probably get an error that  SAN mismatch problem.

Error: Previous Machine_SSL_CERT Subject alternative name does not match new Machine_SSL_Certificate Subject alternative name

How to fix SAN mismatch  Problem?

Open certificate-manager with "vi"  command on appliance server  and  uncommend these  two lines. It will disable SAN  check for the certificate. This  bug  fixed  for VCenter  Appliance  6.5  Update 2.

#        if var.strip() in ['1']:
#            iscomparerequired = compare_certificate_san(oldcert, cert_file)

Then start certificate-manager command from  VCenter Server CLI.

1. Replace Machine SSL certificate with Custom Certificate

2. Import custom certificate(s) and key(s) to replace existing Machine SSL certificate

File : /root/certificate/machine_name_ssl.cer

File : /root/certificate/machine_name_ssl.pem

Type  "Y" wait  for operation finished message.

root@casesup [ /usr/lib/vmware-vmca/share/config ]# /usr/lib/vmware-vmca/bin/certificate-manager

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
| |
| *** Welcome to the vSphere 6.5 Certificate Manager *** |
| |
| -- Select Operation -- |
| |
| 1. Replace Machine SSL certificate with Custom Certificate |
| |
| 2. Replace VMCA Root certificate with Custom Signing |
| Certificate and replace all Certificates |
| |
| 3. Replace Machine SSL certificate with VMCA Certificate |
| |
| 4. Regenerate a new VMCA Root Certificate and |
| replace all certificates |
| |
| 5. Replace Solution user certificates with |
| Custom Certificate |
| |
| 6. Replace Solution user certificates with VMCA certificates |
| |
| 7. Revert last performed operation by re-publishing old |
| certificates |
| |
| 8. Reset all Certificates |
|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|
Note : Use Ctrl-D to exit.
Option[1 to 8]: 1

Please provide valid SSO and VC priviledged user credential to perform certificate operations.
Enter username [Administrator@vsphere.local]:
Enter password:
1. Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate

2. Import custom certificate(s) and key(s) to replace existing Machine SSL certificate

Option [1 or 2]: 2

Please provide valid custom certificate for Machine SSL.
File : /root/certificate/machine_name_ssl.cer

Please provide valid custom key for Machine SSL.
File : /root/certificate/machine_name_ssl.pem

Please provide the signing certificate of the Machine SSL certificate
File : /root/certificate/machine_name_ssl.cer

You are going to replace Machine SSL cert using custom cert
Continue operation : Option[Y/N] ? : Y
Command Output: /root/certificate/machine_name_ssl.cer: OK

Get site nameCompleted [Replacing Machine SSL Cert...]
casesup
Lookup all services
Get service casesup:c356f22f-9d44-4be4-91a9-0e4e305994f1
Update service casesup:c356f22f-9d44-4be4-91a9-0e4e305994f1; spec: /tmp/svcspec_Z11tuk
Get service casesup:f6dc9833-0041-4346-a043-2f4622011a81
Update service casesup:f6dc9833-0041-4346-a043-2f4622011a81; spec: /tmp/svcspec_fGNuRH
Get service casesup:e59448b5-34a9-4586-876d-33ed4ad4597f
Update service casesup:e59448b5-34a9-4586-876d-33ed4ad4597f; spec: /tmp/svcspec_GmpdIy
Get service 5cb25d97-ed0f-4215-9817-e3ac70452f5d
Update service 5cb25d97-ed0f-4215-9817-e3ac70452f5d; spec: /tmp/svcspec_JeEg_c
Get service 2d50a097-a767-47c6-8d2a-70665cca887d
Update service 2d50a097-a767-47c6-8d2a-70665cca887d; spec: /tmp/svcspec_KXowhM
Get service e6f4b9de-db1e-45dc-bbe0-e8ac142da937
Update service e6f4b9de-db1e-45dc-bbe0-e8ac142da937; spec: /tmp/svcspec_I0j6j3
Get service e97cf640-6ccc-486b-822a-f221c5742286
Update service e97cf640-6ccc-486b-822a-f221c5742286; spec: /tmp/svcspec_zN0DEY
Get service dbfd48c8-0ce6-4bb3-ad3d-c9213643c051
Update service dbfd48c8-0ce6-4bb3-ad3d-c9213643c051; spec: /tmp/svcspec_76ziZy
Get service 9f92637e-7272-44dd-917a-f188b9f772f9_com.vmware.vcops
Don't update service 9f92637e-7272-44dd-917a-f188b9f772f9_com.vmware.vcops
Get service 276ab509-f557-4b24-89cf-41191e8b2d40
Update service 276ab509-f557-4b24-89cf-41191e8b2d40; spec: /tmp/svcspec_CJOW1i
Get service 5b528658-6cd0-4dd3-baf2-233b65b4efed
Update service 5b528658-6cd0-4dd3-baf2-233b65b4efed; spec: /tmp/svcspec_xInvwq
Get service 3a8071dc-8b10-49dd-b01d-612f6fe9613d
Update service 3a8071dc-8b10-49dd-b01d-612f6fe9613d; spec: /tmp/svcspec_20We5A
Get service c23c5f80-5454-4c47-bbfe-3055ca930834
Update service c23c5f80-5454-4c47-bbfe-3055ca930834; spec: /tmp/svcspec_g5oUVY
Get service 4c175cc1-0834-44d2-8f82-eb6b9a69f625
Update service 4c175cc1-0834-44d2-8f82-eb6b9a69f625; spec: /tmp/svcspec_0ARLM1
Get service 77be3b9e-630a-4fb7-885f-cd3dbc1f5609
Update service 77be3b9e-630a-4fb7-885f-cd3dbc1f5609; spec: /tmp/svcspec_6xwF6S
Get service 7e5ceee2-7ff5-4a0f-9f2b-7fe95e00071e
Update service 7e5ceee2-7ff5-4a0f-9f2b-7fe95e00071e; spec: /tmp/svcspec_fAXLnn
Get service db96b53e-fdd6-4613-9135-af59f0788819_kv
Update service db96b53e-fdd6-4613-9135-af59f0788819_kv; spec: /tmp/svcspec_UEuzhB
Get service af7e468a-35e7-461b-99c5-633a033b1de1
Update service af7e468a-35e7-461b-99c5-633a033b1de1; spec: /tmp/svcspec_sEF7BW
Get service db96b53e-fdd6-4613-9135-af59f0788819
Update service db96b53e-fdd6-4613-9135-af59f0788819; spec: /tmp/svcspec_H5SgSc
Get service 8dcefb01-78fa-43c2-b19e-54fb6692a03b
Update service 8dcefb01-78fa-43c2-b19e-54fb6692a03b; spec: /tmp/svcspec_PKpiXD
Get service 3f7efe80-ac2d-439b-abd8-a9b183b0ec86
Update service 3f7efe80-ac2d-439b-abd8-a9b183b0ec86; spec: /tmp/svcspec_cVMvJz
Get service 74ace25f-f910-420e-b3c8-1a884884872f
Update service 74ace25f-f910-420e-b3c8-1a884884872f; spec: /tmp/svcspec_JHhSZO
Get service 9f92637e-7272-44dd-917a-f188b9f772f9
Update service 9f92637e-7272-44dd-917a-f188b9f772f9; spec: /tmp/svcspec_Xyd7NF
Get service db96b53e-fdd6-4613-9135-af59f0788819_authz
Update service db96b53e-fdd6-4613-9135-af59f0788819_authz; spec: /tmp/svcspec_E0d97H
Get service 81b4f815-0d81-4a73-8a9b-5a4ae6f8a39e
Update service 81b4f815-0d81-4a73-8a9b-5a4ae6f8a39e; spec: /tmp/svcspec_U5nAu3
Get service a703a6a6-bf29-49a1-bdbb-2e67b3be7390
Update service a703a6a6-bf29-49a1-bdbb-2e67b3be7390; spec: /tmp/svcspec_MFAeqF
Get service 02dfb9c8-405b-4d48-a7bc-4af60e79acf0
Update service 02dfb9c8-405b-4d48-a7bc-4af60e79acf0; spec: /tmp/svcspec_1zkBkn
Get service 9089ecef-85f5-40f7-8907-ffc635831071
Update service 9089ecef-85f5-40f7-8907-ffc635831071; spec: /tmp/svcspec_sMbqEE
Get service c82d011d-a60d-4f96-b720-07962e139625
Update service c82d011d-a60d-4f96-b720-07962e139625; spec: /tmp/svcspec_EpdGIM
Get service 6beffc52-654b-4b2a-967b-a46052f973e3
Update service 6beffc52-654b-4b2a-967b-a46052f973e3; spec: /tmp/svcspec_8WMDTb
Updated 29 service(s)
Status : 100% Completed [All tasks completed successfully]

Step 3: Replace Certificate on  ESXi  Server

a) Login  ESXi host shell

b)Check certificate  under  "/etc/vmware/ssl"

c)Backup current certificate which starts  with  rui*

#cd  /etc/vmware/ssl
#cp rui.crt rui.key_backup
#cp rui.key rui.crt_backup
#ls -lrt
total 32
-rw-r--r-T 1 root root 0 Mar 21 21:10 vsanvp_castore.pem
-rw-r--r-T 1 root root 0 Mar 21 21:10 vsan_kms_client_old.key
-rw-r--r-T 1 root root 0 Mar 21 21:10 vsan_kms_client_old.crt
-rw-r--r-T 1 root root 0 Mar 21 21:10 vsan_kms_client.key
-rw-r--r-T 1 root root 0 Mar 21 21:10 vsan_kms_client.crt
-rw-r--r-T 1 root root 0 Mar 21 21:10 vsan_kms_castore_old.pem
-rw-r--r-T 1 root root 0 Mar 21 21:10 vsan_kms_castore.pem
-r--r--r-- 1 root root 229 Apr 18 01:38 openssl.cnf
-r-------- 1 root root 3211 Jun 28 23:53 rui.bak
-rw-r--r-- 1 root root 2551 Jun 28 23:53 castore.pem
-rw-r--r-- 1 root root 3169 Jun 28 23:53 iofiltervp.pem
-r-------- 1 root root 1708 Jul 9 06:15 rui.key_backup
-rw-r--r-- 1 root root 1460 Jul 9 06:16 rui.crt_backup
-rw-r--r-- 1 root root 3891 Jul 9 06:17 rui.crt
-r-------- 1 root root 3272 Jul 9 06:17 rui.key
[root@casesup:/etc/vmware/ssl]

 

d)Change  RUI.crt  And RUI.KEY

You should open file with "vi" then remove all certificates. After then import new ones.

e)Restart Management  Process

After you finished to add the certificate to the file named "rui.crt" and "rui.key"  then you should restart management agents. Also, host restart is another option. But if you don't want to restart host then you should connect ESXi console then press "F2", enter root password restart management agent under Troubleshooting. Please read the warning when you will restart management agent. All remote connections to this host will be closed when you start the operation.

 

Userful  Links:

ESXi  Host VMware Page

VCenter Server VMware Page

I'm a IT Infrastructure and Operations Architect with extensive experience and administration skills and works for Turk Telekom. I provide hardware and software support for the IT Infrastructure and Operations tasks.

205 Total Posts
Follow Me

3 Comments

  1. man your solution doesn't work for me and it has destroyed my cert manger file. its no longer works

Leave a Reply