ESX Virtualization


VMware Certificate Automation Tool – How to use

By Vladan SEGET | Last Updated: April 18, 2013


Creating PEM files – this is another prerequisite, to be completed before you start using the automation tool. The PEM files are certificate chain files, one for each certificate.

  • Create a new file called chain.pem in each of the subfolders which represent the vCenter services (there are 7 in total).
  • Open the rui.crt file in Notepad and copy and paste its content into chain.pem, then open the Root64.cer file and paste its content right after it, without ANY whitespace in between.
  • Rinse and repeat for each of the 7 vCenter component services.
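The copy-and-paste procedure above can be scripted so that the order (rui.crt first, Root64.cer second) and the no-whitespace rule hold in every folder. This is an added example, not part of the original post or of VMware's tool; the base folder `C:\certs`, the location of Root64.cer and the helper name `Get-PemBlocks` are assumptions, and it expects certificates issued directly by the root CA.

```powershell
# Added example: build chain.pem (service certificate first, root CA second)
# in every subfolder of $CertRoot that contains a rui.crt.
# Assumed layout (not from the article): C:\certs\<service>\rui.crt, C:\certs\Root64.cer
param(
    [string]$CertRoot = 'C:\certs',              # assumed base folder
    [string]$RootCa   = 'C:\certs\Root64.cer'    # assumed root CA location
)

$pemBlock = '-----BEGIN CERTIFICATE-----[A-Za-z0-9+/=\s]+?-----END CERTIFICATE-----'

function Get-PemBlocks([string]$Path) {
    # Hypothetical helper: return each Base64 certificate block found in the
    # file, with blank lines and stray spaces stripped.
    $text = [System.IO.File]::ReadAllText($Path)
    [regex]::Matches($text, $pemBlock) | ForEach-Object {
        ($_.Value -split "\r?\n" | ForEach-Object { $_.Trim() } | Where-Object { $_ }) -join "`r`n"
    }
}

function ConvertTo-Cert([string]$Pem) {
    # Parse one PEM block so its subject and issuer can be compared.
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($Pem)
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$bytes)
}

$rootPem = @(Get-PemBlocks $RootCa)
if ($rootPem.Count -ne 1) { throw "$RootCa must contain exactly one Base64 certificate" }
$rootCert = ConvertTo-Cert $rootPem[0]

Get-ChildItem $CertRoot | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $leafPath = Join-Path $_.FullName 'rui.crt'
    if (-not (Test-Path $leafPath)) { return }   # not a service folder, skip it

    $leafPem = @(Get-PemBlocks $leafPath)
    if ($leafPem.Count -ne 1) {
        Write-Warning "$leafPath : expected one certificate, found $($leafPem.Count)"
        return
    }

    # Leaf first, root directly after it, no blank line in between.
    $chain = $leafPem[0] + "`r`n" + $rootPem[0] + "`r`n"
    $out = Join-Path $_.FullName 'chain.pem'
    [System.IO.File]::WriteAllText($out, $chain, (New-Object System.Text.ASCIIEncoding))

    # Sanity check: rui.crt must have been issued by the root being appended.
    if ((ConvertTo-Cert $leafPem[0]).Issuer -ne $rootCert.Subject) {
        Write-Warning "$($_.Name): rui.crt issuer does not match the Root64.cer subject"
    }
    "{0}: wrote {1}" -f $_.Name, $out
}
```

A warning about a mismatched issuer means the wrong root was appended or the certificate came from a different CA; fix that before running the tool, since it consumes chain.pem as-is.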

Using the VMware SSL Certificate Automation Tool

You'll need to shut down any dependent solutions which are running in the environment:

  • VMware Site Recovery Manager, vSphere Data Recovery, vCloud Director

First of all, depending on your environment, install the VMware Certificate Automation Tool on each of the vCenter components (if you have multiple VMs or servers). In my lab I have an all-in-one solution based on 2008R2SP1. You can still execute the initial planning step on a single machine.

  • Unzip the tool to a directory on each vCenter component VM. I've unzipped mine to c:\SSLAutomationTool1.0
  • Use Notepad to open ssl-environment.bat and enter the values for your environment. You basically follow the guide and fill in the different folders and subfolders with files.
  • Open an elevated command prompt, cd to c:\SSLAutomationTool1.0 and execute ssl-environment.bat from the command prompt.

[Screenshot: ssl-environment]

Run the planner – while still in CMD, you can run ssl-updater.bat

  • If you have multiple VMs with multiple vCenter services in your environment, you'll have to run this command from each of those VMs.

[Screenshot: ssl-updater]

  • Choose 1. Plan your steps to update SSL Certificates. You'll see a screen like this one, where you're presented with 9 menus. I chose number 8 to update all services.

[Screenshot: ssl-updater2]

  • The planner shows you what you'll need to accomplish (wow, 18 steps!).

This is the output. You'll have to follow EACH of THOSE STEPS in the right order:

[Screenshot: updates]

1. Go to the machine with Single Sign-On installed and – Update the Single Sign-On SSL certificate.
2. Go to the machine with Inventory Service installed and – Update Inventory Service trust to Single Sign-On.
3. Go to the machine with Inventory Service installed and – Update the Inventory Service SSL certificate.
4. Go to the machine with vCenter Server installed and – Update vCenter Server trust to Single Sign-On.
5. Go to the machine with vCenter Server installed and – Update the vCenter Server SSL certificate.
6. Go to the machine with vCenter Server installed and – Update vCenter Server trust to Inventory Service.
7. Go to the machine with Inventory Service installed and – Update the Inventory Service trust to vCenter Server.
8. Go to the machine with vCenter Orchestrator installed and – Update vCenter Orchestrator trust to Single Sign-On.
9. Go to the machine with vCenter Orchestrator installed and – Update vCenter Orchestrator trust to vCenter Server.
10. Go to the machine with vCenter Orchestrator installed and – Update the vCenter Orchestrator SSL certificate.
11. Go to the machine with vSphere Web Client installed and – Update vSphere Web Client trust to Single Sign-On.
12. Go to the machine with vSphere Web Client installed and – Update vSphere Web Client trust to Inventory Service.
13. Go to the machine with vSphere Web Client installed and – Update vSphere Web Client trust to vCenter Server.
14. Go to the machine with vSphere Web Client installed and – Update the vSphere Web Client SSL certificate.
15. Go to the machine with Log Browser installed and – Update the Log Browser trust to Single Sign-On.
16. Go to the machine with Log Browser installed and – Update the Log Browser SSL certificate.
17. Go to the machine with vSphere Update Manager installed and – Update the vSphere Update Manager SSL certificate.
18. Go to the machine with vSphere Update Manager installed and – Update vSphere Update Manager trust to vCenter Server.

  • Return to the main menu by choosing menu 9.

So here we go. I choose Menu 2: Update Single Sign-On

[Screenshot: update-certs]

Before proceeding any further I'm backing up my vCenter with Veeam, and I also create a temporary snapshot of my vCenter VM, as all the vCenter “roles” are on the single vCenter VM. It's a very simple precaution: if something goes wrong, I can easily revert the snapshot or restore the backup.

[Screenshot: success]

OK, we continue our adventure with SSL certificates and VMware's (semi) automated SSL replacement tool…

I go for Menu 1 in the Update the Single Sign-On SSL Certificate menu (as on the screenshot above).

It seems that everything went smoothly and my certificates have been updated. On the screenshot below you see one of the steps – the update of Inventory Service trust to Single Sign-On went fine. The rest of the steps went fine as well, and at the end I could just exit the ssl-updater tool.

[Screenshot: certificates-updates]

Wrap Up:

This tool helps, but not to the point where anyone could use it flawlessly. Completing all the tasks and steps takes a huge amount of time. I really hope that VMware will provide a better tool with the second release of this tool… (wish wish…).

As said at the beginning of the post, this article was my attempt at certificates, following the KB from VMware. I would highly recommend that VMware:

  1. Improve this tool so anyone can use it with fewer manual steps.
  2. Provide educational videos which would better explain the steps taken.

Sources:

  • Generating certificates for use with the VMware SSL Certificate Automation Tool (2044696)
  • Deploying and using the SSL Certificate Automation Tool (2041600)

About Vladan SEGET

This website is maintained by Vladan SEGET. Vladan is an independent consultant, professional blogger, vExpert x16, Veeam Vanguard x9, VCAP-DCA/DCD. The ESX Virtualization site started as a simple bookmarking site, but quickly found a large following of readers and subscribers.


Comments

  1. IonutN says

    May 10, 2013 at 9:19 am

    Great write-up. For those that want a more automated approach, I’ve written a script that handles certificate generation when using a Windows PKI with automatic certificate approval.
    http://www.rivnet.ro/2013/04/automate-replacing-of-certificates-in-vcenter-5-1.html

    After using the tool, the steps from your blog post apply.

    • Vladan SEGET says

      May 11, 2013 at 8:14 am

      Nice. Thanks for sharing.

  2. xgene19 says

    December 23, 2014 at 2:43 pm

    Vlad, in your experience, does the tool behave differently based on how you’ve upgraded vcenter? We started off with 4, upgraded 5.0…then skipped 5.1 (introduction of SSO), then upgraded from 5.0 to 5.5.

    I believe many of the file paths may be different with this way we upgraded as it isn’t “typical”. I spent 4 hours most was once I got to the 3rd SSL Cert to replace (vcenter cert). I was trying to fix the vcenter SSL cert getting various errors and looking up several KB articles to the point where I just gave up and reverted my snapshot. I did not have a good feeling about how it was going and am actually considering burning it down and reinstalling fresh.

    We are currently in a state where the SSO and Inventory certs were replaced, but the rest aren’t.

    thoughts?

    • Vladan SEGET says

      December 23, 2014 at 3:07 pm

      It’s a post from April 2013. Many things have changed since. You should get the latest utility from VMware or perhaps test third-party scripts, like the ones from Derek Seaman’s blog. The write-up was done on a simple lab environment which at that time (I guess) was running 5.1. So I can’t really give you a direct answer on that.

  3. was says

    March 15, 2015 at 1:54 pm

    Hi,
    Vladan,

    I read your article and I am impressed by your way of explaining.

    I have a question for you. If you would kindly answer this question, it will be much appreciated.

    1. Can we install 2012 server on a virtual machine and then install vCenter on this VM? This should not be a domain controller. My setup is like this:

    1.2 Two ESXi machines, Esxi1 and Esxi2, with 24-port HP switches. vSphere 5.5 on my client machine on the same subnet or same network, but I am confused.
    Where can I install vCenter? Either on the vSphere client machine, or make another VM on my ESXi hypervisor, name it vcenter machine, install 2012 server on that machine and then give it a static IP address connected to the SQL 2012 server for SSO. Is this the way, or is there any other way?

    Please let me know. Much appreciated.

    Regards,

    was
