Are you working with CA signed certificates in your vSphere environment? You might want to check out these recently published KB articles. They will definitely help you understand the whole process around installing and configuring them. (Thanks Simon for pointing these out!)
- Configuring CA signed certificates for VMware vCenter Server 5.0.x: http://kb.vmware.com/kb/2015421
- Configuring certificates signed by a Certificate Authority (CA) for vCenter Server Appliance 5.1: http://kb.vmware.com/kb/2036744
- Configuring CA signed SSL certificates for vSphere Update Manager in vCenter 5.1: http://kb.vmware.com/kb/2037581
- Creating certificate requests and certificates for the vCenter 5.1 components: http://kb.vmware.com/kb/2037432
- Configuring CA signed SSL certificates for vCenter SSO in vCenter 5.1: http://kb.vmware.com/kb/2035011
- Configuring CA signed SSL certificates for the Web Client and Log Browser in vCenter 5.1: http://kb.vmware.com/kb/2035010
- Configuring CA signed SSL certificates for the Inventory service in vCenter 5.1: http://kb.vmware.com/kb/2035009
- Configuring OpenSSL for installation and configuration of CA signed certificates in the vSphere environment: http://kb.vmware.com/kb/2015387
- Configuring CA signed certificates for ESXi 5.x hosts: http://kb.vmware.com/kb/2015499
- Configuring CA signed certificates for vCenter 5.1: http://kb.vmware.com/kb/2035005
- Implementing CA signed SSL certificates with vSphere 5.0: http://kb.vmware.com/kb/2015383
- Implementing CA signed SSL certificates with vSphere 5.1: http://kb.vmware.com/kb/2034833
Jamie says
The bottom four links seem to be broken.
“We’re sorry, but this Document is not currently available. Try again in a few minutes.”
Duncan Epping says
thanks, fixed
Joern Clausen says
Do certificates with a chain of CAs work by now? When I tried two years ago, this type of certificate caused several problems. The real show stopper was that deploying Windows templates was no longer possible. The administrator password given in the configuration wizard could not be decrypted(?) while configuring the OS on the new machine.
SDP says
It’s a pity VMware didn’t already provide a single GUI utility to simplify the ssl process for their products.
vCert Manager
“In the meantime, Webster is building his own utility for SSL certificate management, called vCert Manager, which will allow completely automated management of SSL certificates in a vSphere environment.”
http://itknowledgeexchange.techtarget.com/server-virtualization/vmware-issues-sso-patch-new-ssl-documentation/
Derek Seaman says
I wrote a series of blog posts on how to configure vCenter 5.1 with trusted SSL certificates: http://derek858.blogspot.com/2012/09/vmware-vcenter-51-installation-part-1.html
Benjamin says
What VMware provides in terms of a solution for SSL certs is a joke.
It’s a pity we pay them so much money and they expect you to do 100+ steps to insert a certificate!!
vk2hmc says
Nod, this is why Microsoft will eventually win the virtualisation war.
Stupid things like if the View connection server is installed before the composer the database doesn’t get initialised. Seriously, VMware need to wake up now.
Installing certificates is dangerous and liable to render the vCenter unusable with one wrong step.
And most normal people can’t fix it.
Most customers want the darn thing to work straight away with the minimum of fuss.
Benjamin says
Hi Guys,
I have found on one of the sites (don’t remember where) a script which would take your certificates and automatically install them into vCenter.
I have tested this on the vCenter Linux appliance 5.1 (based on SUSE SLES) with a wildcard from GoDaddy (*.domain.com).
Therefore I didn’t need to buy a separate certificate for each ‘component’ of vCenter; it all worked with the same one.
Here is the script:
http://pastebin.com/MFKcuWYX
Some notes:
##
# THIS PART ADDED BY BENNY SHTARK
#
# IMPORTANT!
# Create “A” record of IP of the server for the HOSTNAME first!
#
# 3 CERTIFICATE FILES WITH THIS SCRIPT SOMEWHERE ON VCENTER APPLIANCE
# USE WINSCP APP FOR EASY COPY FROM WINDOWS TO LINUX
# THEN RUN FOLLOWING:
#
# chmod +x chcert.sh
# ./chcert.sh .example.com 'vmware' '1server.crt,2inter.crt,3root.crt' 4private.key .example.com
#
# of course, change replace with the server actual HOSTNAME
Benjamin says
Almost forgot:
in the DISABLE SERVICES section, there are some services that are disabled by the script; you may want to keep them running.
Look for this line:
if [ ${DISABLE_UNDESIRED_SERVICES} -eq 1 ]; then
I think you want to comment this one:
chkconfig vmware-inventoryservice off
to leave the VMware inventory working properly…
Benjamin says
Also,
for the 4 certificates please see this:
The ‘1server.crt,2inter.crt,3root.crt’ certificate files must have this in their header:
-----BEGIN CERTIFICATE-----
while the 4private.key file must have this in its header (it’s another type of certificate file)
-----BEGIN RSA PRIVATE KEY-----
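A pre-flight check for the four files described in the comments above, as an added example that is not part of the original post or of the pastebin script: it confirms the PEM header lines (rejecting headers whose hyphens were replaced by typographic dashes when copied from a web page) and that the private key belongs to the server certificate. The function names are hypothetical, the argument order follows the file names used in the comment, and `openssl` is assumed to be installed.

```shell
#!/bin/sh
# Added example: pre-flight checks for the PEM files named in the comments above.
# Function names are illustrative; they are not part of chcert.sh.

# Print the PEM label on the first line of FILE ("CERTIFICATE", "RSA PRIVATE KEY"),
# or nothing when that line is not exactly -----BEGIN <label>----- in ASCII hyphens.
pem_label() {
    head -n 1 "$1" | tr -d '\r' | sed -n 's/^-----BEGIN \([A-Z0-9 ]*\)-----$/\1/p'
}

# Succeed only if FILE starts with the expected label.
has_label() {   # has_label FILE LABEL
    [ "$(pem_label "$1")" = "$2" ]
}

# Succeed only if the RSA private key and the certificate share one modulus.
# -passin pass: makes an encrypted key fail instead of prompting for a passphrase.
key_matches_cert() {   # key_matches_cert KEY CERT
    k=$(openssl rsa -in "$1" -noout -modulus -passin pass: 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# preflight SERVER INTER ROOT KEY: print the first problem found and return 1.
preflight() {
    for f in "$1" "$2" "$3"; do
        has_label "$f" "CERTIFICATE" || { echo "bad certificate header: $f"; return 1; }
    done
    has_label "$4" "RSA PRIVATE KEY" || { echo "bad private key header: $4"; return 1; }
    key_matches_cert "$4" "$1" || { echo "key does not match $1"; return 1; }
    echo "ok"
}

# Stand-alone use: ./preflight.sh 1server.crt 2inter.crt 3root.crt 4private.key
if [ "$#" -eq 4 ]; then preflight "$@"; fi
```

A key file that begins with `-----BEGIN PRIVATE KEY-----` (PKCS#8) is reported as a bad header here, because the comment above asks for the `RSA PRIVATE KEY` form.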