Configuring CA signed SSL certificates for vCenter components in vSphere 5.x
Note: Here I used the VMware certificate tool for custom certificate generation; OpenSSL can also be used. The associated download links are below.
a) VMware Certificate Automation Tool
b) OpenSSL
1) Run updater.bat from the automation tool bundle. From the SSL Certificate Automation tool, select Option 2 to Generate Certificate Requests.
2) Select the option for the service you are generating the certificate request for.
3) Enter the information requested for the certificate request. By default the SSL Certificate Automation tool automatically populates much of the information required.
4) Save the CSR and the KEY on to the computer.
Repeat steps 2, 3 and 4 until you have the CSR and KEY files for all the vCenter Server components.
At the end of step 4, you should have the rui.csr and rui.key files in each of the respective directories specified for the different services.
5) After the certificate request is created, it must be given to the certificate authority for generation of the actual certificate.
To obtain the certificate using the CSR file, refer to the “Obtaining the certificate” section in the following knowledge base article:
At the end of this step, we should have rui.crt for all the vCenter components, along with the root certificate (Root64.cer) and the intermediate certificates (Root64-1.cer), if any.
6) Install the root certificate into the Trusted Root Certificate Authorities > Local Computer certificate store on each Windows system which has a service installed or which will be used to connect a client to the services. If you are using intermediate certificates you should install them into the Intermediate Certificate Authorities > Local Computer certificate store.
7) Create the chain.pem file using the following steps:
a) Copy Root64.cer and Root64-1.cer to all the folders of the vCenter Server components.
b) Open a command prompt and navigate to the directory where the certificate file for each vCenter component is saved.
For example: for Single Sign-On, if the certificate is located on the C drive, open a command prompt and navigate to c:\certs\SSO
c) Run the following command to concatenate the certificate, the intermediate certificate and the root CA certificate, in that order, into chain.pem.
copy /B rui.crt+Root64-1.cer+Root64.cer chain.pem
This will create the chain.pem file in the following format:
GXaS5/YCv5B4q4T+j5pa2f+a61ygjN1YQRoZf2CHLe7Zq89Xv90nhPM4foWdNNkr <----- Intermediate Certificate
GXaS5/YCv5B4q4T+j5pa2f+a61ygjN1YQRoZf2CHLe7Zq89Xv90nhPM4foWdNNkr <----- Root Certificate
Now we have all the necessary files to deploy the SSL certificates. Run the plan from the SSL Certificate Automation Tool. Provide the required inputs as indicated by the plan, and we should be able to deploy the certificates without any problem.
For future reference, you can also refer to the following knowledge base articles:
Thanks and Regards