Home > Update Manager, vCenter, VMware > vSphere 5 Certificates: 7 – Replacing the default Update Manager 5 Server Certificate

vSphere 5 Certificates: 7 – Replacing the default Update Manager 5 Server Certificate

November 30th, 2011

This is the final post of a 7 part post on managing vSphere 5 Certificates:

  1. Installing a Root Certificate Authority
  2. Distributing the root CA certificate to clients
  3. Creating the default vCenter 5 Server Certificate and including a DNS alias
  4. Replacing the default vCenter 5 Server Certificate
  5. Replacing the default vCenter 5 Web Client Server Certificate
  6. Replacing the default vCenter 5 Inventory Service Certificate
  7. Replacing the default Update Manager 5 Server Certificate

VMware Update Manager uses a different self-signed certificate to authenticate against vCenter Server which also needs to be replaced. You can use the same vCenter certificate if the Update Manager installation is on the same server as vCenter or create and trust a new certificate using the same procedure with the Update Manager server name if it is on another server.

On the Update Manager Server navigate to the Update Manager installation directory C:\Program Files (x86)\VMware\Infrastructure\Update Manager.

Make a backup copy of the SSL folder.

image

Copy the same rui.crt, rui.key and rui.pfx certificate files you created as part of the vCenter Server certificate process into the SSL folder if Update Manager is on the same server else use the other ones you have created.

Image(1)_thumb


Launch the Update Manager Utility which is located:

C:\Program Files (x86)\VMware\Infrastructure\Update Manager\VMwareUpdateManagerUtility.exe

Log into vCenter with an administrative account.

image

Select SSL Certificate

image

The steps listed are for creating the certificates and copying the files which have already been done.

Select Followed and verified the steps and click Apply.

image

The configuration change will be applied.

When complete, you will see a dialog box.

image

Restart the VMware vSphere Update Manager Service to complete the certificate change.

You can confirm the certificate has been installed successfully by re-launching the vSphere client and ensuring you no longer get any certificate warnings for the vCenter Server and Update Manager (you may still get warnings for other vCenter components and plug-ins which use different certificates).

Once complete you have successfully created your own Root Certificate Authority, deployed the root CA certificate to your clients and created and replaced the default certificates for VMware vCenter, Web Client ServerInventory Service and Update Manager.

  1. pricemc1
    May 31st, 2012 at 14:33 | #1

    Nice series. Any chance you do an additional article on replacing the default Auto-Deploy certificate as well? The docs are wonderfully lacking on the detailed procedures for this.

  2. September 30th, 2012 at 04:31 | #2

    To close the loop on my earlier reply, with the exception of the Web Client certificate (which differs only at the end) the process is the same for replacing all these certificates under vCenter 5.1.

  3. athlon1982
    October 27th, 2012 at 09:45 | #3

    After change the certificates with this guide, everything is working fine except the Windows XP clients that couldn´t connect with the vCenter 5.0 with the vClient 5.0 showing errors about connection failed, too long to respond, system out of memory… any idea? We delete the regystry key http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1010955 but after reapliying the cert the issue is still there, any idea?

  1. No trackbacks yet.
Comments are closed.