
vSphere 5 Certificates: 5 – Replacing the default vCenter 5 Web Client Server Certificate

February 28th, 2012

This is part 5 of a 7-part post on managing vSphere 5 Certificates:

  1. Installing a Root Certificate Authority
  2. Distributing the root CA certificate to clients
  3. Creating the default vCenter 5 Server Certificate and including a DNS alias
  4. Replacing the default vCenter 5 Server Certificate
  5. Replacing the default vCenter 5 Web Client Server Certificate
  6. Replacing the default vCenter 5 Inventory Service Certificate
  7. Replacing the default vSphere Update Manager 5 Server Certificate

vCenter Server actually has three different components which need their certificates updated: vCenter Server, vCenter Web Client Server and vCenter 5 Inventory Service. Initially I had only written the vCenter Server certificate steps but luckily Michael Webster (VCDX #66) keeps me on my toes and I’ve now added parts for the other two components.

By now you should have created the default vCenter 5 server certificate files and replaced the default vCenter 5 Server certificate, so you can go ahead and replace the vCenter 5 Web Client Server Certificate with the same new certificate files you have already created.

On the vCenter Server navigate to C:\Program Files\VMware\Infrastructure\vSphere Web Client\DMServer\config\.

Make a backup copy of the SSL folder.


Copy the rui.crt, rui.key and rui.pfx files from C:\OpenSSL-Win64\bin into the vCenter Web Client Server SSL folder.


Restart the VMware vSphere Web Client Service.

You then need to re-register the Web Client plug-in with vCenter.

This can either be done from the Web Client Administration Tool by browsing to:

https://localhost:9443/admin-app/

but as I don’t like having to hassle with installing Adobe Flash on the vCenter Server I prefer to unregister and then register again with the command line tool.

Open a command prompt and change directory to:

C:\Program Files\VMware\Infrastructure\vSphere Web Client\scripts

To unregister the Web Client, run the admin-cmd script pointing to your vCenter Server and use an admin username and password:

admin-cmd unregister https://lonvc01.lab.int:9443/vsphere-client lonvc01.lab.int lab\lab-svc-vc *password*

Type Y to unregister the vCenter Server system.

Type Y to ignore the SSL Certificate for this operation.


To register the Web Client, run the admin-cmd script pointing to your vCenter Server and use an admin username and password:

admin-cmd register https://lonvc01.lab.int:9443/vsphere-client lonvc01.lab.int lab\lab-svc-vc *password*

You then get prompted with a certificate warning. I haven’t been able to work out why as it seems to imply the new certificate is not trusted. This procedure does work though and when you check it at the end the trusted certificate has been used by the Web Client. Annoying, if anyone can explain I would appreciate it!

Type I to ignore the SSL error for this operation.


The certificate has now been installed.

This can be checked by using a browser and navigating to the Web Client using the FQDN or DNS alias of the vCenter server rather than localhost so the certificate details match the client request:

https://lonvc01.lab.int:9443/vsphere-client/
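As an added example (not the post's own steps or VMware's tooling), the following PowerShell automates the backup, copy and service restart above and then checks, over TLS to the FQDN on port 9443, that the certificate the Web Client now serves carries the thumbprint of rui.crt. The paths and FQDN are those used in this post; the service display-name wildcard and the backup folder name are assumptions, and the admin-cmd unregister/register step is still run interactively as described above.

```powershell
# Added example (not from the post): backup, copy, restart and thumbprint check
# for the vCenter 5 Web Client certificate. Run in an elevated prompt on the
# vCenter Server. Paths and FQDN come from the post; the backup folder name and
# the service display-name wildcard are assumptions for your environment.
$SslDir  = 'C:\Program Files\VMware\Infrastructure\vSphere Web Client\DMServer\config\SSL'
$CertSrc = 'C:\OpenSSL-Win64\bin'
$Fqdn    = 'lonvc01.lab.int'
$Port    = 9443

# 1. Back up the current SSL folder so the default certificate can be restored.
$Backup = "$SslDir.bak-$(Get-Date -Format yyyyMMdd-HHmmss)"
Copy-Item -Path $SslDir -Destination $Backup -Recurse -ErrorAction Stop

# 2. Copy the new certificate, private key and PFX created in part 3.
foreach ($f in 'rui.crt', 'rui.key', 'rui.pfx') {
    Copy-Item -Path (Join-Path $CertSrc $f) -Destination $SslDir -Force -ErrorAction Stop
}

# 3. Restart the Web Client service so it loads the new key pair.
$svc = Get-Service -DisplayName 'VMware vSphere Web Client*' | Select-Object -First 1
Restart-Service -InputObject $svc -Force
$svc.WaitForStatus('Running', [TimeSpan]::FromMinutes(2))

# 4. Check: the certificate served on :9443 must be the one in rui.crt.
#    Connect by FQDN (not localhost) so the name requested matches the cert.
function Get-ServedCertificate([string]$HostName, [int]$TcpPort) {
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $TcpPort)
    try {
        # The validation callback returns $true only so the handshake completes
        # and the leaf certificate can be read; trust is decided by the comparison below.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $client.Close() }
}

$expected = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2((Join-Path $SslDir 'rui.crt'))
$served   = Get-ServedCertificate $Fqdn $Port
Write-Host "Expected thumbprint: $($expected.Thumbprint)"
Write-Host "Served   thumbprint: $($served.Thumbprint)  Subject: $($served.Subject)"
if ($served.Thumbprint -ne $expected.Thumbprint) {
    Write-Warning 'Web Client still serves a different certificate; confirm the files were copied and the service restarted.'
} else {
    Write-Host 'Web Client is serving the new certificate.'
}
```

A thumbprint mismatch after a clean restart usually means the files landed in the wrong folder (see the vCenter 5.5 path noted in the comments) or the service was not actually restarted.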


Part 6 will show you how to replace the default vCenter 5 Inventory Service certificate.

  1. September 30th, 2012 at 04:12 | #1

    Just a FYI, under vCenter 5.1 the process is the same EXCEPT rather than reregistering the Web Client the “old” way (CLI scripts or admin-app webapp) you simply restart vCenter Single Sign On service. The vCenter Lookup Service is part of the vCenter SSO service, and it automatically registers the Web Client upon restart.

    Helpful series of posts. I always like posts like these over trudging through VMware documentation.

  2. Shantanu
    October 12th, 2012 at 07:46 | #2

    When I choose the option ‘A’ while registering web client service, I don’t get the certificate error after I LOGIN using web-client, if I choose option ‘I’ as mentioned in the post I don’t get the certificate error after entering the url “https://:9443/vsphere-client/” , but after I put in the credentials and press Enter the certificate error pops up. Maybe someone can second my experience here…

  3. faustn
    October 30th, 2012 at 16:31 | #3

    Hello,
    I have the same problem, I replaced every bit of certificate (with great help from these articles), but I always get a warning pop-up that the certificate is not trusted AFTER I log in at the web client.

    The first warning disappeared (before the login screen at the web client), when I replaced properly the default certificate with my self-signed ones. But, now I get a warning after log-in that is very annoying and I do not want to tell all my users that they have to install a certificate… since the point of replacing the certificate and pushing with Active Directory GPOs the certificate authority, was NOT to have warnings.

    I opened a vmware support request… still nothing…

    It helps to know that I’m not the only one with this problem.

    I will post it if WE solve this problem.

    Thanks again to the people who wrote these articles… it helps because it is not a simple process !

  4. faustn
    October 30th, 2012 at 16:37 | #4

    Hi,

    Sorry first time posting… forgot to check the notify me box…

  5. faustn
    October 31st, 2012 at 15:17 | #5

    Hello Shantanu and the authors of this GREAT 5-part series,

    I resolved the issue of replacing all the default certificates with self-signed certificates on vsphere 5 and still receiving a “WARNING SSL certificate is not trusted” after the vSphere Web client login…

    UNREGISTER the vcenter server in the web client admin interface :
    https://fqdnvcenterserver:9443/admin-app/#

    REGISTER the vcenter server again, but when it prompts the WARNING for the certificate, CLICK the Box to “Install this certificate”…

    The result will show the vcenter server registered and the SSL Emprint key that should correspond to the one of your new certificates that you generated and installed before.

    To the AUTHORS of these articles, if you want to adjust the part 5 (replacing the default vcenter 5 web client…), the step when you re-register the Web-client plug-in with vcenter… instead of “Type I to ignore the SSL operation…” it should be choose to INSTALL the certificate..

    I don’t know if you can do it through the command-line (probably), but if not, all you have to do is use the GUI interface to REGISTER the plug-in (https://fqdnvcenter:9443/admin-app/#)

    Hope this helps someone !
    Thanks to Shantanu (who gave me the idea of trying to install the certificate – even though I replace the certificate files) and to the authors of the 5 parts series.

  6. WoodITWork
    November 1st, 2012 at 16:00 | #6

    Hi @faustn , thanks for sharing your experiences.
    If you are getting certificate trusting issues make sure the root CA or intermediate certificate is installed on all servers. This is explained in Step 2 Distributing the root CA certificate to clients http://www.wooditwork.com/?p=2671

    You shouldn’t have to install any certificates with this method as it will be automatically distributed by AD.

  7. faustn
    November 1st, 2012 at 16:10 | #7

    Hello,

    Thanks for your reply.

    Unfortunately I did follow all the parts of the series, and it worked great except for the web client.

    I mean that the warnings that I was receiving before replacing the certificates on all components and trusting the CA root… for example, I was receiving a warning when I opened the vSphere Client, then when I started the vSphere Web client (BEFORE the LOGIN) I received a warning.

    Then, after I replaced the certificates and pushed the trusted CA through GPO… it worked and these warnings disappeared… but I received a new one from the vSphere Web client AFTER I LOG IN, it’s this one that I resolved by installing it when I re-registered the vcenter in the web client.

    I know, it doesn’t make any sense… that’s what I told vmware, but the thing is that by doing this at least I don’t have to tell all my users (about 300) to install the certificate when they login to the vsphere web client.

    I believe this is a bug from vmware… since it is not a 1-2-3 process to replace the certificate… I hope that the future version will be easier regarding managing the certificates.

    Thanks.

  8. Shantanu
    November 1st, 2012 at 18:43 | #8

    @faustn
    Thanks everyone for sharing their valuable inputs and yes I agree with faustn, replacing certificates on the vCenter is no child’s play. Had it not been for this article I wouldn’t have implemented Certificate based security in our environment.

    I would also want to ask any of our authors if they could provide some instruction set similar to this article in configuring certificates for ESXi hosts and any third party plugins for example:- Dell Management Plugin, HP Insight Plugin, EMC Storage Plugin?

  9. Shane Williford
    December 21st, 2012 at 13:05 | #9

    I really appreciate this series Julian..have used it a few times and shared it with others 🙂

    @Shantanu – since this thread is about certs, probably outside the scope of what they want to share. But, to assist you in installing a driver or plugin on a Host (currently installed Host or not-yet-installed Host), see this VMware KB: http://kb.vmware.com/kb/2005205

    From a high-level, the basic principle to do so is the following:
    1. Copy .zip that contains the plug-in vib on a datastore accessible by each Host wanting to install the plug-in on. This can be done using the vSphere Client > Upload File toolbar icon in the Datastore Browser
    2. Putty to your Host, or use another SSH Tool (vCLI, vMA, etc.)
    3. Place Host in Maintenance Mode, then run the following esxcli command:
    a. esxcli software vib install -d /vmfs/volumes/datastore/plugin-offline-bundle.zip
    4. Reboot the Host and exit Maintenance Mode

    Regards.
    Shane (@coolsport00)

  10. Ricardo
    August 2nd, 2013 at 19:31 | #10

    Hello

    Really nice series !!! Thanks for the reference !

    Does anybody know if it is mandatory to replace the SSL Certificates of ESXi Servers after you have replaced the default vCenter Server Certificate ?
    Thanks.

    • WoodITWork
      August 5th, 2013 at 12:57 | #11

      No it isn’t, you can continue to have untrusted ESXi hosts with a trusted vCenter.

  11. Irina
    April 4th, 2014 at 15:34 | #12

    Hi,

    Trying these steps for vcenter 5.5 U1 I found out that the default certificates
    for the web client are in C:\ProgramData\VMware\vSphere Web Client\ssl, not in
    C:\Program Files\VMware\Infrastructure\vSphere Web Client\DMServer\config\SSL.

    Thank you to the author for sharing his knowledge.
