This is part 5 of a 7-part post on managing vSphere 5 Certificates:
- Installing a Root Certificate Authority
- Distributing the root CA certificate to clients
- Creating the default vCenter 5 Server Certificate and including a DNS alias
- Replacing the default vCenter 5 Server Certificate
- Replacing the default vCenter 5 Web Client Server Certificate
- Replacing the default vCenter 5 Inventory Service Certificate
- Replacing the default vSphere Update Manager 5 Server Certificate
vCenter Server actually has three different components which need their certificates updated: vCenter Server, vCenter Web Client Server and vCenter 5 Inventory Service. Initially I had only written the vCenter Server certificate steps but luckily Michael Webster (VCDX #66) keeps me on my toes and I’ve now added parts for the other two components.
You should by now have created the default vCenter 5 Server certificate files and replaced the default vCenter 5 Server certificate. You can now go ahead and replace the vCenter 5 Web Client Server certificate with the same new certificate files you have created.
On the vCenter Server navigate to C:\Program Files\VMware\Infrastructure\vSphere Web Client\DMServer\config\.
Make a backup copy of the SSL folder.
Copy the rui.crt, rui.key and rui.pfx files from C:\OpenSSL-Win64\bin into the vCenter Web Client Server SSL folder.
Restart the VMware vSphere Web Client Service.
You then need to re-register the Web Client plug-in with vCenter.
This can either be done from the Web Client Administration Tool by browsing to:
https://localhost:9443/admin-app/
but as I don’t like having to hassle with installing Adobe Flash on the vCenter Server I prefer to unregister and then register again with the command line tool.
Open a command prompt and change directory to:
C:\Program Files\VMware\Infrastructure\vSphere Web Client\scripts
To unregister the Web Client, run the admin-cmd script pointing to your vCenter Server and use an admin username and password:
admin-cmd unregister https://lonvc01.lab.int:9443/vsphere-client lonvc01.lab.int lab\lab-svc-vc *password*
Type Y to unregister the vCenter Server system.
Type Y to ignore the SSL Certificate for this operation.
To register the Web Client, run the admin-cmd script pointing to your vCenter Server and use an admin username and password:
admin-cmd register https://lonvc01.lab.int:9443/vsphere-client lonvc01.lab.int lab\lab-svc-vc *password*
You then get prompted with a certificate warning. I haven’t been able to work out why as it seems to imply the new certificate is not trusted. This procedure does work though and when you check it at the end the trusted certificate has been used by the Web Client. Annoying, if anyone can explain I would appreciate it!
Type I to ignore the SSL error for this operation.
The certificate has now been installed.
This can be checked by using a browser and navigating to the Web Client using the FQDN or DNS alias of the vCenter server rather than localhost so the certificate details match the client request:
https://lonvc01.lab.int:9443/vsphere-client/
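The browser check above can also be scripted, which is useful because the unregister and register steps were run with SSL errors ignored. The following PowerShell is an added example, not part of the original post or of VMware's tooling: it compares the thumbprint of the certificate served on port 9443 with the rui.crt copied earlier, and reports whether the requested name is in the certificate's SAN list and whether the chain builds to a trusted root. The host name and paths are the ones used in this post, the helper name Get-ServedCertificate is made up for the example, and the "DNS Name=" match assumes an English-language Windows.

```powershell
# Added example: confirm the Web Client now serves the certificate that was copied in.
# Host name and paths are the ones used in this post; change them for your environment.
$VcHost  = 'lonvc01.lab.int'
$Port    = 9443
$CrtPath = 'C:\Program Files\VMware\Infrastructure\vSphere Web Client\DMServer\config\SSL\rui.crt'

function Get-ServedCertificate {   # hypothetical helper name
    param([string]$HostName, [int]$Port)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever is presented so it can be captured; it is validated separately below.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        try {
            $ssl.AuthenticateAsClient($HostName)
            New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        } finally { $ssl.Dispose() }
    } finally { $tcp.Close() }
}

$expected = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CrtPath)
$served   = Get-ServedCertificate -HostName $VcHost -Port $Port

# Subject Alternative Name extension (OID 2.5.29.17); Windows formats it as "DNS Name=a, DNS Name=b".
$sanExt   = $served.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanNames = @()
if ($sanExt) { $sanNames = $sanExt.Format($false) -split ',\s*' }

# Build the chain against the Windows trust stores of the machine running this script.
$chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$trusted = $chain.Build($served)

New-Object PSObject -Property @{
    ServedThumbprint   = $served.Thumbprint
    ExpectedThumbprint = $expected.Thumbprint
    ThumbprintMatches  = ($served.Thumbprint -eq $expected.Thumbprint)
    HostNameInSan      = ($sanNames -contains "DNS Name=$VcHost")
    ChainTrusted       = $trusted
    ChainStatus        = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    NotAfter           = $served.NotAfter
}
```

ThumbprintMatches and HostNameInSan should both be True once the service has restarted with the new files. If ChainTrusted is False, ChainStatus shows why the machine running the script does not trust the chain.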
Part 6 will show you how to replace the default vCenter 5 Inventory Service certificate.