Replace VMware Update Manager 6.0 SSL certificates with domain CA signed certificates


The Problem

You just installed Update Manager and you keep getting that annoying SSL pop-up when opening the C# client saying it's not trusted. That sucks, right? Why not spend a bit of time getting rid of that pop-up (and not just click the install certificate button)? You may have other reasons to replace the certificate as well.

The Solution

I am going to turn the VMware KB on this issue https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1023011 into easy-to-follow instructions. Who doesn’t like pictures?

Step 1 – Create config file to punch into OpenSSL for CSR creation

Create a new file named updatemanager.cfg with the following contents:

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS: ServerShortName, DNS: ServerIPAddress, DNS: server.domain.com

[ req_distinguished_name ]
countryName = Country
stateOrProvinceName = State
localityName = City
0.organizationName = Company Name
organizationalUnitName = VMwareUpdateManager
commonName = server.domain.com

Make sure you update the subjectAltName entries and the req_distinguished_name values (country, state, city, company name and commonName) in the file above to reflect your organisation and server details.

Step 2 – Install OpenSSL

Head over to http://slproweb.com/products/Win32OpenSSL.html and grab a copy of Win OpenSSL suitable to your operating system.

Run through the install wizard and head on to Step 3.

Step 3 – Create certificate signing request and RSA key

To make things easier, copy the updatemanager.cfg file you created earlier into the BIN folder. Fire up a command prompt window and navigate to the OpenSSL Install Directory/Bin. Run the following command

openssl req -new -nodes -out rui.csr -keyout rui-orig.key -config updatemanager.cfg

Then run the following command

openssl rsa -in rui-orig.key -out rui.key

You will end up with 3 new files in the directory: rui.csr, rui-orig.key and rui.key.

Step 4 – Submit CSR to Microsoft Certificate Authority

Crack open the rui.csr file in your favourite text editor and copy the contents. Now head over to your internal CA at http://internalCA/certsrv and select Request a Certificate

Then choose submit a certificate request by using a base-64-encoded CMC

Paste the CSR into the request box and choose the appropriate Certificate Template. For more information on creating certificate template for vSphere 6 take a look here

Once you have clicked submit, download the certificate in Base 64 encoded format and save it to the BIN folder in the OpenSSL directory you used earlier.

Step 5 – Convert CA issued certificate into PFX format

Open the file you have just downloaded from the CA and remove the trailing space. There is a note in the VMware KB about having no extra characters in the certificate.

Change the file extension to *.CRT from *.CER.

Run the following command with OpenSSL

openssl pkcs12 -export -in rui.crt -inkey rui.key -name "rui" -passout pass:testpassword -out rui.pfx

This will create the rui.pfx file.
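
The "no extra characters" requirement from this step can be checked mechanically before running the pkcs12 export. The script below is an added example, not part of the VMware KB or the original post: it reports stray characters around or inside the Base64 certificate and returns a cleaned copy. The function names and the sample data (a constructed DER-shaped placeholder, not a real certificate) are assumptions made for illustration.

```python
import base64
import binascii
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

def wrap64(der):
    """Base64-encode DER bytes and wrap at 64 characters per line."""
    b64 = base64.b64encode(der).decode()
    return "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))

def check_pem(text):
    """Return (problems, cleaned_text) for a Base64-encoded certificate file."""
    blocks = re.findall(re.escape(BEGIN) + r"(.*?)" + re.escape(END), text, re.S)
    if len(blocks) != 1:
        return [f"expected 1 certificate block, found {len(blocks)}"], None
    problems = []
    start, stop = text.index(BEGIN), text.index(END) + len(END)
    if text[:start]:
        problems.append("characters before the BEGIN line")
    if text[stop:] not in ("", "\n", "\r\n"):
        problems.append("extra characters after the END line")
    lines = blocks[0].strip("\r\n").splitlines()
    if any(line != line.strip() for line in lines):
        problems.append("whitespace inside the Base64 body")
    try:
        der = base64.b64decode("".join(l.strip() for l in lines), validate=True)
    except binascii.Error:
        return problems + ["body is not valid Base64"], None
    # A certificate is a single DER SEQUENCE whose length covers the whole blob.
    if len(der) < 2 or der[0] != 0x30:
        return problems + ["decoded data is not a DER SEQUENCE"], None
    if der[1] < 0x80:
        header, length = 2, der[1]
    else:
        n = der[1] & 0x7F
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + length != len(der):
        problems.append("DER length does not match the decoded size")
    return problems, f"{BEGIN}\n{wrap64(der)}\n{END}\n"

# Constructed sample: a 260-byte DER-shaped placeholder, not a real certificate.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(256)
CLEAN = f"{BEGIN}\n{wrap64(SAMPLE_DER)}\n{END}\n"
DIRTY = CLEAN.rstrip("\n") + " \n"  # trailing space after the END line

if __name__ == "__main__":
    for name, text in (("clean", CLEAN), ("dirty", DIRTY)):
        print(name, check_pem(text)[0])
```

To check a real file, read it with open(path, newline="") so Windows line endings reach check_pem unchanged, and write the returned cleaned text out as rui.crt only if the problem list is what you expect.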

Step 6 – Replace Update Manager default certificates

Back up the files rui.crt, rui.key, and rui.pfx, located in the <Update_Manager_installation_directory>\SSL folder, and replace the old rui.crt, rui.key, and rui.pfx with the files you created.

Stop the VMware Update Manager service

Navigate to the <Update_Manager_installation_directory> and run the VMwareUpdateManagerUtility

Log in and select SSL Certificate. Tick the box and click Apply.

Once the process is complete you will receive the following message

Start the Update Manager service again.

Now all being well, next time you run the C# vSphere client, there won't be the annoying pop-up message about SSL certificates not being trusted.

Hopefully you found this post useful

Ian
