Replace VMware Update Manager 6.0 SSL certificates with domain CA signed certificates
The Problem
You just installed Update Manager and you keep getting that annoying SSL pop up when opening the C# client saying it's not trusted, that sucks, right? Why not spend a bit of time to get rid of that pop up (and not just click the install certificate button). You may have other reasons to replace the certificate as well.
The Solution
I am going to put the VMware KB on this issue https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1023011 into easy to follow instructions. Who doesn’t like pictures?
Step 1 – Create config file to punch into OpenSSL for CSR creation
Create a new file with the name updatemanager.cfg with the following contents
    [ req ]
    default_bits = 2048
    default_keyfile = rui.key
    distinguished_name = req_distinguished_name
    encrypt_key = no
    prompt = no
    string_mask = nombstr
    req_extensions = v3_req

    [ v3_req ]
    basicConstraints = CA:FALSE
    keyUsage = digitalSignature, keyEncipherment, dataEncipherment
    extendedKeyUsage = serverAuth, clientAuth
    subjectAltName = DNS: <ServerShortName>, DNS: <ServerIPAddress>, DNS: <server.domain.com>

    [ req_distinguished_name ]
    countryName = <Country>
    stateOrProvinceName = <State>
    localityName = <City>
    0.organizationName = <Company Name>
    organizationalUnitName = VMwareUpdateManager
    commonName = <server.domain.com>

Make sure you replace the placeholders in angle brackets above (angle brackets included) to reflect your organisation and server details
Step 2 – Install OpenSSL
Head over to http://slproweb.com/products/Win32OpenSSL.html and grab a copy of Win OpenSSL suitable to your operating system.
Run through the install wizard and head on to Step 3
Step 3 – Create certificate signing request and RSA key
To make things easier, copy the updatemanager.cfg file you created earlier into the BIN folder. Fire up a command prompt window and navigate to the OpenSSL Install Directory/Bin. Run the following command
    openssl req -new -nodes -out rui.csr -keyout rui-orig.key -config updatemanager.cfg
Then run the following command
    openssl rsa -in rui-orig.key -out rui.key
You will end up with 3 new files in the directory: rui.csr, rui-orig.key and rui.key
Step 4 – Submit CSR to Microsoft Certificate Authority
Crack open the rui.csr file in your favourite text editor and copy the contents. Now head over to your internal CA at http://internalCA/certsrv and select Request a Certificate
Then choose submit a certificate request by using a base-64-encoded CMC
Paste the CSR into the request box and choose the appropriate Certificate Template. For more information on creating a certificate template for vSphere 6 take a look here
Once you have clicked submit, download the certificate in Base 64 encoded format and save it to the BIN folder in the OpenSSL directory you used earlier.
Step 5 – Convert CA issued certificate into PFX format
Open the file you have just downloaded from the CA and remove the trailing space. There is a note in the VMware KB about having no extra characters in the certificate.
Change the file extension to *.CRT from *.CER
Run the following command with OpenSSL
    openssl pkcs12 -export -in rui.crt -inkey rui.key -name "rui" -passout pass:testpassword -out rui.pfx
This will create the PFX file as seen above.
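Before moving on to Step 6, the files produced in Steps 3 to 5 can be checked against each other. The PowerShell script below is an added example, not part of the original post or the VMware KB; it assumes openssl.exe and the rui.* files are in the current directory, and $ExpectedName is a placeholder for your server's FQDN.

```powershell
# Added example, not from the original post. Save as a .ps1 file and run it from
# the OpenSSL bin folder after Step 5 (rui.crt, rui.key and rui.pfx present).
$ExpectedName = 'server.domain.com'   # placeholder: the FQDN from updatemanager.cfg
$PfxPassword  = 'testpassword'        # the -passout value used in Step 5
$problems = @()

# 1. KB note from Step 5: the file may contain the PEM block and nothing else.
$pem = Get-Content -Raw -Path .\rui.crt
$strict = '\A-----BEGIN CERTIFICATE-----\r?\n(?:[A-Za-z0-9+/]+={0,2}\r?\n)+' +
          '-----END CERTIFICATE-----\r?\n?\z'
if ($pem -cnotmatch $strict) {
    $problems += 'rui.crt has extra characters (spaces, blank lines, text around the PEM block)'
}

# 2. The certificate must carry the public key of rui.key; if the moduli differ,
#    the CA signed a different request than the one created in Step 3.
$certMod = & .\openssl.exe x509 -noout -modulus -in rui.crt
$keyMod  = & .\openssl.exe rsa  -noout -modulus -in rui.key
if (-not $certMod -or "$certMod" -ne "$keyMod") {
    $problems += 'rui.crt does not match rui.key (RSA modulus differs)'
}

# 3. The CA's certificate template can override what the CSR asked for, so
#    confirm the SAN and serverAuth EKU from updatemanager.cfg were issued.
$text = (& .\openssl.exe x509 -noout -text -in rui.crt) -join "`n"
if ($text -notmatch [regex]::Escape("DNS:$ExpectedName")) {
    $problems += "subjectAltName is missing DNS:$ExpectedName"
}
if ($text -notmatch 'TLS Web Server Authentication') {
    $problems += 'extendedKeyUsage is missing serverAuth'
}

# 4. The PFX must open with the password given in Step 5.
& .\openssl.exe pkcs12 -in rui.pfx -noout -passin "pass:$PfxPassword" | Out-Null
if ($LASTEXITCODE -ne 0) {
    $problems += 'rui.pfx cannot be opened with the Step 5 password'
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'All checks passed: rui.crt, rui.key and rui.pfx are consistent.'
}
```

rui.key and rui-orig.key are written unencrypted (encrypt_key = no and -nodes), so remove the working copies from the OpenSSL bin folder once Step 6 is done.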
Step 6 – Replace Update Manager default certificates
Back up the files rui.crt, rui.key, and rui.pfx, located in the <Update_Manager_installation_directory>\SSL folder and replace the old rui.crt, rui.key, and rui.pfx with the files you created.
Stop the VMware Update Manager service
Navigate to the <Update_Manager_installation_directory> and run the VMwareUpdateManagerUtility
Login and select SSL Certificate. Tick the box and click Apply
Once the process is complete you will receive the following message
Start the update manager service again
Now all being well, next time you run the C# vSphere client, there won't be the annoying pop up message about SSL certificates not being trusted.
Hopefully you found this post useful
Ian
Hey man, you are amazing. I am doing cert replacement on VUM for the very first time and these steps are very clear, much clearer than VMware. Good job there.