Replace VMware Update Manager 6.0 SSL certificates with domain CA signed certificates

The Problem

You just installed Update Manager and you keep getting that annoying SSL pop-up when opening the C# client saying it's not trusted. That sucks, right? Why not spend a bit of time getting rid of that pop-up properly (and not just by clicking the install certificate button)? You may have other reasons to replace the certificate as well.

The Solution

I am going to put the VMware KB on this issue into easy to follow instructions. Who doesn’t like pictures?

Step 1 – Create config file to punch into OpenSSL for CSR creation

Create a new file with the name updatemanager.cfg with the following contents

Make sure you update the highlighted items below to reflect your organisation and server details

Step 2 – Install OpenSSL

Head over to and grab a copy of Win OpenSSL suitable to your operating system.


Run through the install wizard and head on to Step 3.

Step 3 – Create certificate signing request and RSA key

To make things easier, copy the updatemanager.cfg file you created earlier into the BIN folder. Fire up a command prompt window and navigate to the OpenSSL Install Directory/Bin. Run the following command

Then run the following command

You will end up with 3 new files in the directory


Step 4 – Submit CSR to Microsoft Certificate Authority

Crack open the rui.csr file in your favourite text editor and copy the contents. Now head over to your internal CA at http://internalCA/certsrv and select Request a Certificate


Then choose submit a certificate request by using a base-64-encoded CMC


Paste the CSR into the request box and choose the appropriate Certificate Template. For more information on creating a certificate template for vSphere 6 take a look here


Once you have clicked submit, download the certificate in Base 64 encoded format and save it to the BIN folder in the OpenSSL directory you used earlier.


Step 5 – Convert CA issued certificate into PFX format

Open the file you have just downloaded from the CA and remove the trailing space. There is a note in the VMware KB about having no extra characters in the certificate.


Change the file extension from *.CER to *.CRT


Run the following command with OpenSSL

This will create the PFX file as seen above.
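Step 5's requirement that the certificate file contain no extra characters can be checked before converting to PFX. The following Python is an added example, not part of the original post or the VMware KB; the function names are hypothetical and the sample input is a constructed stand-in (a DER header plus filler bytes), not a real certificate. It goes a little beyond the trailing space and also flags blank lines, text outside the BEGIN/END lines, invalid Base64 and a truncated paste.

```python
import base64
import binascii

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

def der_total_length(der):
    """Size the outer DER SEQUENCE header claims, or None if it is not one."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    if der[1] < 0x80:                      # short form length
        return 2 + der[1]
    n = der[1] & 0x7F                      # long form: n length bytes follow
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_pem_cert(raw):
    """Return a list of problems in a Base64 (PEM) certificate file."""
    problems = []
    try:
        lines = raw.decode("ascii").replace("\r\n", "\n").split("\n")
    except UnicodeDecodeError:
        return problems + ["non-ASCII bytes in file (BOM or pasted junk)"]
    if lines[-1] == "":
        lines.pop()                        # a single final newline is normal
    for num, line in enumerate(lines, 1):
        if not line.strip():
            problems.append(f"line {num}: blank or whitespace-only line")
        elif line != line.rstrip():
            problems.append(f"line {num}: trailing whitespace")
    kept = [l.strip() for l in lines if l.strip()]
    if kept.count(BEGIN) != 1 or kept.count(END) != 1:
        return problems + ["expected exactly one BEGIN/END CERTIFICATE pair"]
    if kept[0] != BEGIN or kept[-1] != END:
        problems.append("extra text outside the BEGIN/END lines")
    body = "".join(kept[kept.index(BEGIN) + 1:kept.index(END)])
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error:
        return problems + ["certificate body is not valid Base64"]
    if der_total_length(der) != len(der):
        problems.append("decoded data is not one complete DER SEQUENCE")
    return problems

def sample_pem():
    """Constructed stand-in: DER SEQUENCE header plus 200 filler bytes."""
    b64 = base64.b64encode(b"\x30\x81\xc8" + bytes(range(200))).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\r\n".join([BEGIN, *rows, END]) + "\r\n"
```

Call `check_pem_cert(open(path, "rb").read())` on the file downloaded from the CA; an empty list means none of these problems were found.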

Step 6 – Replace Update Manager default certificates

Back up the files rui.crt, rui.key, and rui.pfx, located in the <Update_Manager_installation_directory>\SSL folder, then replace the old rui.crt, rui.key, and rui.pfx with the files you created.

Stop the VMware Update Manager service


Navigate to the <Update_Manager_installation_directory> and run the VMwareUpdateManagerUtility


Login and select SSL Certificate. Tick the box and click Apply


Once the process is complete you will receive the following message



Start the VMware Update Manager service again


Now, all being well, next time you run the C# vSphere client, there won't be the annoying pop-up message about SSL certificates not being trusted.


Hopefully you found this post useful


1 Response

  1. Roman says:

    Hey man, you are amazing. I am doing cert replacement on VUM for the very first time and these steps are very clear, much clearer than VMware. Good job there.
